0a0ad49d15
7 changes to exploits/shellcodes Counter Strike: GO - '.bsp' Memory Control (PoC) Nagios XI - Authenticated Remote Command Execution (Metasploit) PHPStudy - Backdoor Remote Code execution (Metasploit) Sysaid 20.1.11 b26 - Remote Command Execution YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting Persian VIP Download Script 1.0 - 'active' SQL Injection
38 lines
No EOL
1.2 KiB
Text
38 lines
No EOL
1.2 KiB
Text
# Exploit Title: Sysaid 20.1.11 b26 - Remote Command Execution
|
|
# Google Dork: intext:"Help Desk Software by SysAid <http://www.sysaid.com/>"
|
|
# Date: 2020-03-09
|
|
# Exploit Author: Ahmed Sherif
|
|
# Vendor Homepage: https://www.sysaid.com/free-help-desk-software
|
|
# Software Link: [https://www.sysaid.com/free-help-desk-software
|
|
# Version: Sysaid v20.1.11 b26
|
|
# Tested on: Windows Server 2016
|
|
# CVE : None
|
|
|
|
GhostCat Attack
|
|
|
|
The default
|
|
installation of Sysaid is enabling the exposure of AJP13 protocol which is used
|
|
by tomcat instance, this vulnerability has been released recently on
|
|
different blogposts
|
|
<https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/>.
|
|
|
|
|
|
*Proof-of-Concept*
|
|
|
|
[image: image.png]
|
|
|
|
The
|
|
attacker would be able to exploit the vulnerability and read the Web.XML of
|
|
Sysaid.
|
|
Unauthenticated File Upload
|
|
|
|
It was
|
|
found on the Sysaid application that an attacker would be able to upload files
|
|
without authenticated by directly access the below link:
|
|
|
|
http://REDACTED:8080/UploadIcon.jsp?uploadChatFile=true&parent=
|
|
|
|
|
|
|
|
In the above screenshot, it shows that an attacker can execute commands
|
|
in the system without any prior authentication to the system. |