Sysaid 20.1.11 b26 – Remote Command Execution

• Exploit Database
• 11 阅读

• 作者： Ahmed Sherif
  日期： 2020-03-10
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/48188/

• # Exploit Title: Sysaid 20.1.11 b26 - Remote Command Execution
  # Google Dork: intext:"Help Desk Software by SysAid <http://www.sysaid.com/>"
  # Date: 2020-03-09
  # Exploit Author: Ahmed Sherif
  # Vendor Homepage: https://www.sysaid.com/free-help-desk-software
  # Software Link: [https://www.sysaid.com/free-help-desk-software
  # Version:Sysaid v20.1.11 b26
  # Tested on: Windows Server 2016
  # CVE : None
  
  GhostCat Attack
  
  The default
  installation of Sysaid is enabling the exposure of AJP13 protocol which is used
  by tomcat instance, this vulnerability has been released recently on
  different blogposts
  <https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/>.
  
  
  *Proof-of-Concept*
  
  [image: image.png]
  
  The
  attacker would be able to exploit the vulnerability and read the Web.XML of
  Sysaid.
  Unauthenticated File Upload
  
  It was
  found on the Sysaid application that an attacker would be able to upload files
  without authenticated by directly access the below link:
  
  http://REDACTED:8080/UploadIcon.jsp?uploadChatFile=true&parent=
  
  
  
  In the above screenshot, it shows that an attacker can execute commands
  in the system without any prior authentication to the system.