Sysaid version 20.1.11 b26 suffers from an AJP13 remote command execution vulnerability.
aa02b3b8eb6735d2b6c2a11c9efc3402# Exploit Title: Sysaid 20.1.11 b26 - Remote Command Execution
# Google Dork: intext:"Help Desk Software by SysAid <http://www.sysaid.com/>"
# Date: 2020-03-09
# Exploit Author: Ahmed Sherif
# Vendor Homepage: https://www.sysaid.com/free-help-desk-software
# Software Link: [https://www.sysaid.com/free-help-desk-software
# Version: Sysaid v20.1.11 b26
# Tested on: Windows Server 2016
# CVE : CVE-2020-10569
GhostCat Attack
The default
installation of Sysaid is enabling the exposure of AJP13 protocol which is used
by tomcat instance, this vulnerability has been released recently on
different blogposts
<https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/>.
*Proof-of-Concept*
[image: image.png]
*Unauthenticated File Upload
*
It was found on the Sysaid application that an attacker would be able
to upload files without authenticated by directly access the below
link:
http://REDACTED:8080/UploadIcon.jsp?uploadChatFile=true&parent=
In the above screenshot, it shows that an attacker can execute commands
in the system without any prior authentication to the system.