# Exploit Title: Sysaid 20.1.11 b26 - Remote Command Execution
# Google Dork: intext:"Help Desk Software by SysAid <http://www.sysaid.com/>"
# Date: 2020-03-09
# Exploit Author: Ahmed Sherif
# Vendor Homepage: https://www.sysaid.com/free-help-desk-software
# Software Link: [https://www.sysaid.com/free-help-desk-software
# Version: Sysaid v20.1.11 b26
# Tested on: Windows Server 2016
# CVE : None
GhostCat Attack
The default
installation of Sysaid is enabling the exposure of AJP13 protocol which is used
by tomcat instance, this vulnerability has been released recently on
different blogposts
<https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/>.
*Proof-of-Concept*
[image: image.png]
The
attacker would be able to exploit the vulnerability and read the Web.XML of
Sysaid.
Unauthenticated File Upload
It was
found on the Sysaid application that an attacker would be able to upload files
without authenticated by directly access the below link:
http://REDACTED:8080/UploadIcon.jsp?uploadChatFile=true&parent=
In the above screenshot, it shows that an attacker can execute commands
in the system without any prior authentication to the system.