# Exploit Title: Sysaid 20.1.11 b26 - Remote Command Execution
# Google Dork: intext:"Help Desk Software by SysAid <http://www.sysaid.com/>"
# Date: 2020-03-09
# Exploit Author: Ahmed Sherif
# Vendor Homepage: https://www.sysaid.com/free-help-desk-software
# Software Link: [https://www.sysaid.com/free-help-desk-software
# Version:  Sysaid v20.1.11 b26
# Tested on: Windows Server 2016
# CVE : CVE-2020-10569

GhostCat Attack

The default
installation of Sysaid is enabling the exposure of AJP13 protocol which is used
by tomcat instance, this vulnerability has been released recently on
different blogposts
<https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/>.


*Proof-of-Concept*

[image: image.png]

*Unauthenticated File Upload
*
It was found on the Sysaid application that an attacker would be able
to upload files without authenticated by directly access the below
link:
http://REDACTED:8080/UploadIcon.jsp?uploadChatFile=true&parent=



In the above screenshot, it shows that an attacker can execute commands
in the system without any prior authentication to the system.