CVE-2019-13063 PoC — Tyto Software Sahi Pro Path Traversal Vulnerability

Source
Associated Vulnerability
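Title: Tyto Software Sahi Pro Path Traversal Vulnerability (CVE-2019-13063)
Description: Tyto Software Sahi Pro is an automated testing tool from Tyto Software, an Indian company. A path traversal vulnerability exists in Tyto Software Sahi Pro version 8.0.0. An attacker can exploit it by sending a specially crafted URL to steal sensitive configuration files and other files.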
Description
Proof of concept tool to exploit the directory traversal and local file inclusion vulnerability that resides in the Sahi-pro web application CVE-2019-13063
Readme
# CVE-2019-13063 Proof of concept
![Python 3](https://img.shields.io/badge/python-3.6-blue.svg)

## About

An issue was discovered in the Sahi-pro script manager web application: a file and directory traversal vulnerability resides in the `?script=` parameter on the /Script_view page. An attacker can send a specially crafted URL to retrieve and steal sensitive files from the victim.

This is a proof of concept tool to exploit the directory traversal and file traversal vulnerability that resides in the Sahi-pro web application.

**Impact:** The Sahi-pro web application contains a directory and file traversal vulnerability which results in the leakage of sensitive information from the application, or can be used to pull system files directly.

The ?script= parameter on the script_view page is susceptible to file and directory traversal to list the contents of files.

## Usage

Run it like this:
`$ python3 CVE-2019-13063-POC.py --url http://example:[REDACTED]`
*This will download the application's product key.*

Specify the full URL, including the file you wish to download appended to the vulnerable ?script= parameter.

```
usage: CVE-2019-13063-POC.py [-h] [--url URL]

optional arguments:
  -h, --help  show this help message and exit
  --url URL   Specify the vulnerable URL

```

## Sensitive files which may lead to direct application compromise

```
Sahi User properties file - \sahi_pro\userdata\config\userdata.properties
Sahi data profile - \sahi_pro\userdata\browser\ff\profiles\sahi0\prefs.js
Sahi properties file - \sahi_pro\config\sahi.properties
Sahi Product key location - \config\productkey.txt
```
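
A defender-side check for the traversal described above, as an added example that is not part of the original README or the PoC: it scans web access log lines for requests to the Script_view page whose `script` parameter, after decoding, contains a parent-directory segment or names one of the files listed here. The combined log format, the bare `/Script_view` request path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# File names from the README's list of sensitive files.
SENSITIVE_NAMES = ("userdata.properties", "prefs.js", "sahi.properties", "productkey.txt")
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Constructed sample log lines (documentation IP ranges, assumed request path).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2019:10:00:01 +0000] "GET /Script_view?script=demo/login.sah HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jul/2019:10:00:05 +0000] "GET /Script_view?script=..%5C..%5Cconfig%5Cproductkey.txt HTTP/1.1" 200 148',
    '203.0.113.9 - - [01/Jul/2019:10:00:09 +0000] "GET /Script_view?script=%252e%252e%252fconfig%252fsahi.properties HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jul/2019:10:01:00 +0000] "GET /index.htm?script=../x HTTP/1.1" 404 0',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e), at most max_rounds times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return the reasons a line looks like traversal via ?script=, or []."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if "script_view" not in url.path.lower():
        return []
    reasons = []
    for raw in parse_qs(url.query, keep_blank_values=True).get("script", []):
        value = fully_decode(raw).replace("\\", "/").lower()  # normalise Windows separators
        segments = [s for s in value.split("/") if s]
        if ".." in segments:
            reasons.append("parent-directory segment in script parameter")
        if segments and segments[-1] in SENSITIVE_NAMES:
            reasons.append("sensitive file requested: " + segments[-1])
    return reasons

def scan(lines):
    """Return (line_index, reasons) for every suspicious line."""
    return [(i, r) for i, line in enumerate(lines) if (r := classify(line))]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LOG):
        print(i, reasons)
```
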

## Other 

This script simply attempts to download the entire page. The wanted content sits between the unique `<ol><li>` HTML tags, so it can be parsed out of the page with a simple bash one-liner.
  
Example to parse out the product key: 
 
```
cat output.txt | grep "<ol><li>" | cut -d ">" -f3 | cut -d "<" -f1

1a79a4d60de6718e8e5b326e338ae533
```
File Snapshot

```
[4.0K] /data/pocs/cb97aeaa9bb6e6bd1b70a638bb863a5d40bff95c
├── [ 888] CVE-2019-13063-POC.py
├── [ 34K] LICENSE
├── [2.0K] README.md
└── [ 9] requirements.txt

0 directories, 4 files
```