After the browser receives the request, a RenderView is created by content::RenderFrameHostManager::InitRenderView, and a RenderWidget is created within the RenderView as follows:
This function calls a function in the web_contents_impl class to create a RenderView:
Finally, the web_contents_view_aura class is called to create a RenderWidgetHostViewAura object.
At this point, a RenderWidgetHostViewAura object is created. In the initialization function of the RenderWidgetHostViewAura, relevant functions are called to set the view_ variable to itself, as shown below:
The above code calls the SetView function of the RenderWidgetHostImpl class to set the view_ member variable to the passed-in this pointer:
In the POC code, a request is made to share the content of the current screen, which requires user authorization. The authorization process is as follows:
Because most of Chrome's functionality lives in chrome.dll, and that DLL has not been loaded yet at this point, use the sxe ld chrome command to tell WinDbg to break as soon as chrome.dll is loaded. Enter g to resume the program and wait for the break. Then use the lm command to confirm that chrome.dll has been loaded:
After the chrome.dll file is loaded, you can use the .reload /f chrome.dll command to load the symbols of the chrome.dll file, as shown in the following figure:
The warnings that appear below can be ignored. After the symbols are loaded, you can perform source-level debugging, as follows:
Chromium issue 1187403 describes a UAF vulnerability. The PoC is as follows:
This code attempts to share the content of the current page. In the Chrome browser, a pop-up window will appear asking the user for authorization, as shown below:
When the window is closed, any redraw task for that window that is still in the task queue is scheduled normally. However, the relevant class still holds a cached pointer to the destroyed window, and when the task runs that pointer is dereferenced, resulting in a UAF.
It is necessary either to set secure_file_priv to empty, i.e., secure_file_priv = '', or for secure_file_priv to point to the disk path where the general_log_file is stored. general_log_file itself can be modified directly through SQL statements. It must be changed to a file with a PHP extension, otherwise the log cannot be parsed:
Then, a new log file named 1.log will appear under the D drive. However, it is also necessary to consider whether the connection to the log can be successful. For example, if secure_file_priv is fixed to G:\, and the website is hosted on the D drive, modifying general_log_file to a file under the G drive will not allow successful connection, unless there are vulnerabilities in the file or other issues.
By combining a clickjacking vulnerability with a reflected XSS vulnerability, the reflected XSS can be turned into something that behaves like stored XSS. The defining feature of reflected XSS is that it is difficult to exploit; clickjacking removes that obstacle. As long as the user clicks to trigger the vulnerability, arbitrary JavaScript runs in the user's browser, which is extremely dangerous. Here's an example:
In this case, the target site has a reflected XSS or Self-XSS vulnerability. The page is the one in the following picture, which is a large text box. Entering <script> alert(document.cookie)</script> will pop up the cookie, indicating the presence of Self-XSS:
The target site also has a clickjacking vulnerability. We checked the response and found that the target site did not set the X-Frame-Options header, so the clickjacking vulnerability exists:
To make this attack more effective, the requested resource should be as large as possible. For example, the test image test.png in my case is over 4MB in size. If the target website has no resource that large but does support HTTP pipelining, the same resource can be requested several times on one connection to increase the amount of returned content. As can be seen from the captured packets, when requesting the test.png resource the client's TCP window size was deliberately set to 1120 bytes. Once the client's buffer had been filled with data from the server, a [TCP ZeroWindow] alert was issued, forcing the server to wait. From the start of the interaction to the disconnection, a single connection took 14 seconds. The captured data
By installing various plug-ins, it can be turned into a powerful IDE (integrated development environment) suitable for developing in any programming language. Among these, a well-known remote development plug-in has attracted many hackers and greatly improved development efficiency.