Android browser crack
Android browser crack; @comeblackgirl
Chromium issue 1187403 describes a UAF vulnerability. The PoC is as follows:
This code attempts to share the content of the current page. In the Chrome browser, a pop-up window will appear asking the user for authorization, as shown below:
When the window is closed while its redraw task is still in the task queue, that task is still run as scheduled. The relevant class, however, caches a pointer to the window, and when the task dereferences that stale pointer the result is a use-after-free (UAF).
It is necessary to set secure_file_priv to empty, i.e., secure_file_priv = ''; or secure_file_priv should be the disk path where the general_log_file is stored. However, general_log_file can be modified directly through SQL statements. It must be changed to a file with a PHP extension, otherwise the log cannot be parsed:

Then, a new log file named 1.log will appear under the D drive. However, it is also necessary to consider whether the log file can actually be reached. For example, if secure_file_priv is fixed to G:\ and the website is hosted on the D drive, modifying general_log_file to a file under the G drive will not make the file reachable, unless there is some other vulnerability or issue with the file.
By combining a clickjacking vulnerability with a reflected XSS vulnerability, the reflected XSS can be turned into the equivalent of a stored XSS. The defining characteristic of a reflected XSS vulnerability is that it is difficult to exploit on its own; clickjacking removes that obstacle. As long as the user clicks and triggers the vulnerability, arbitrary JavaScript runs in the user's browser, which is extremely dangerous. Here's an example:

In this case, the target site has a reflected XSS or Self-XSS vulnerability. The page, shown in the following picture, is a large text box. Entering <script>alert(document.cookie)</script> pops up the cookie, confirming the presence of Self-XSS:

The target site also has a clickjacking vulnerability. We checked the response and found that the target site does not set the X-Frame-Options header, so the page can be framed and the clickjacking vulnerability exists:
Start by writing some small console applications or similar programs. The common small exercises found in programming books are a good source. Pick a tool and write the programs in the programming language you have learned.
To make this attack more effective, the requested resource should be as large as possible. For example, the test image test.png in my case is over 4MB in size. If the target website doesn't have such a large resource but does support http_pipelining, you can request the same resource multiple times over the same connection to increase the amount of returned content. As can be seen from the captured packets, when requesting the test.png resource, the client's window size was deliberately set to 1120 bytes. After the client's buffer was filled with data from the server, a [TCP ZeroWindow] alert was issued, forcing the server to wait. From the start of the interaction to the disconnection, a single connection took 14 seconds. The captured data
Black Hole Technology specializes in coin fans, including pure foreign coin fans and accurate domestic coin fans. Coin market data, stock investor data, Japanese data, Korean data, and so on are all first-hand resources. We can help you build your own data pool and develop software to attract fans. As long as you make good use of the data, the cost won't be an issue at all.
By installing various plug-ins, it can be turned into a powerful IDE (integrated development environment) suitable for developing in any programming language. Among them, a well-known remote development plug-in has attracted many hackers and greatly improved development efficiency.
Domain name hijacking is nowhere to hide: Building a reliable and secure domain name resolution system based on HTTPDNS