VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Twitter-Clone 1 SQL Injection via follow.php

CVE-2018-25362

Description

Twitter-Clone 1 contains a SQL injection vulnerability in follow.php that allows attackers to manipulate database queries by injecting SQL code through the userid parameter. Attackers can submit union-based or time-based blind SQL injection payloads to extract sensitive database information including usernames, passwords, and database credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Twitter-Clone 1 is vulnerable to SQL injection in follow.php via the userid parameter, allowing attackers to extract sensitive database information.

Vulnerability

Twitter-Clone 1 contains a SQL injection vulnerability in the follow.php file. The vulnerable code takes the userid GET parameter (held in $follow_userid) and concatenates it directly into a SQL query without sanitization: $query = mysqli_query($con, "SELECT id FROM following WHERE user1_id='$user_id' AND user2_id='$follow_userid'") [2]. Because the userid value is never validated or escaped, an attacker can inject arbitrary SQL into the query. The affected version is Twitter-Clone 1, as hosted on GitHub [1].

Exploitation

An attacker must be able to send HTTP GET requests to the vulnerable follow.php page with a crafted userid parameter. No authentication is required if the script is accessible without a session, though the source code indicates the attacker may need to provide both userid and username parameters. The exploit-db reference demonstrates both union-based and time-based blind SQL injection payloads, such as: userid=' UNION SELECT 1,2,user(),4,database(),6,7%23 [2]. A time-based blind payload like userid=' AND sleep(10)%23 can also be used to infer data based on response delays [2].

Impact

A successful SQL injection attack allows the attacker to extract sensitive data from the database, including usernames, passwords (or password hashes), database credentials, and other application data [2][3]. The attacker can potentially enumerate all user accounts and their passwords, leading to full account compromise and further privilege escalation within the Twitter-Clone application.

Mitigation

No official patch or fixed version has been released for this vulnerability. The vendor repository appears to be abandoned (no updates since 2018) [1]. The only mitigation is to update the application code to use prepared statements or parameterized queries for all database interactions, and to sanitize all user-supplied input. As of the publication date, this vulnerability is not listed on the CISA KEV catalog.
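As an added example (not code from the Twitter-Clone repository), the query quoted in the Vulnerability section rewritten with a mysqli prepared statement, with the userid parameter validated as an integer before it reaches the database. It assumes $con is an open mysqli connection, that user1_id and user2_id are integer ids, and that the logged-in user's id is stored in $_SESSION['user_id'] (a hypothetical session key).

```php
<?php
// Added example, not Twitter-Clone's own code.
// The advisory quotes the vulnerable query as:
//   "SELECT id FROM following WHERE user1_id='$user_id' AND user2_id='$follow_userid'"
// where $follow_userid comes straight from $_GET['userid']. Below, the SQL text is
// fixed and the ids are bound as typed parameters, so no input can change the query.

// Assumptions: $con is an open mysqli connection; user1_id/user2_id are integer ids.
function is_following(mysqli $con, int $user_id, int $follow_userid): bool
{
    $stmt = mysqli_prepare($con,
        'SELECT id FROM following WHERE user1_id = ? AND user2_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($con));
    }
    // 'ii' binds both values as integers; the driver sends them separately from the SQL.
    mysqli_stmt_bind_param($stmt, 'ii', $user_id, $follow_userid);
    if (!mysqli_stmt_execute($stmt)) {
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        throw new RuntimeException('execute failed: ' . $err);
    }
    mysqli_stmt_store_result($stmt);
    $found = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    return $found;
}

// Request handling: reject anything that is not a positive integer before touching the DB.
// This is defence in depth; the prepared statement above is what prevents injection.
$follow_userid = filter_input(INPUT_GET, 'userid', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($follow_userid === false || $follow_userid === null) {
    http_response_code(400);
    exit('invalid userid');
}

// Assumption: the logged-in user's id is kept in the session, not taken from the request.
$user_id = (int) ($_SESSION['user_id'] ?? 0);
if ($user_id < 1) {
    http_response_code(401);
    exit('login required');
}

$already_following = is_following($con, $user_id, $follow_userid);
```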

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0 (No linked articles in our index yet.)