Twitter-Clone 1 SQL Injection via search.php
Description
Twitter-Clone 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the name parameter. Attackers can submit crafted payloads to the search.php endpoint to extract database information including usernames, credentials, and system data using error-based and union-based SQL injection techniques.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Twitter-Clone 1 search.php has a SQL injection flaw letting unauthenticated attackers extract database contents via the name parameter.
Vulnerability
The Twitter-Clone 1 application, developed by Fyffe, is vulnerable to SQL injection in the search.php endpoint [1][2]. The $_GET['name'] parameter is directly concatenated into a SQL query without sanitization, allowing error-based injection using extractvalue [2]. Affected files include search.php, mailactivation.php, and stalkers.php, but the primary unauthenticated vector is search.php [2]. The vulnerable code path is active when $_GET['name'] is not empty, and the query is executed via mysqli_query with the LIKE clause [2].
Exploitation
An attacker does not need authentication to exploit the vulnerability in search.php [1][3]. By submitting a crafted payload such as %' AND extractvalue(1,concat(0x3a,database(),0x3a))%23 in the name parameter, an unauthenticated remote attacker can trigger error-based SQL injection [2]. The application displays database errors to the user, enabling the attacker to extract information like the database name, usernames, and credentials [2][3]. For union-based attacks, the attacker can use ' UNION SELECT ... on search.php, mailactivation.php, or stalkers.php to retrieve arbitrary data [2].
Impact
Successful exploitation allows an attacker to extract sensitive database contents, including usernames and credentials [3]. The attacker can retrieve system data such as the current database user via user() and enumerate other tables [2]. This constitutes a breach of confidentiality and can lead to account takeover or further system compromise [3].
Mitigation
No official fix or patched version has been released for Twitter-Clone 1 [1][2]. The repository appears unmaintained, and the vulnerability remains unpatched as of the latest available references [1]. Users running this application should consider it at end-of-life and migrate to a supported alternative [3]. Input validation and parameterized queries should be implemented to prevent SQL injection if continued use is necessary [2].
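The parameterized form of a LIKE search such as the one in search.php, as an added example that is not the application's own code. The users table, username column, ! escape character, length and row limits, and connection details are assumptions for illustration. Because the application is described as displaying database errors to the user, the sketch also keeps errors out of the response.

```php
<?php
// Added example, not Twitter-Clone's code. The `users` table, `username`
// column and connection details below are assumptions for illustration.
declare(strict_types=1);

ini_set('display_errors', '0');   // never echo database errors to the client
ini_set('log_errors', '1');       // record them in the server log instead
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw

/** Escape LIKE wildcards so the search term is matched literally. */
function like_literal(string $term): string
{
    return strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

/** Search usernames with a bound parameter; $name never becomes SQL text. */
function search_users(mysqli $db, string $name): array
{
    if ($name === '' || strlen($name) > 64) {
        return [];                // reject empty or oversized input early
    }
    $stmt = $db->prepare(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '!' LIMIT 50"
    );
    $pattern = '%' . like_literal($name) . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

try {
    // Placeholder credentials; use a least-privilege, read-only account.
    $db = new mysqli('localhost', 'app_ro', 'CHANGE_ME', 'twitter_clone');
    $db->set_charset('utf8mb4');
    $name = $_GET['name'] ?? '';
    $rows = is_string($name) ? search_users($db, $name) : [];
    foreach ($rows as $row) {
        echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
} catch (mysqli_sql_exception $e) {
    error_log('search failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Search is temporarily unavailable.';
}
```

The same prepare/bind pattern applies to the queries in mailactivation.php and stalkers.php, which the advisory lists as affected.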
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1
Patches
No patches discovered yet.
References
- www.exploit-db.com/exploits/45247 (mitre, exploit)
- www.vulncheck.com/advisories/twitter-clone-1-sql-injection-via-search-php (mitre, third-party-advisory)