Attack Chain

1. The attacker identifies a vulnerable instance of Twitter-Clone 1.
2. The attacker crafts a malicious SQL injection payload. This payload is designed to extract data from the database or perform other unauthorized actions.
3. The attacker sends an HTTP GET or POST request to the search.php endpoint, embedding the malicious SQL payload within the name parameter.
4. The search.php script processes the request and incorporates the attacker-supplied name parameter into a SQL query without proper sanitization or parameterization.
5. The database server executes the attacker’s malicious SQL query.
6. The database server returns the results of the malicious query to the search.php script.
7. The search.php script displays the results of the query (including sensitive data or error messages revealing database structure) to the attacker.
8. The attacker uses extracted data to further compromise the system or gain unauthorized access to user accounts.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2018-25364) can lead to the unauthorized disclosure of sensitive information stored within the application’s database. This may include usernames, passwords, email addresses, and other personal data of users. Attackers can leverage the vulnerability to gain complete control over the application’s data and potentially the underlying server.

Recommendation

• Inspect web server logs for suspicious requests to search.php containing SQL syntax within the name parameter to detect exploitation attempts.
• Deploy the Sigma rule detecting SQL injection attempts against the search.php endpoint.
• Consider using a Web Application Firewall (WAF) with updated rules to block SQL injection attacks against web applications.