It doesn't look at all like a SQL Injection vulnerability, I really don't think that's what causing it. Why do you thinks it's a SQL Injection? I'd say it's rather some subtle error in code that calculates the reward or handles the timer or both. Either way it's probably not trivial and would require a lot of time and effort to fully analyze. You can't expect that I'll fix every random script out there, that's just impossible. I have FaucetBOX.com, Faucet in a Box script and ScanTheBOX.com to maintain, that's engaging enough.
If you don't mind me asking, what makes it not look like a SQL Injection vulnerability? From what I can see in the code, there is nothing to escape any of the strings before running them.
For example, on core.php at line 169 (In the default script from gitlabs, looking at another faucet owner's script from this vulnerability it seems to be line 300), this function is used to run any SQL querys throughout the script:
function sql_query($sql)
{
global $mysqli;
return $mysqli->query($sql);
}
It literally gets the connection from config.php and runs the query. If this is as simple as it looks and there are no escape strings, this is a huge error in the script.
Perhaps using something similar to this:
function sql_query($sql)
{
global $mysqli;
$sql = $mysqli->real_escape_string($sql);
return $mysqli->query($sql);
}
Will solve the problem, as it escapes the string before continuing with the query.
Hearing thefaucetrunner talk about SQL injection made me think about this again and had me search through all of the files to try and find this function. Apologies for not finding it earlier.