PHP Education Manager: All-in-one platform for schools & colleges! Courses | Students | Resources | Admin Panel. Simple, smart & scalable education system powered by PHP!
GitHub address: https://github.com/Iqbolshoh/php-education-management
Attackers can exploit a stored Cross-Site Scripting (XSS) vulnerability in the form submission functionality to inject scripts that execute when an administrator views the submissions. Because the script runs in the administrator's browser session, it can be used to steal the administrator's session cookie.
In the worksheet.php file, the participant_name parameter is taken directly from the raw $_GET request and stored in the database without any filtering or escaping:
Then, in the results.php admin page, the value is read from the database and written directly into the HTML response without any escaping:
This allows an attacker to submit a crafted XSS payload in advance; the payload fires when the administrator views the corresponding content.
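The following is an added example, not code from the php-education-management project: a minimal reconstruction of the unsafe store-then-render pattern described above, next to a hardened version that validates the input, binds it as a query parameter and escapes it on output. The table name, column names, the $pdo connection and the mbstring extension are assumptions.

```php
<?php
// Added example; the results table, its columns and $pdo are assumptions,
// not the project's real schema or code.

// Unsafe render, as described for results.php: the stored value is dropped
// straight into the HTML, so a value like </td></tr></tbody></table><script>…
// closes the table cell and injects markup. Shown for contrast only.
function render_results_unsafe(array $rows): string {
    $html = '<table><tbody>';
    foreach ($rows as $r) {
        $html .= "<tr><td>{$r['participant_name']}</td></tr>";
    }
    return $html . '</tbody></table>';
}

// Hardened input side for worksheet.php: validate the value before it is
// stored and use a prepared statement so it is never concatenated into SQL.
function store_result_safe(PDO $pdo): void {
    $name = trim((string)($_GET['participant_name'] ?? ''));
    // Allow letters in any script, combining marks, spaces, dots, apostrophes
    // and hyphens; anything else (including < > " &) is rejected at the door.
    if ($name === '' || mb_strlen($name) > 100
        || !preg_match("/^[\p{L}\p{M} .'-]+$/u", $name)) {
        http_response_code(400);
        exit('invalid participant_name');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO results (lesson_id, participant_name) VALUES (:lid, :name)');
    $stmt->execute([':lid' => (int)($_GET['lessonid'] ?? 0), ':name' => $name]);
}

// Output escaping for an HTML-body context: <, >, &, " and ' become entities,
// so even a value that slipped past validation renders as inert text.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened render for results.php: escape every stored value at output time.
function render_results_safe(array $rows): string {
    $html = '<table><tbody>';
    foreach ($rows as $r) {
        $html .= '<tr><td>' . esc($r['participant_name']) . '</td></tr>';
    }
    return $html . '</tbody></table>';
}

// Defence in depth against the cookie-theft impact: keep the admin session
// cookie out of reach of script, and restrict script sources with CSP.
// Both calls must run before session_start() and before any output.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
```

Validation on input and escaping on output are both needed: the allowlist stops the stored value from ever containing markup, and the escaping protects every place the value is rendered, including pages added later.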
Fill in the corresponding content in worksheet.php, then capture the request with Burp Suite.
The attacker constructs a special format for the participant_name parameter value:
POST /worksheet.php?lessonid=1&participant_name=</td></tr></tbody></table><script>alert(1);</script> HTTP/1.1
Host: www.education.eek
Content-Length: 264
Connection: keep-alive
test_answer_2=a&test_answer_1=b&tru_false_answer_1=c&dropdown_answer_1=todo&dropdown_answer_2=underw&fill_in_the_blank_answer_2=123e&fill_in_the_blank_answer_1=123f&matching_answer_1=Animalh&matching_answer_3=Fruitj&matching_answer_2=Fruitk&answers%5B0%5D=detected
The malicious value is stored in the database as-is. When the administrator opens the result viewing page (results.php), the script stored in the database is rendered into the page and executed:
Note that the lessonid used in the request must be the same lesson the administrator views at admin/results.php?lesson_id=1.