
# Exploit Title: Online Examination System 1.0 — Reflected Cross-Site Scripting
# Date: 21/Nov/2020
# Exploit Author: Asfiya Shaikh
# Vendor Homepage: https://www.sourcecodester.com/php/14358/online-examination-system.html
# Version: 1.0
# Tested on: Windows 7

Description — Cross-site scripting (XSS) vulnerability in Online Examination System 1.0 via the w parameter to index.php.
Affected Component — http://192.168.0.175/OnlineExaminationSystem/index.php?w=<Vulnerable_Parameter>
Payload — <script>alert(1)</script>

Impact — Reflected cross-site scripting is relatively complex to exploit because the malicious payload has to be sent as part of a URL and the user has to be tricked into visiting that URL. However, it has the same impact as a persistent XSS. XSS can be used to hijack the victim’s session and thereby gain complete access to his/her user account. Additionally, it can be used to redirect the victim to a malicious website, which may contain browser exploits or a phishing page.

Reference — https://www.sitepoint.com/php-security-cross-site-scripting-attacks-xss/
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet


# Exploit Title: Online Examination System 1.0 — Reflected Cross-Site Scripting
# Date: 21/Nov/2020
# Exploit Author: Asfiya Shaikh
# Vendor Homepage: https://www.sourcecodester.com/php/14358/online-examination-system.html
# Version: 1.0
# Tested on: Windows 7

Description — Cross-site scripting (XSS) vulnerability in Online Examination System 1.0 via the q parameter to feedback.php.
Affected Component — http://192.168.0.175/OnlineExaminationSystem/feedback.php?q=<<Vulnerable_Parameter>>
Payload — <script>alert(1)</script>

Impact — Reflected cross-site scripting is relatively complex to exploit because the malicious payload has to be sent as part of a URL and the user has to be tricked into visiting that URL. However, it has the same impact as that of a persistent XSS…
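
As an added example (not from the advisory and not the application's own code), the sketch below puts the unencoded-echo pattern behind the reflected XSS in the `w` and `q` parameters next to an output-encoded version. The function names, the `notice` markup and the 200-byte limit are assumptions, since the application's real source is not shown on this page.

```php
<?php
// Added example: hypothetical handlers, not the real index.php or feedback.php.
declare(strict_types=1);

/** Vulnerable pattern: the query value is concatenated into HTML unchanged. */
function render_notice_unsafe(array $query): string
{
    $w = $query['w'] ?? '';
    return '<div class="notice">' . $w . '</div>';
}

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened pattern: check type and length on input, encode on output. */
function render_notice_safe(array $query): string
{
    $w = $query['w'] ?? '';
    if (!is_string($w)) {        // ?w[]=x arrives as an array, not a string
        $w = '';
    }
    $w = substr($w, 0, 200);     // assumed length limit for a status message
    return '<div class="notice">' . h($w) . '</div>';
}

// Constructed input: the payload quoted in the advisory.
$query = ['w' => '<script>alert(1)</script>'];

echo render_notice_unsafe($query), PHP_EOL;  // markup reaches the browser as-is
echo render_notice_safe($query), PHP_EOL;    // markup is rendered as inert text

// Self-check: the hardened output must contain no raw tag opener from the input.
if (strpos(render_notice_safe($query), '<script') !== false) {
    throw new RuntimeException('output encoding failed');
}
```

The same `h()` call applies wherever stored feedback is rendered back to an admin, because encoding belongs at the point of output rather than at the point of input.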


# Exploit Title: Online Examination System 1.0 — Persistent Cross-Site Scripting
# Date: 21/Nov/2020
# Exploit Author: Asfiya Shaikh
# Vendor Homepage: https://www.sourcecodester.com/php/14358/online-examination-system.html
# Version: 1.0
# Tested on: Windows 7

Multiple stored XSS vulnerabilities were found in Online Examination System. This potentially allows for full account takeover.

Description — Any unauthenticated user can submit feedback that includes a malicious script in the feedback description box; the script would steal/ride the session of an admin user when the admin tries opening the vulnerable feedback link.

# Proof of Concept

Step 1: Insert the following in “feedback” & “subject” parameter of feedback form (Home…
