XSS Injection with SQLi (XSSQLi) Well After our discussion on different types of injection and places you can find SQL injection Vulnerability, an attacker can successfully exploit and SQL injection vulnerability and get access over the database and if he is enough lucky to get access to the File System also by uploading shell.

Now we are moving the whole scene to a different screen. Thinking What else and more we can do with a SQL Injection vulnerability. So here is SiXSS which stands for SQL Injection XSS attack. If you are new to XSS i would suggest you to read N00bz Guide to XSS injection attack. Reading the guide will give you a basic understanding to XSS attach how it can be performed and what an attacker can achieve with XSS injection attack.

Over here we will only be concentrating over the SQL injection and how to perform a basic XSS attack using SQL injection, rest you can learn more on XSS to achieve a better results using the same XSS.

To achieve SiXSS we have to go through the following steps.

0. The Basic and n00bish way.
1. Finding the Vulnrability.
2. Preparing the Injectable Query.
3. Injecting XSS into the Query.


The Basic and N00bish way.

I don't like this way much as its flashes the error on the webpage and in many cases you may not get the whole page but just a blank page with error and its not at all fun. But as its also one of the ways so lets take a vulnerable website for example.

http://exploitable-web.com/link.php?id=1


when we put a single quote in the end of website we may get an error like.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1'' at line 1

well this is the first point we can Inject XSS into the website. So this time rather than only the single quote we will Inject this:

' ;<img src=x onerror=prompt(/XSS/)>

The above injection will prompt up a dialog box saying XSS. This one is the basic attack. Now let us see how can we Injection XSS in a better way.

Finding the Vulnerability, Preparing the Injectable query all goes in the Basic SQL injection. Read them to continue.

I suppose you have read them all.

So lets continue with

Injecting XSS into the Query.

Once getting the Number of Column is done and we are ready with our Union Query. Lets assume we have 4 Columns so our Union query will be:

http://exploitable-web.com/link.php?id=1' union select 1,2,3,4--

Lets say the 3rd column gets printed on the webpage as output. So we will inject our XSS payload into it. To make things simple we will encode our payload into hex.

Our XSS injection Payload
<img src=x onerror=confirm(/XSS/)>
Hex Encoded value
0x3c696d67207372633d78206f6e6572726f723d636f6e6669726d282f5853532f293e

Injecting our payload:
http://exploitable-web.com/link.php?id=-1' union select 1,2,0x3c696d67207372633d78206f6e6572726f723d636f6e6669726d282f5853532f293e,4--

The above url will output the our XSS payload into the Website. This one is basic XSS payload, now we are free to do other things using XSS like Cookie stealing, XSS phishing,XSS iFrame Phishing, Chained XSS, Session Hijacking, CSRF attack, XssDdos and other attacks which are to be discussed in Noobz Guide to XSS.

Author : Zenodermus Javanicus
Date : 2014-04-06