Monday, May 7, 2012

SQLinjection with XSS

My report in tomorrow. If you find SQL injection, with union stament, you can force web application print result. Ex: union 1,2,3,4,5 -> You can see 2 3 4 5 number. Replace 2 with 'namhb', you can see namhb. So, you can exploit XSS in SQL injection.
Now, you can insert javascript, instead: alert(/namhb/) (in script tag). Buzz, new dialog.
Finish, have got many script, you can use sqli,js.
See demo:


------------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
All my Lab:
Linux Lab -- window and Cisco Lab
to be continued - I will update more.

No comments:

Install Xposed Inspector and Frida on Genymotion

Today i had some work with android. So i need trace application. I found 2 nice tool can help me: Xposed Inspector and Frida. To setup ther...