It’s been a couple of weeks since my last post. I’ve been very busy managing my newly set up company. And I think it’s time to post another (lame) article right here on this very (lame) blog.
After reading “Thousand Ways to SQL Injection”, people started to ask me whether it is possible to launch a SQL injection using XSS. Some of them questioned me about the possibility of it, some of them don’t even believe it’s possible. And well, some of them say that’s gonna happen but don’t know how, or never came across one.
Let’s take a look at the following ‘fictive’ (and lame) scenario of SQL Injection using XSS:
Say we know that the site abc.com uses GoodGoodCMS_v1.0 as its Content Management System. Mr. Z, the attacker, found out that GoodGoodCMS has an XSS flaw on the admin page. But there is not much to exploit, since GoodGoodCMS doesn’t use cookies as its authentication method. But Mr. Z did find out that GoodGoodCMS uses cookie values in a SQL query without proper filtering.
Guess what? Mr. Z pulls an XSS and inserts something like this:
<script>document.cookie="1; UPDATE admin_table SET password=\'yihaa\' WHERE id=1";</script>
This is my concept of SQL Injection using XSS. Correct me if I am wrong, and you are very welcome to shout your ideas about this topic here.
Thanks
Zoiz – http://zoiz.web.id




huff… i like sql injection.
just feeling down, bro, my boss always asks for more from me.
hufff…. if only a day had 32 hours. then I could surely be like Zoiz.
keep it up, bro….
just try and try.
hmm… interesting, but I don’t really understand without any example of a PHP script… would you like to show me some script that is vulnerable to this?
would be nice if it really happens, since I only think of doing XSS through SQL injection
as far as I know XSS is client-side hackin’ but SQL injection is server-side… I could change SQL injection into XSS successfully, and your post makes it the reverse… one thing that bothers me: is it true to convert XSS into SQL injection or just multiple vulnerabilities at once?
anyway… kewl post brotha!
CMIIW
Ehm, here’s roughly how it works, bro:
The Vulnerable PHP Code:
// Untrusted cookie value, read without any validation
$pre = $_COOKIE['preferences'];
$query = "select colorset, font, etc from templates where id = $pre"; // This is RARE but I believe it exists
thx, it’s clear enough now
rare doesn’t mean nonexistent or harmless, nice!
keep up the good work, friend
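
An added example (not part of the original post or its comments): a hardened form of the cookie-driven template lookup quoted in the comments, which validates the preferences cookie as an integer and binds it as a typed parameter. The in-memory SQLite database, the loadTemplate function and the sample rows are assumptions made for the example.

```php
<?php
// Added example: hardened form of the cookie-driven template lookup.
// Schema and rows are constructed; an in-memory SQLite database stands in
// for the CMS database so the script runs offline (needs pdo_sqlite).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE templates (id INTEGER PRIMARY KEY, colorset TEXT, font TEXT)');
$db->exec("INSERT INTO templates VALUES (1, 'blue', 'serif'), (2, 'dark', 'mono')");

/**
 * Look up a template from the untrusted "preferences" cookie value.
 * Returns the row, or null when the value is not an integer in range
 * or no such template exists. (Hypothetical helper, not GoodGoodCMS code.)
 */
function loadTemplate(PDO $db, ?string $cookieValue): ?array
{
    // 1. Allow-list the shape: the value must parse as an integer within a
    //    bounded range. Quotes, semicolons and SQL keywords fail this check
    //    before any query is built.
    $id = filter_var($cookieValue, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000000]]);
    if ($id === false || $id === null) {
        return null;
    }
    // 2. Bind the value as a typed parameter so it is never parsed as SQL,
    //    even if the validation above is later loosened.
    $stmt = $db->prepare('SELECT colorset, font FROM templates WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed cookie values: a legitimate one, one shaped like the post's
// payload, and an absent cookie. In a real page the argument would be
// $_COOKIE['preferences'] ?? null.
$samples = [
    '2',
    "1; UPDATE admin_table SET password='yihaa' WHERE id=1",
    null,
];
foreach ($samples as $value) {
    $row = loadTemplate($db, $value);
    printf("%-60s => %s\n", var_export($value, true),
        $row === null ? 'rejected / not found' : json_encode($row));
}
```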