
SQLi & XSS ATTACK practical demonstration

Posted By HinD On 1:56 PM






We have all attended many conferences on hacking and come across terms like phishing, SQLi, and nowadays XSS.

But what happens there is that we don't get a chance to do it ourselves, so that we can see it, in fact feel it, happening.
So I thought of writing a small tutorial on XSS and SQLi. By chance, thanks to a friend, I found both on the same site, so it was easy for me to give the explanation as well as the demonstration.

First: SQLi
What is SQLi?
SQLi is the SQL injection vulnerability, which is mainly due to poor coding of the website, at the part where the database query is handled without a handling condition for errors.

What is XSS?
To get the idea of XSS, please refer to my previous post on XSS anatomy structure.


We are taking this website as the example: http://www.lilinet.com/

Proceed step by step and you will understand how SQLi and XSS work:

STEP1:
Open the site and go to the login panel. Here we will be using the SQLi vulnerability, i.e. what most people like to call the magic figure ' or 1=1-- . I won't explain the working and the concept behind this here; if you want, we will discuss this later.


After this, click OK. Boom: you are inside the panel of some trusted user, actually the user whose user id=1. It is that user's profile you get access to; I will discuss the reasons later in the SQLi tutorials.
This was a basic SQLi vulnerability.

STEP2:
That was the practical demonstration of SQLi; now we move on to the demonstration of XSS.
Since we are logged in to the user profile, go to the member section to see the XSS demonstration, and in the name section type {u}carter; instead of carter you can type any name. Here, replace the { } of {u} with < >. These are basic HTML tags, and even the blog's behaviour depends on them, so to show you the proper syntax I have to write { }. See the picture and you will get a better idea.






After entering the name like your name and clicking apply changes, you will see that your name appears underlined. This tells us that basic HTML tag filtering is not enabled on this website.
Let's try other HTML tags, like marquee. I have tried all of these and, trust me, it worked. For example, try {marquee}Hacked ,,,,,,,,,,,,,,,,,,{/marquee} in the name section and see its effect after clicking apply changes.
For the same reason, replace { } with < > respectively.

To confirm that it's not a temporary change, let's change sections, say go to the home section. Voilà, the name has not changed: in my case it is still the underlined carter; in your case it will depend on whatever name you keep.
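
Why both steps work, and what the site's code would need to stop them, shown as an added example that is not part of the original post or the site's code. The table layout, function names and sample rows are assumptions constructed for illustration; the login query is built by string concatenation beside its parameterized form, and the member name is rendered with and without HTML escaping.

```python
import html
import sqlite3

def make_db():
    # Constructed sample data; the schema is an assumption, not the site's.
    # Passwords are plaintext only to keep the sample short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, "
               "username TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)",
                   [(1, "admin", "pw-one"), (2, "carter", "pw-two")])
    return db

def login_vulnerable(db, username, password):
    # Input is pasted into the SQL text. A quote in the input closes the
    # string literal, and "--" comments out the rest of the statement,
    # including the password check.
    sql = ("SELECT id FROM members WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    # Placeholders send the input as data; it is never parsed as SQL.
    row = db.execute(
        "SELECT id FROM members WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def render_name_unescaped(name):
    # Stored name is written into the page as-is, so tags in it are live.
    return '<span class="member">%s</span>' % name

def render_name_escaped(name):
    # html.escape turns < > & and quotes into entities at output time.
    return '<span class="member">%s</span>' % html.escape(name)

if __name__ == "__main__":
    db = make_db()
    magic = "' or 1=1--"  # the string from step 1
    # With concatenation every row matches and the first row back is id 1,
    # which is why the login lands in the profile of the user with id=1.
    print(login_vulnerable(db, magic, "x"))
    print(login_parameterized(db, magic, "x"))
    print(render_name_unescaped("<u>carter</u>"))
    print(render_name_escaped("<u>carter</u>"))
```

Escaping at output time matters here because the name is stored and shown again on every page that displays it, which is the persistence observed in the home section.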


That's it. CONGRATULATIONS GUYS, YOU HAVE BEEN ABLE TO HACK AN ACCOUNT

Go, have fun, play a few free games, but don't damage the website because cyber crime law is very strict, and trust me, you guys don't want to mess with it.

NOTE:
1. This information is only for educational purposes; the website admin has been informed of the loopholes, so they might get fixed.
2. This tutorial is only meant for educational purposes; the author is not responsible for any illegal use.


IF YOU GUYS LIKE THIS THEN PLEASE TELL ME HERE, OR IF YOU DON'T LIKE IT THEN PLEASE SUGGEST WHAT ELSE COULD BE DONE. I WANT TO MAKE THIS BLOG MORE INFORMATIVE IN THE FIELD OF CYBER SECURITY.
my e-mail id: s1ayer.icw@gmail.com


Some more experiments done on that website...





electronic signature
March 15, 2011 at 5:23 AM

Hacking is such an interesting and sensitive topic to discuss, but we often cannot try it ourselves or we don't know how to try it. But thanks for posting it here, I'll surely try it as it's almost harmless. Quite interesting blog it is. Keep it up.
