So I was doing (trying) some hacking work and got interested in XSS.
echo $_GET['cmd'];
Let's assume the above code is my vulnerable site page: a single line of PHP code.
I tried page?cmd=<script>alert('hi');</script>
which executed an alert dialogue
Now I need to process PHP. I know the page is already loaded, and even if I pass PHP functions they will be in the source code but won't execute. Is there a way to get it to execute?
UPDATE:
The code I am passing is
<script>alert('Hit');document.write('<?php echo "HI"');</script>
And the "Hi" alert is coming in and the PHP code is also written, but like this when you open the source code:
<html><head></head>
<body>
<script>
alert('Hit');
document.write('<?php echo "HI"');
</script>
<!--?php echo "HI"; ?-->
</body>
</html>
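An added example, not part of the original post: the post's one-line page beside an HTML-encoding version, run over the string from the update. The function names and the `$sample` array are assumptions made for illustration; PHP tags that arrive in `cmd` are ordinary output bytes by the time `echo` runs, so the server never interprets them and the browser's HTML parser turns them into a comment.

```php
<?php
declare(strict_types=1);

// Added example; function names are hypothetical, not from the post.

/** The post's behaviour: the parameter is reflected verbatim. */
function render_vulnerable(array $query): string
{
    return (string)($query['cmd'] ?? '');
}

/** Hardened form: HTML-encode on output so markup becomes inert text. */
function render_hardened(array $query): string
{
    $value = $query['cmd'] ?? '';
    if (!is_string($value)) {
        // A request such as ?cmd[]=x delivers an array; treat it as empty.
        $value = '';
    }
    return htmlspecialchars(
        $value,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
}

// Constructed sample input: the string from the post's update.
$sample = [
    'cmd' => "<script>alert('Hit');document.write('<?php echo \"HI\"');</script>",
];

// The PHP interpreter has already finished parsing the script when this
// string is emitted, so the embedded PHP tag is only text in the response.
echo "vulnerable: ", render_vulnerable($sample), "\n";

// Encoded output: the browser displays the characters instead of parsing
// a script element, so the alert no longer fires either.
echo "hardened:   ", render_hardened($sample), "\n";
```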