What is Second-Order SQL Injection?
When any un-sanitized user inputs are stored directly in the database and this stored data is used to craft another SQL queries, an attacker can modify the intended behavior of the actual query by applying the payload. This situation is called a Second-Order SQL Injection.
How does Second-Order SQL Injection work?
Second-Order SQL Injection requires two queries first one to store the data (payload) and the second one for exploitation. Actually, the first request is not required to be vulnerable to SQL Injection as it is just used to save the payload to the database. The second request which is vulnerable to SQL Injection is using the un-sanitized user input which was saved in the database by the first request. Payload saved by the first request will be reflected in the query of the second request and it will be exploited.
How to exploit Second-Order SQL Injection?
How does Second-Order SQL Injection work?
Second-Order SQL Injection requires two queries first one to store the data (payload) and the second one for exploitation. Actually, the first request is not required to be vulnerable to SQL Injection as it is just used to save the payload to the database. The second request which is vulnerable to SQL Injection is using the un-sanitized user input which was saved in the database by the first request. Payload saved by the first request will be reflected in the query of the second request and it will be exploited.
How to exploit Second-Order SQL Injection?
Let's understand the exploitation by the example of blogs. Let's assume that the blog application allows users to add custom tags for his blog and there is a feature of filtering the blogs from tags. let's see how can this situation can be exploited via Second-Order SQL Injection. Please take a look at following query which is saving the blog:
INSERT INTO blogs (blog_title, blog_body, tag, author_id) VALUES ('Second_Order SQL Injection', 'this is the blog to explain 2nd order SQL Injection', 'myTag');
INSERT INTO blogs (blog_title, blog_body, tag, author_id) VALUES ('Second_Order SQL Injection', 'this is the blog to explain 2nd order SQL Injection', 'myTag');
Let's assume that the following query is used to filter the blogs by tags:
SELECT blog_title from blogs WHERE tag = 'myTag';
SELECT blog_title from blogs WHERE tag = 'myTag';
An attacker can exploit this situation by applying payload to tag name as shown following example:
INSERT INTO blogs (blog_title, blog_body, tag, author_id) VALUES ('Second_Order SQL Injection', 'this is the blog to explain 2nd order SQL Injection', 'myTag' UNION SELECT CONCAT(username,'||',password) FROM user;--')
INSERT INTO blogs (blog_title, blog_body, tag, author_id) VALUES ('Second_Order SQL Injection', 'this is the blog to explain 2nd order SQL Injection', 'myTag' UNION SELECT CONCAT(username,'||',password) FROM user;--')
In the above query, the red-colored text is the payload saved in the tag parameter. [myTag' UNION SELECT CONCAT(username,'||', password) FROM user;--] This payload will be executed by the second request as shown in the following query :
SELECT blog_title from blogs WHERE tag = 'myTag' UNION SELECT CONCAT(username,'||',password) FROM user;--
SELECT blog_title from blogs WHERE tag = 'myTag' UNION SELECT CONCAT(username,'||',password) FROM user;--
As we can see in the example above, we will get the username and password of all users concated by the “||”. We can try to get any information about any table of the database as further exploitation.
To know more about the exploitation of the other types of SQL Injection, please read my next blogs.
0 Comments