Second Order SQL Injection - Something Is Hidden Inside

Jerry Shah (Jerry)
Jul 31, 2020

Summary :

Everyone knows what SQL Injection is, but as a brief recap: it is a code injection technique that might destroy your database. It usually occurs when you ask a user for input, like their username or user ID, and instead of a name or ID, the user gives you a SQL statement that you will unknowingly run on your database.

Example :

In SQL Injection 1=1 is always a true condition. If there is nothing to prevent a user from entering wrong input, a user can enter something like this :

True Condition 1=1

The SQL statement above is valid and will return all the rows from the “Users” table, since OR 1=1 is always a TRUE condition.

In SQL Injection, ""="" is also a true condition. For example, see the user login below :

True condition “=”

A hacker might get access to user names and passwords in a database by simply inserting " OR ""=" into the user name or password text box.

Password text box

The code at the server will create a valid SQL statement like this :

Result

The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.

So these were the basics of SQL Injection. Let’s move on to “Second Order SQL Injection”.

What is Second Order SQL Injection ?

Second Order SQL Injection takes place when a web application takes input from the user and stores it in the database after escaping all the SQL meta-characters. When that stored input is later used by the same application in a database transaction without escaping the user-supplied data, the result is known as Second Order SQL Injection.

Instance of Second Order SQL Injection

To perform a Second Order SQL Injection attack, you need to know how the application's operations are performed on the back-end.

In simple terms, the exploit scenario looks like this: a user supplies a SQL statement, which is stored by the application. Later, that statement is used by the same user on the same web application to perform the attack.

How to find this vulnerability ?

1. Go to your target website and try a SQL statement to detect SQL Injection

SQL OR Condition 'or''='

From the above error you can see that this application is vulnerable to a SQL Injection attack. Let’s exploit Second Order SQL Injection.

2. Go to Sign Up page and enter SQL Payload, because it will store the user-supplied data

Entering SQL Payload

3. Now come back to the login panel and enter the same payload 'or''=' in the Username and Password fields

Enter Payload 'or''='

4. You’ll be logged in directly

Logged In
Some Info

I was logged into another user’s profile, where I found some credentials.

Credentials

SQL Injection Cheat Sheet : http://www.securityidiots.com/Web-Pentest/SQL-Injection/

Mitigation : (Credits - PortSwigger)

The most effective way to prevent this kind of attack is to use parameterized queries, which are also known as prepared statements. One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks.
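To make the definition and the mitigation above concrete, here is an added example (not code from the original post): a sign-up that doubles quotes on input, a later lookup that concatenates the stored username into a new query, and the parameterized fix. The table layout, function names and sample accounts are assumptions constructed for illustration, run against an in-memory SQLite database.

```python
import sqlite3

PAYLOAD = "'or''='"  # the string used on this page, entered as a sign-up username


def escape_quotes(value):
    """Quote doubling: the 'escape on input' defence the text describes."""
    return value.replace("'", "''")


def register(conn, username, email):
    # First order: input is escaped before concatenation, so this INSERT is
    # not injectable. The database then stores the ORIGINAL, unescaped string.
    sql = "INSERT INTO users (username, email) VALUES ('%s', '%s')" % (
        escape_quotes(username), escape_quotes(email))
    return conn.execute(sql).lastrowid


def stored_username(conn, user_id):
    return conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]


def lookup_vulnerable(conn, user_id):
    # Second order: the value read back from the database is treated as
    # trusted and concatenated into a new statement without escaping.
    name = stored_username(conn, user_id)
    sql = "SELECT email FROM users WHERE username = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    # Fix: bind the stored value as a parameter, exactly like fresh input.
    name = stored_username(conn, user_id)
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE username = ?", (name,))]


def demo():
    # Constructed sample data: two ordinary accounts plus the payload account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    register(conn, "alice", "alice@example.test")
    register(conn, "bob", "bob@example.test")
    uid = register(conn, PAYLOAD, "tester@example.test")
    return stored_username(conn, uid), lookup_vulnerable(conn, uid), lookup_safe(conn, uid)


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every account's email because the stored value closes the string literal and adds an always-true condition, while the parameterized lookup returns only the row whose username equals the stored string.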
