Second Order SQL Injection - Something Is Hidden Inside


Summary :

Everyone knows what SQL Injection is, but to give a brief recap: it is a code injection technique that can destroy your database. It usually occurs when you ask a user for input, such as a username or user id, and instead of a name or id the user supplies a SQL fragment that you unknowingly run against your database.

Example :

In SQL Injection, 1=1 is always a true condition. If there is nothing to prevent a user from entering malformed input, a user can enter something like this :

[Figure: True Condition 1=1]

The SQL statement above is valid and will return all the rows from the “Users” table, since OR 1=1 is always a TRUE condition.

In SQL Injection ""="" is also a true condition. For example, see the user login below :

[Figure: True condition ""=""]

A hacker might get access to user names and passwords in a database by simply inserting " OR ""=" into the user name or password text box.

[Figure: Password text box]

The code at the server will create a valid SQL statement like this :

[Figure: Result]

The SQL above is valid and will return all rows from the “Users” table, since OR ""="" is always TRUE.

So those were the basics of SQL Injection. Let’s move on to “Second Order SQL Injection”.

What is Second Order SQL Injection ?

Second Order SQL Injection takes place when a web application accepts input from the user and stores it in the database after escaping all the SQL meta-characters, so the first query is safe. When the same application later reads that stored value back and uses it in another database transaction without escaping it, the injection fires at that second point; this is what is known as Second Order SQL Injection.

[Figure: Instance of Second Order SQL Injection]

In order to perform a Second Order SQL Injection attack you need to understand how the application’s operations are performed on the back-end, in particular where stored data is read back into later queries.

In simple terms the exploit scenario is this: a user supplies a SQL statement which the application stores. Later, that stored statement is used by the same user on the same web application to perform the attack.
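The store-then-reuse flow described above, as an added example that is not part of the original post: at sign-up the application doubles single quotes before inserting the username (so that INSERT is not injectable), but a later profile lookup reads the stored name back and concatenates it into a new query without escaping. The Users and Profiles tables, the account "alice" and its secret, and the payload ' or ''=' are all constructed for the demo; SQLite is used so it runs offline.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
EXISTING_USERS = [("alice", "s3cret")]
EXISTING_PROFILES = [("alice", "alice-api-key")]


def make_db():
    """In-memory database with one pre-existing user and her profile secret."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Pass TEXT)")
    conn.execute("CREATE TABLE Profiles (Owner TEXT, Secret TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", EXISTING_USERS)
    conn.executemany("INSERT INTO Profiles VALUES (?, ?)", EXISTING_PROFILES)
    return conn


def escape_quotes(value):
    """The 'double up single quotes' defence applied at input time."""
    return value.replace("'", "''")


def signup_escaped(conn, username, password):
    """First use of the input: quotes are doubled, so this INSERT is safe.

    The database un-doubles the quotes on the way in, so the ORIGINAL
    payload (with single quotes intact) is what ends up stored.
    """
    conn.execute("INSERT INTO Users VALUES ('%s', '%s')"
                 % (escape_quotes(username), escape_quotes(password)))
    conn.execute("INSERT INTO Profiles VALUES ('%s', 'no secret yet')"
                 % escape_quotes(username))


def stored_username(conn, username):
    """Read the username back exactly as the database stored it."""
    row = conn.execute("SELECT Name FROM Users WHERE Name = ?", (username,)).fetchone()
    return row[0]


def profile_unsafe(conn, username):
    """Second use: the value came from our own database, so it is trusted
    and concatenated without escaping. With the stored payload the query is
      WHERE Owner = '' or ''=''
    and every profile row comes back, not just the caller's."""
    sql = "SELECT Owner, Secret FROM Profiles WHERE Owner = '" + username + "'"
    return conn.execute(sql).fetchall()


def profile_safe(conn, username):
    """Hardened second use: a parameterized query, so the stored value
    is matched literally and only the caller's own profile is returned."""
    return conn.execute(
        "SELECT Owner, Secret FROM Profiles WHERE Owner = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' or ''='"
    signup_escaped(conn, payload, "pw")          # safe at this point
    name = stored_username(conn, payload)         # comes back as ' or ''='
    print("stored as:", repr(name))
    print("unsafe lookup:", profile_unsafe(conn, name))  # alice's secret leaks
    print("safe lookup:  ", profile_safe(conn, name))    # only own row
```

The lesson the example shows is that escaping at the point of input protects only the first query; any later query that re-reads the value must bind it as a parameter too, because the database hands the original characters back unchanged.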

How to find this vulnerability ?

1. Go to the target website and submit a test SQL payload to detect SQL Injection

[Figure: SQL OR Condition ‘or’’=’]

From the error above you can see that this application is vulnerable to SQL Injection; now let’s exploit Second Order SQL Injection.

2. Go to the Sign Up page and enter the SQL payload, because the application will store this user-supplied data

[Figure: Entering SQL Payload]

3. Now come back to the login panel and enter the same payload ‘or’’=’ in the Username and Password fields

[Figure: Enter Payload ‘or’’=’]

4. You’ll be logged in directly

[Figure: Logged In]

[Figure: Some Info]

I was logged into another user’s profile, where I found some credentials.

[Figure: Credentials]

SQL Injection Cheat Sheet : http://www.securityidiots.com/Web-Pentest/SQL-Injection/

Mitigation : (Credits - PortSwigger )

The most effective way to prevent this kind of attack is to use parameterized queries, also known as prepared statements, for every query that touches user-supplied data, including data read back from the database. One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query; by the page’s own definition this protects only the query that stores the value, not a later query that reuses it. Another often-cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks.


Written by

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|
