Second Order Injection - SQLMap
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
SQLMap can exploit Second Order SQLis. You need to provide:
The request where the sqlinjection payload is going to be saved
The request where the payload will be executed
The request where the SQL injection payload is saved is indicated as in any other injection in sqlmap. The request where sqlmap can read the output/execution of the injection can be indicated with --second-url
or with --second-req
if you need to indicate a complete request from a file.
Simple second order example:
In several cases this won't be enough because you will need to perform other actions apart from sending the payload and accessing a different page.
When this is needed you can use a sqlmap tamper. For example the following script will register a new user using sqlmap payload as email and logout.
A SQLMap tamper is always executed before starting a injection try with a payload and it has to return a payload. In this case we don't care about the payload but we care about sending some requests, so the payload isn't changed.
So, if for some reason we need a more complex flow to exploit the second order SQL injection like:
Create an account with the SQLi payload inside the "email" field
Logout
Login with that account (login.txt)
Send a request to execute the SQL injection (second.txt)
This sqlmap line will help:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)