diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 5bbe8bad..d8fb8539 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -357,15 +357,60 @@ In short, the result of the first SQL query is used to build the second SQL quer ## Second Order SQL Injection Second Order SQL Injection is a subtype of SQL injection where the malicious SQL payload is primarily stored in the application's database and later executed by a different functionality of the same application. +Unlike first-order SQLi, the injection doesn’t happen right away — it’s **triggered in a separate step**, often in a different part of the application. -```py -username="anything' UNION SELECT Username, Password FROM Users;--" -password="P@ssw0rd" +### ⚙️ How It Works + +1. User submits input that is stored (e.g., during registration or profile update). +2. That input is saved **without validation**. +3. Later, the application retrieves and uses the stored data in a SQL query. +4. If this query is built unsafely, the injection is triggered. + +### Example Scenario + +#### **Step 1: Malicious User Registers** + +```text +Username: attacker' -- +Email: attacker@example.com ``` -Since you are inserting your payload in the database for a later use, any other type of injections can be used UNION, ERROR, BLIND, STACKED, etc. +Stored in DB as: + +```sql +INSERT INTO users (username, email) VALUES ('attacker\' --', 'attacker@example.com'); +``` + +✅ No error yet — payload is saved. + +#### Step 2: Admin Dashboard Later Uses Username + +```python +# Backend code +query = "SELECT * FROM logs WHERE username = '" + user_from_db + "'" +``` + +If `user_from_db = attacker' --`, this becomes: + +```sql +SELECT * FROM logs WHERE username = 'attacker' --' +``` + +🔥 Query is broken → Injection succeeds. + +### Where and How to Test Payloads + +| 🔍 Application Area | 🧪 Field to Inject | 💣 Why It's Vulnerable | ⏱️ When Injection Triggers | +|------------------------|--------------------------|-----------------------------------------------------------|-------------------------------------------| +| User Registration | `username`, `email` | Values stored, reused in logs or admin views | When admin views logs or user profile | +| Profile Update | `display name`, `bio` | Reused in dashboards or internal reporting tools | When data is retrieved by another user | +| Feedback/Contact Forms | `subject`, `message` | Stored in DB, emailed or inserted into analytics queries | When viewed or processed by admin | +| Support Ticket System | `ticket title`, `details`| May be reused in SQL joins, search features | When admin searches or filters tickets | +| Comment Systems | `username`, `comment` | Appears in other queries like moderation tools | When moderator queries by username | + ## Generic WAF Bypass +--- ### White Spaces