Second Order SQL Injection - Something Is Hidden Inside

4 years ago 216
BOOK THIS SPACE FOR AD
ARTICLE AD

Shrey Shah (Jerry)

Image for post

Image for post

Summary :

Everyone knows what is SQL Injection, but just to give you a brief about SQL Injection, it is a code injection technique that might destroy your database. It usually occurs when you ask user for input, like their username or userid, and instead of a name or id, the user gives you SQL statement that you will unknowingly run on your database.

Example :

In SQL Injection 1=1 is always a true condition. If there is nothing to prevent a user from entering wrong input, a user can enter something like this :

Image for post

Image for post

True Condition 1=1

The SQL statement above is valid and will return all the rows from the “Users” table, since OR 1=1 is always a TRUE condition.

In SQL Injection “ “=” ” is also a true condition. For example see the below user login :

Image for post

Image for post

True condition “=”

A hacker might get access to user names and passwords in a database by simply inserting “ OR “”=” into the user name or password text box.

Image for post

Image for post

Password text box

The code at the server will create a valid SQL statement like this :

Image for post

Image for post

Result

The SQL above is valid and will return all rows from the “Users” table, since OR “”=”” is always TRUE.

So this was the basic of SQL Injection. Let’s move to “Second Order SQL Injection”.

What is Second Order SQL Injection ?

Second Order SQL Injection takes place when a web application takes user input from the user and stores that input into the database by escaping all the SQL meta-characters. Now when that input is used by the same application to do a database transaction without escaping that user supplied data is known as Second Order SQL Injection.

Image for post

Image for post

Instance of Second Order SQL Injection

In order to perform Second Order SQL Injection attack you should have the knowledge of how an application’s operations are getting performed on the back-end.

In simple terms the exploit scenario will be like, a user is supplying sql statement which is stored by the application. Later that statement is used by the same user on the same web application to perform the attack.

How to find this vulnerability ?

Go to your target website and try for SQL statement to detect SQL Injection

Image for post

Image for post

SQL OR Condition ‘or’’=’

From the above error you can check that this application is vulnerable to SQL Injection attack, let’s exploit Second Order SQL Injection.

2. Go to Sign Up page and enter SQL Payload, because it will store the user-supplied data

Image for post

Image for post

Entering SQL Payload

3. Now again come back to the login panel and enter the same payload ‘or’’=’ in Username and password field

Image for post

Image for post

Enter Payload ‘or’’=’

4. You’ll be logged in directly

Image for post

Image for post

Logged In

Image for post

Image for post

Some Info

I was logged into some another user’s profile where I found some credentials.

Image for post

Image for post

Credentials

SQL Injection Cheat Sheet : http://www.securityidiots.com/Web-Pentest/SQL-Injection/

Mitigation : (Credits - PortSwigger )

Most effective way to prevent this kind of attacks is to used parameterized queries which are also known as prepared statements. One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks.

Image for post

Image for post

Read Entire Article