![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2021\/05\/Second-Order-SQL-Injection-1-1024x573.png\" "\\"Second")
<\/p>\n<\/p>\n
Second Order SQL Injection Attack are those which are not widely discussed. Important to know that these cannot be detected by tools or via scanning. One needs to understand the application logic and flow of the applications to detect this vulnerability. These attacks are based on the logical flaw in the web application so by conducting the Secure\/ Source Code Review<\/a> anyone can a better understanding of the application flows which helps to detect such injection attacks.<\/p>\n Generally, an Injection attacks happen when the developer trusts the input or fails to sanitize user input to build up the query being used in the application. The primary reason or cause for injection vulnerabilities is usually insufficient user input validation.<\/p>\n <\/p>\n To illustrate the vulnerability, let us consider a website that has User login, signup, and password change functionality.<\/p>\n Fig: 1.1: Login Page<\/p>\n In Fig-1.2 there are two users in the database in the \u2018users<\/strong>\u2019 table.<\/p>\n Fig: 1.2: Pre-registration database<\/p>\n Let us consider a new user registers, then login and changes the password. It\u2019s a very common functionality among all dynamic web applications.\u00a0 Firstly, the users are required to either signup or sign in. Here in Fig 1.3 new user sign-up with username \u2018test<\/strong>\u2019 and password \u2018123456<\/strong>\u2019.<\/p>\n Fig: 1.3: New User Registered \u2013 Creating an account<\/p>\n In Fig-1.4 we observe that a \u2018test<\/strong>\u2019 user is created in the database.<\/p>\n Fig: 1.4: Post-registration database<\/p>\n To Perform Second Order SQL Injection an attacker will register with the following username<\/p>\n \u2018test\u2019 —<\/strong>\u2019 and creates the new account.<\/p>\n Fig: 1.5: New User Registered<\/p>\n Fig: 1.6:: User Successfully Registered<\/p>\n In Fig-1.7 we observe that \u2018test\u2019 —<\/strong> \u2019 user is created in the database.<\/p>\n Fig: 1.7: Post-registration database<\/p>\n Now the attacker login with the \u2018test\u2019 —<\/strong>\u2019 account and go to change password functionality and then changes the password.<\/p>\n Fig: 1.8: Login Form<\/p>\n Fig: 1.9: Change Password Functionality<\/p>\n In Fig 1.9 as there is password change functionality, the attacker will change the password from \u201cabc\u201d to \u201chacked\u201d <\/strong>and click on the \u2018Reset\u2019 <\/em>button.<\/p>\n Note that the username is\u00a0\u2018test\u2019 —<\/strong>\u00a0\u2019<\/strong>so below is the query processing in the backend in MySQL to update the password.<\/p>\n UPDATE users SET password=’hacked’<\/p>\n WHERE username=’test’–‘ and password=’abc’<\/p>\n <\/p>\n As the username in WHERE clause is\u00a0\u2018test\u2019 \u2013\u2019<\/strong>,\u00a0 after\u00a0—<\/strong> the query will get discarded and it will consider\u00a0 ‘and password=’abc’<\/strong> as a comment because in MySQL\u00a0—<\/strong>\u00a0is used to start comments<\/a>. So Logically query ends up like: –<\/p>\n UPDATE users\u00a0 SET password=’123′\u00a0 WHERE username=’test’<\/p>\n <\/p>\n The Query results in updating the password for the user\u00a0\u2018<\/strong>test<\/strong>\u2019<\/strong>\u00a0instead of\u00a0\u2018<\/strong>test\u2018 —<\/strong>\u2019<\/strong>. Henceattacker has performed Second-Order SQLInjection<\/em> successfully. For demonstration, we have considered \u2018test<\/strong>\u2019 user but its common most of the websites have users as admin, administrator, etc. It is very easy to guess such usernames and an attacker can perform the attack on such guessable usernames or accounts.<\/p>\n <\/p>\n Post-Exploitation of the attack we can login into the database and check the \u2018users<\/strong>\u2019 table:<\/p>\n We can observe that password of the \u2018test<\/strong>\u2019 user is changed instead of \u2018test\u2019 —<\/strong>\u2019.<\/p>\n Fig: 1.10:\u00a0Successful Second Order SQL Injection<\/p>\n <\/p>\n The success rate of identifying a first-order SQL Injection is common as compared with the second-order SQL injection.<\/p>\n <\/p>\n With the successful exploitation of this vulnerability, a remote user or an attacker can compromise the user account. Any successful attack will result in an impact on CIA (Confidentiality, Integrity, and Availability) of the critical data.<\/p>\n <\/p>\n <\/p>\n <\/p>\n Author,<\/p>\n Mohammed Musharraf Raza<\/strong><\/p>\n Attack & Pentest Team<\/p>\n Varutra Consulting Pvt. Ltd.<\/p>","protected":false},"excerpt":{"rendered":" Second Order SQL Injection Attack: Second Order SQL Injection Attack are those which are not widely discussed. Important to know that these cannot be detected…<\/p>\n","protected":false},"author":4,"featured_media":12272,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[57,272],"tags":[425,424],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\tExploitation Scenario – Second Order SQL Injection with Example:<\/u><\/strong><\/h3>\n
![\"Login](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/05\/Login-Page.png\")
<\/p>\n![\"Pre-registration](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/05\/Pre-registration-database.png\")
<\/p>\n![\"New](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/05\/New-User-Registered-\u2013-Creating-an-account.png\")
<\/p>\n![\"Post-registration](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/05\/Post-registration-database.png\")
<\/p>\n![\"New](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/05\/New-User-Registered.png\")
<\/p>\n![\"User](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/05\/User-Successfully-Registered.png\")
<\/p>\n![\"Post-registration](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/05\/Post-registration-database-2.png\")
<\/p>\n![\"Login](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/05\/Login-Form.png\")
<\/p>\n![\"Change](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/05\/Change-Password-Functionality.png\")
<\/p>\n![\"Successful](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/05\/Successful-Second-Order-SQL-Injection.png\")
<\/p>\nAttack Probability:<\/u><\/strong><\/h3>\n
\n
Impact:<\/u><\/strong><\/h3>\n
Recommendation:<\/u><\/strong><\/h3>\n
\n
References:<\/u><\/strong><\/h3>\n
\n