SQL Injection: Second Order


Postby Cyber Arch » Sat Mar 23, 2024 1:21 am

You might think that escaping single quotes in string-based user input that is used for database transactions will prevent SQL injection, but this is not always the case when single quotes are escaped inconsistently (as we will see in this tutorial).

Basically, a second-order SQL injection takes place when one piece of functionality in a web application takes input from a user, escapes (does not strip) all SQL metacharacters, and inserts that input into a database. Next, some other piece of functionality in the same application uses that stored data to craft another SQL query for a database transaction, without escaping the data first (bad idea!). The database transaction performed by the second piece of functionality introduces a SQL injection bug in the web application, known as a second-order SQL injection.

Here is an easy example. Following are the two pieces of functionality with their respective code (select.php and insert2.php).

select.php:

Code:

<?php
// Ported from the removed mysql_* extension to mysqli; the logic is unchanged.
error_reporting(0);
if (isset($_REQUEST["submit"]))
{
    mysqli_report(MYSQLI_REPORT_OFF);   // keep query errors silent, as the original did
    $conn = mysqli_connect('localhost', 'root', '');
    if (!$conn)
        die('Not connected : ' . mysqli_connect_error());

    if (!mysqli_select_db($conn, 'mysql'))
        die('Can\'t use mysql : ' . mysqli_error($conn));

    // First query: the user-supplied name is escaped, so this statement is not injectable.
    $sql = "select * from datastore where name='" . addslashes($_POST["name"]) . "'";
    echo "You ran the sql query=" . $sql . "<br/>";
    $result = mysqli_query($conn, $sql);
    $row = mysqli_fetch_row($result);

    // Second query: $row[2] (the stored fname) is spliced in with no escaping at all.
    // Whatever the user managed to store in fname now runs as SQL.
    $sql1 = "select * from datastore where fname='" . $row[2] . "'";
    echo "The web application ran the sql query internally=" . $sql1 . "<br/>";
    $result1 = mysqli_query($conn, $sql1);
    $row1 = mysqli_fetch_row($result1);

    mysqli_close($conn);
    echo "<br><b><center>Database Output</center></b><br><br>";
    echo "<b>$row1[0]</b><br>Age: $row1[1]<br>First Name: $row1[2]<br>Last Name: $row1[3]<br><hr><br>";
}
?>


insert2.php:

Code:

<?php
// Ported from the removed mysql_* extension to mysqli; the logic is unchanged.
if (isset($_REQUEST["submit"]))
{
    mysqli_report(MYSQLI_REPORT_OFF);
    $conn = mysqli_connect('localhost', 'root', '');
    if (!$conn)
        die('Not connected : ' . mysqli_connect_error());

    if (!mysqli_select_db($conn, 'mysql'))
        die('Can\'t use mysql : ' . mysqli_error($conn));

    // Every string field is escaped and age is cast to an integer, so this INSERT
    // is not injectable. The escaping only protects this one statement, though:
    // the value that lands in the table is the raw input, single quotes included.
    $sql_statement = "INSERT into datastore (name,age,fname,lname) values ('" .
        mysqli_real_escape_string($conn, $_REQUEST["name"]) . "', " .
        intval($_REQUEST["age"]) . ", '" .
        mysqli_real_escape_string($conn, $_REQUEST["fname"]) . "', '" .
        mysqli_real_escape_string($conn, $_REQUEST["lname"]) . "')";
    echo "You ran the sql query=" . $sql_statement . "<br/>";
    mysqli_query($conn, $sql_statement) or die(mysqli_error($conn));
    mysqli_close($conn);
    echo "Data inserted successfully";
}
?>


The first piece of functionality (select.php) uses the data stored in the fname column to craft a SQL query, fetch data from the database and show it on the front end. The second (insert2.php) inserts data into the database. To make it easier to follow, all the SQL queries run by the web application are also shown on the front end.

We can use this code (the examples) through the application's pages in order to exploit the vulnerability and execute an arbitrary query in the database. Similarly, we can use more advanced SQL to gain unauthorized access to the database.
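The flow described in the post, as an added example that is not part of the original post or its PHP code: the two endpoints are modelled in Python against an in-memory SQLite database (assumed here in place of MySQL, with SQLite's quote doubling standing in for mysql_real_escape_string), and the parameterised version of the select.php lookup is placed beside the vulnerable one. The table, the victim row and the two attacker payloads are constructed for the example; the `sqlite_master` read goes a step beyond the post's tautology payload to show the "arbitrary query" it mentions.

```python
"""Second-order SQL injection, end to end, against an in-memory SQLite database.

insert_record() plays the part of insert2.php (escapes on the way in) and
lookup_vulnerable() the part of select.php (reuses the stored fname without
escaping on the way out). lookup_safe() is the parameterised fix.
"""
import sqlite3

# Constructed attacker inputs for the fname field.
PAYLOAD_OR = "' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT type, name, tbl_name, sql FROM sqlite_master --"


def escape(value: str) -> str:
    """SQLite-style quote doubling; stands in for mysql_real_escape_string().

    It protects only the statement it is spliced into. Once that statement
    runs, the database holds the raw value, single quotes and all.
    """
    return value.replace("'", "''")


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE datastore (name TEXT, age INTEGER, fname TEXT, lname TEXT)"
    )
    return conn


def insert_record(conn, name, age, fname, lname):
    # insert2.php: every string is escaped and age is cast, so this INSERT is safe.
    sql = (
        "INSERT INTO datastore (name, age, fname, lname) VALUES ('%s', %d, '%s', '%s')"
        % (escape(name), int(age), escape(fname), escape(lname))
    )
    conn.execute(sql)
    conn.commit()


def lookup_vulnerable(conn, name):
    """select.php: escaped first hop, unescaped second hop. Returns (rows, sql1)."""
    row = conn.execute(
        "SELECT * FROM datastore WHERE name='%s'" % escape(name)
    ).fetchone()
    if row is None:
        return [], ""
    # row[2] is fname exactly as the user stored it; no escaping here.
    sql1 = "SELECT * FROM datastore WHERE fname='%s'" % row[2]
    return conn.execute(sql1).fetchall(), sql1


def lookup_safe(conn, name):
    """Same two queries with bound parameters; stored data can never become SQL."""
    row = conn.execute("SELECT * FROM datastore WHERE name=?", (name,)).fetchone()
    if row is None:
        return []
    return conn.execute("SELECT * FROM datastore WHERE fname=?", (row[2],)).fetchall()


def demo():
    conn = new_db()
    insert_record(conn, "admin", 40, "Ada", "Root")        # constructed victim row
    insert_record(conn, "mallory", 30, PAYLOAD_OR, "X")    # tautology payload
    insert_record(conn, "trudy", 31, PAYLOAD_UNION, "Y")   # schema-read payload

    stored = conn.execute(
        "SELECT fname FROM datastore WHERE name='mallory'"
    ).fetchone()[0]
    or_rows, or_sql = lookup_vulnerable(conn, "mallory")
    union_rows, union_sql = lookup_vulnerable(conn, "trudy")
    safe_rows = lookup_safe(conn, "mallory")
    return {
        "stored": stored,          # the raw payload survived escaping untouched
        "or_sql": or_sql,
        "or_rows": or_rows,        # every row in the table, admin included
        "union_sql": union_sql,
        "union_rows": union_rows,  # the CREATE TABLE text pulled from sqlite_master
        "safe_rows": safe_rows,    # just mallory's own row
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The point the stored value makes is that escaping is a property of one statement, not of the data: `stored` comes back equal to the payload that was typed, so any later query that concatenates it is as exposed as if the input had never been escaped. Binding parameters on both hops, as `lookup_safe` does, is the only version of select.php that returns just the requested row.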
