Skip to content
Ultimate Degree

Second-Order SQL Injection

Instead of attacking immediately (like traditional SQL injection), the malicious input lies dormant in the database until it’s used in a later operation.

Key Concepts

  • Two-Stage Attack:
    • The attacker first injects a payload into the database.
    • The payload is then executed in a later operation.
  • Delayed Execution:
    • The payload is not executed immediately.
    • It’s executed in a later operation.

How It Differs from Traditional SQL Injection

First-Order SQL Injection

-- User input directly causes SQL injection
SELECT * FROM users WHERE username = 'input' OR '1'='1'

Second-Order SQL Injection

-- Stage 1: Data Storage (Safe)
INSERT INTO users (username) VALUES ('malicious_input')


-- Stage 2: Later Usage (Vulnerable)
SELECT * FROM audit_log WHERE user =
    (SELECT username FROM users WHERE id = 1)

Examples

User Registration System

  1. Initial Storage
-- User registers with username: robert'); DROP TABLE users;--
INSERT INTO users (username) VALUES ('robert''); DROP TABLE users;--')
-- Data is properly escaped and stored
  1. Later Usage
-- Application generates a report
SELECT activity FROM logs WHERE user = 'robert'); DROP TABLE users;--'
-- Stored username is used directly, causing SQL injection

User Profile Updates

-- Stage 1: Store username
username = "joe' --"
INSERT INTO users (username) VALUES (?)  -- Parameterized, safe
-- Stage 2: Update profile (vulnerable)
query = "UPDATE users SET email='" + newEmail +
        "' WHERE username='" + stored_username + "'"

Password Change Functionality

-- Stage 1: Store security question
question = "favorite_color') --"
INSERT INTO security_questions (question) VALUES (?) -- Safe
-- Stage 2: Password reset (vulnerable)
query = "SELECT answer FROM security_questions WHERE user_id=" +
        userId + " AND question='" + stored_question + "'"

Why It’s Often Overlooked

  1. False Sense of Security: Developers may assume that data is safe once it’s stored in the database.
  2. Complex Data Flow: The delayed execution makes it harder to trace the source.
  3. Different Components: The injection may occur in a different part of the application than the original input.