0xma Cyber Security Articles

March 13, 2022

Second Order SQL Injection - Example 1

In this tutorial, we will see how to perform a second order SQL injection and read the contents of the database. In a second order SQL injection, the attacker's input is injected into the database and is later used in a SQL query when a user accesses some other functionality of the same application.

The web application is running the snake game. Upon running the game, the scores are saved in the database.

Main page of the web application.

This shows the snake game.

The snake game.

The "Scoreboard" page saves the best 10 scores of the user that is playing the game.

Scoreboard of the game.

The "Global Leaderboard" page displays the top 10 players.

Global Leaderboard of the game.

Now that we have an understanding of the web application, let's go to the profile of the current user.

Clicking on the profile link.

We can see that the name of the user is "0xma".

User profile page.

Let's change it to "0xma'". We add a single quote after the name.

Modifying the username.

After modifying the user name we see that the Scoreboard page shows a SQL syntax error.

SQL syntax error in the Scoreboard page.

The Global Leaderboard page is unaffected. The injected name only reaches the query behind the Scoreboard page, so that is the only place where our input is interpreted as SQL.

Global Leaderboard page.
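The following added example (not code from the original article or from the game's source, whose schema is unknown) reproduces the behaviour seen above in a few lines of Python with SQLite. The profile update is parameterized, so the quote is stored without incident; the scoreboard query then splices the stored name into SQL text and fails. The hardened version binds the name as a parameter instead. Table and column names (`users.name`, `scoreboard.user_name`, `score`, `played_at`) are assumptions chosen to mirror the page's "Username", "Score" and "Time" sections.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema; names are assumed, not the app's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE scoreboard (user_name TEXT NOT NULL, score INTEGER NOT NULL,
                                 played_at TEXT NOT NULL);
        INSERT INTO users VALUES (1, '0xma');
        INSERT INTO scoreboard VALUES ('0xma', 120, '2022-03-13 10:00');
        INSERT INTO scoreboard VALUES ('0xma', 95,  '2022-03-13 10:05');
    """)
    return conn


def current_name(conn, user_id):
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]


def update_name(conn, user_id, new_name):
    # The profile form is parameterized, so a quote in the name is stored verbatim
    # and nothing breaks here. That is what makes the bug "second order": the stored
    # value only does damage when another feature reuses it unsafely.
    conn.execute("UPDATE users SET name = ? WHERE id = ?", (new_name, user_id))
    conn.commit()


def save_score(conn, user_id, score, played_at):
    # A new game is recorded under whatever name the user currently has.
    conn.execute("INSERT INTO scoreboard VALUES (?, ?, ?)",
                 (current_name(conn, user_id), score, played_at))
    conn.commit()


def scoreboard_vulnerable(conn, user_id):
    """Scoreboard query that splices the stored name into SQL text.

    Trusting the value because it came from our own database is the mistake;
    the tutorial's application shows the resulting error on the page.
    """
    name = current_name(conn, user_id)
    sql = ("SELECT user_name, score, played_at FROM scoreboard "
           f"WHERE (user_name = '{name}') ORDER BY score DESC LIMIT 10")
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"


def scoreboard_fixed(conn, user_id):
    """Same query with the name bound as a parameter: it is always data, never SQL."""
    name = current_name(conn, user_id)
    return conn.execute(
        "SELECT user_name, score, played_at FROM scoreboard "
        "WHERE (user_name = ?) ORDER BY score DESC LIMIT 10", (name,)).fetchall()


def demo():
    """Returns (before, after) pairs of (vulnerable result, fixed result)."""
    conn = make_db()
    before = (scoreboard_vulnerable(conn, 1), scoreboard_fixed(conn, 1))
    update_name(conn, 1, "0xma'")                 # the rename from the tutorial
    save_score(conn, 1, 77, "2022-03-13 10:10")   # one more game under the new name
    after = (scoreboard_vulnerable(conn, 1), scoreboard_fixed(conn, 1))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before rename:", before)
    print("after rename :", after)
```

Before the rename both versions return the same two rows. After it, the concatenating version returns a syntax error string (an unterminated string literal, which is the error the Scoreboard page shows), while the parameterized version simply treats `0xma'` as an ordinary name and returns the one score recorded under it. The fix is the same as for any injection: bind every value, including ones read back from your own tables, rather than deciding which inputs are "trusted enough" to concatenate.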

Now we close the original SQL statement with "')" and comment out the rest of it. The "-- -" starts a SQL comment, so whatever the application appends after our input is ignored instead of being executed.

SQL injection by commenting out.

Now that we have commented out the rest of the SQL statement, we can see that the SQL syntax error is gone from the Scoreboard page.

Scoreboard page displays no output.

Next, we use the SQL UNION operator to identify how many columns are displayed in the Scoreboard page and in which sections. This page provides more information about the UNION operator.

SQL UNION injection attack by displaying 1, 2, and 3.

We can see that all three integers (1, 2, and 3) are displayed in the page. This means the query returns three columns that are rendered on the page, so the SQL injection can output database contents in these three sections.

Scoreboard displays 1, 2, and 3.

This statement queries information_schema.tables to print the database names and the names of the tables within those databases (table_name).

SQL injection to display table names and database names.

We can see that the "Username" section contains the database names and the "Score" section contains the table names. We are interested in the "db" database, which contains the following tables: failed_logins, scoreboard and users.

Scoreboard displays table names and database names.

This outputs the table names in the "Score" section and the column names in those tables in the "Time" section.

SQL injection to display table names and column names.

We are interested in the "users" table, which contains important user information such as usernames and passwords. In the following screenshot we can see only three column names, but there are other columns such as name and password.

Scoreboard displays the table names and column names.

The following SQL statement extracts three columns (name, email, and password) from the "users" table.

SQL injection to display names, emails, and passwords.

This displays the names, emails and password hashes.

Scoreboard displays the names, emails and password hashes.

If you liked reading this article, you can follow me on Twitter: 0xmaCyberSec.