GitBook: [master] one page modified

CPol 2020-07-22 22:00:44 +00:00 committed by gitbook-bot
parent 24704530e2
commit a61d9efa5f
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF

@ -4,23 +4,23 @@
You need to provide:
* The **request** where the **sqlinjection payload** is going to be saved
* The **request** where it can find the **output** of this injection
* The **request** where the **payload** will be **executed**
The request where the SQL injection payload is saved is **indicated as in any other injection in sqlmap**. The request **where sqlmap can read the output** of the injection can be indicated with `--second-url` or with `--second-req` if you need to indicate a complete request.
The request where the SQL injection payload is saved is **indicated as in any other injection in sqlmap**. The request **where sqlmap can read the output/execution** of the injection can be indicated with `--second-url` or with `--second-req` if you need to indicate a complete request from a file.
**Simple second order example:**
```bash
#Get the outout with a GET to a url
#Get the SQL payload execution with a GET to a url
sqlmap -r login.txt -p username --second-url "http://10.10.10.10/details.php"
#Get the ouput sending a custom request from a file
#Get the SQL payload execution sending a custom request from a file
sqlmap -r login.txt -p username --second-req details.txt
```
In several cases **this won't be enough** because you will need to **perform other actions** apart from sending the payload and read a different page.
In several cases **this won't be enough** because you will need to **perform other actions** apart from sending the payload and accessing a different page.
When this is needed you can user a sqlmap tamper. For example the following script will logout, register and login using a cookie.
When this is needed you can use a **sqlmap tamper**. For example the following script will register a new user **using sqlmap payload as email** and logout.
```python
#!/usr/bin/env python
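Review bot: the third request is now described three different ways in this hunk ("where the **payload** will be **executed**" in the list, "read the output/execution" in the paragraph, "Get the SQL payload execution" in the code comments), which blurs what `--second-url` and `--second-req` are for. Suggest one wording throughout, for example "the request that triggers the stored payload and whose response sqlmap reads", and fixing "sqlinjection" in the first bullet while this list is being touched. The new tamper sentence would also read better as "using the sqlmap payload as the email, and then log out".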
@ -50,14 +50,14 @@ def tamper(payload, **kwargs):
return payload
```
A **SQLMap tamper is always executed before starting a injection with a payload** a**nd it has to return a payload**. In this case we don't care about the payload but we care about sending some requests, so the payload isn't changed.
A **SQLMap tamper is always executed before starting a injection try with a payload** **and it has to return a payload**. In this case we don't care about the payload but we care about sending some requests, so the payload isn't changed.
So, if for some reason we need a more complex flow to exploit the second order SQLinjection like:
So, if for some reason we need a more complex flow to exploit the second order SQL injection like:
* Create an account with the SQLi payload inside the "email" field
* Logout
* Login with that account
* Send a request to execute the SQL injection
* Login with that account \(login.txt\)
* Send a request to execute the SQL injection \(second.txt\)
**This sqlmap line will help:**
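Review bot: the step list now tags the last two steps with `login.txt` and `second.txt`, but nothing in this hunk says which sqlmap option each file is passed to, and the simple example earlier on the page uses `details.txt` for the second request. Suggest naming the options in the steps (the earlier example passes the first file with `-r` and the second with `--second-req`) and using one file name for the second request across the page. In the tamper sentence, "a injection try" should be "an injection attempt", and since the tamper runs before every attempt it is worth stating that the requests it sends are repeated for each payload.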