Second-order automation usually fails because the **payload storage request works**, but the **execution request is noisy, stateful, or protected**. When that happens, the following flags are usually more useful than adding more payloads:
84
+
85
+
```bash
86
+
sqlmap -r login.txt -p email \
87
+
--second-req second.txt \
88
+
--csrf-token csrf \
89
+
--csrf-url https://target.tld/profile \
90
+
--csrf-method POST \
91
+
--live-cookies cookies.txt \
92
+
--safe-req keepalive.txt \
93
+
--safe-freq 1 \
94
+
--string "Welcome back" \
95
+
--text-only
96
+
```
97
+
98
+
-`--csrf-token`, `--csrf-url`, `--csrf-method`: Useful when the store or trigger request needs a fresh anti-CSRF token on every attempt.
99
+
-`--live-cookies`: Reload cookies before each request. Useful when a browser/Burp macro is refreshing session state in the background.
100
+
-`--safe-req` and `--safe-freq`: Keep the workflow alive when the application logs you out or invalidates the session after a few failed probes.
101
+
-`--string`, `--not-string`, `--regexp`, `--code`, `--text-only`: Useful when the second-order response contains banners, ads, timestamps, or user-generated junk that makes diffing unstable.
102
+
103
+
## When `--tamper` is not enough
82
104
105
+
`tamper.py` is still the easiest way to **register a payload, log out, log in again, and trigger execution**. However, on modern targets it is often cleaner to move some of the logic to **request/response hooks**:
106
+
107
+
-`--preprocess`: Modify the full HTTP request before it is sent. Useful when a second-order flow needs an extra nonce, an extra parameter, or header normalization.
108
+
-`--postprocess`: Clean the HTTP response before sqlmap compares it. Useful when the second-order sink is wrapped in dynamic HTML and only a small fragment is stable.
109
+
110
+
Example request/response hooks:
111
+
112
+
```python
113
+
#!/usr/bin/env python
114
+
defpreprocess(req):
115
+
if req.data:
116
+
req.data +=b"&preview=1"
117
+
```
83
118
119
+
```python
120
+
#!/usr/bin/env python
121
+
import re
122
+
defpostprocess(page, headers=None, code=None):
123
+
page = re.sub(br"<span>Generated at .*?</span>", b"", page orb"")
124
+
return page, headers, code
125
+
```
126
+
127
+
## Important limitations
128
+
129
+
- Do **not assume** that `--second-req` will replay the same payload inside a `*` placeholder in the second request. If the trigger request also needs the injected value (or a derived version of it), a custom `tamper`, `--preprocess`, or a local proxy is usually required.
130
+
- Do **not rely on**`--eval` for the second request. Official usage documents `--eval` for the primary request flow; if the second request also needs per-attempt mutations, handle them inside your helper scripts instead.
131
+
132
+
This pattern is especially useful when the payload is stored in places such as:
133
+
134
+
- Filenames or image metadata that are queried later
135
+
- Registration/profile fields later consumed by admin panels
136
+
- Sorting/filtering preferences saved server-side and replayed later
137
+
- Workflow state that is only executed after a preview, export, or moderation action
138
+
139
+
## References
140
+
141
+
-[sqlmap official usage wiki](https://github.com/sqlmapproject/sqlmap/wiki/Usage)
142
+
-[Second Order SQLi: Automating with sqlmap](https://jlajara.gitlab.io/Second_order_sqli)
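Review bot: the `preprocess` hook appends `&preview=1` to `req.data` unconditionally, so it corrupts any request body that is not form-encoded (JSON or multipart) and adds a duplicate `preview` parameter if the recorded request already carries one; guard on the Content-Type and on `b"preview=" not in req.data` before appending. In the `postprocess` hook, `re.sub(br"<span>Generated at .*?</span>", b"", page or b"")` only works if sqlmap hands `page` in as bytes; if it arrives as decoded text the bytes pattern raises a TypeError, so either state which type the hook expects or handle both. Also, as displayed, `defpreprocess(req):` and `page orb""` lack the space after `def` and `or`, and the bullets that begin `-`--csrf-token`` lack the space after the dash; if that is the committed content rather than a rendering artifact, the Python blocks will not import and the bullets will not render as a list.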