Overview
The payload is stored in the database through one feature (registration, profile update) and executes later, when another feature reads the stored value and uses it in a SQL query without sanitization. Input is sanitized on insert but not on retrieval.
How It Works
Common Injection Points
| Store Here | Triggers Here |
|---|---|
| Username | Profile page, password reset, admin panel |
| | Notification system, search, export |
| Address | Order processing, invoice generation |
| Comment | Admin review panel, moderation page |
| Filename | File listing, download feature |
Example — Password Reset
Register
Trigger — Change Password
Application runs:newpass.
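The password reset case above as runnable code, added here as an illustration and not taken from the original page: it shows the change-password query built by concatenation next to the parameterized form that fixes it. The table layout, function names and sample passwords are assumptions, SQLite stands in for the application's database, and passwords are kept in plaintext only to keep the example short.

```python
import sqlite3

STORED_NAME = "admin'-- -"  # username from the page, registered by the attacker

def make_db():
    """Constructed sample data. Plaintext passwords only to keep this short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Registration binds parameters, so the quote is stored as plain data.
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "admin-secret"), (STORED_NAME, "attacker-pw")])
    return db

def stored_username(db, login):
    # Second feature: the name is read back from the database and is
    # (wrongly) treated as trusted because it came from our own table.
    row = db.execute("SELECT username FROM users WHERE username = ?", (login,))
    return row.fetchone()[0]

def change_password_vulnerable(db, login, old, new):
    name = stored_username(db, login)
    # Concatenation: the stored quote closes the literal and "-- -" comments
    # out the old-password check, so the WHERE clause matches 'admin'.
    db.execute(f"UPDATE users SET password = '{new}' "
               f"WHERE username = '{name}' AND password = '{old}'")

def change_password_fixed(db, login, old, new):
    name = stored_username(db, login)
    # Bound parameters: the stored value can only ever be compared as data.
    db.execute("UPDATE users SET password = ? WHERE username = ? AND password = ?",
               (new, name, old))

def passwords(db):
    return dict(db.execute("SELECT username, password FROM users"))

def demo():
    results = {}
    for label, change in (("vulnerable", change_password_vulnerable),
                          ("fixed", change_password_fixed)):
        db = make_db()
        change(db, STORED_NAME, "attacker-pw", "newpass")
        results[label] = passwords(db)
    return results

if __name__ == "__main__":
    for label, state in demo().items():
        print(label, state)
```

The fix belongs in the query that consumes the stored value: every statement binds its inputs, whether they arrive from the request or from the application's own tables.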
Example — Profile Update
Register
Trigger
Application displays profile with:
Example — Data Exfiltration
Store
Trigger
Appears on admin dashboard, export CSV, or email notification that renders the stored value in a query.
Testing Methodology
- Identify all input fields that store data
- Inject payloads in each field (registration, profile, settings)
- Navigate to every feature that reads those fields
- Monitor for SQL errors or unexpected data
- Check admin panels, reports, search, export features
Useful Payloads
SQLmap Second-Order
--second-url = page where stored payload is triggered.
Quick Reference
| Step | Action |
|---|---|
| Store | Inject payload via registration/profile/settings |
| Trigger | Visit page that queries stored data |
| Password reset | Register as admin'-- -, change password |
| SQLmap | --second-url="http://TARGET/trigger-page" |