Enigma Group's Articles
Second Order Code Injection Explained - Submitted By: t3hmadhatt3r 2009-05-19 21:00:40
Hello everyone. In this tutorial I will explain the basic concept of second order code injection.

Ok, let's get started with the basic idea behind second order injection. Second order code injection means injecting code into a part of the application where it is stored and only processed later, by a different feature or a different user. It can involve any kind of code injection, but it is mostly XSS and sometimes SQL.

Alright, now I'll give you a few examples. We will start with XSS and then go to SQL. Second order XSS usually involves injecting code into server logs, a "my details" page, or messages to the admin. Injecting into the logs is pretty simple and very effective as long as the admin checks the logs periodically. Here are some examples.

Using the HTTP request line
Code:

GET /</textarea><script>alert("xss")</script>

Injecting into the User-Agent header.
Code:

User-Agent: </textarea><script>alert("xss")</script>

Note: I use Burp Proxy to change the request and the User-Agent, and you can do the same. Just download the Burp Suite from http://portswigger.net/suite/

Both of these close the <textarea> tag and display an alert. Pretty simple, but as you all know you could steal cookies or perform XSRF and make yourself an admin account! The danger of log injection is huge because even if the admin is careful about the links he clicks, he will still be XSSed when he views the logs. Another thing you could do to hide the attack is use an iframe to hide the scripts altogether. So that basically covers log injection (HTTP logs), but you could also try injecting scripts into FTP logs, telnet logs, SMTP logs etc., if the logs are viewed in HTML.

Now onto injecting into your "my details" page. Usually no one would care if you could XSS your own "my details" page because only you can see it, but you could inject some code into your page and send a message to the staff / admins telling them your "my details" page is messed up and asking them to take a look. That way they will view your profile with their admin/moderator account and give you their cookies, privileges to make new admin accounts, or anything else you needed. Now I think everyone knows that if a PM system has XSS anyone could own the site, so I won't go into that because it is essentially the same thing as the other examples.
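The log-viewer side of this, as an added example that is not part of the original tutorial: a small parser for Apache "combined" access-log lines (the log lines below are constructed, not real traffic) that renders them into an admin HTML table with output encoding, beside the unsafe rendering the tutorial relies on, plus a cheap detector that flags entries whose request line or User-Agent contains markup so a log-injection attempt can be alerted on rather than discovered in a browser. The field names, regex and table layout are this example's own assumptions.

```python
import html
import re

# Constructed Apache "combined" access-log lines (not real traffic). The
# third line carries a payload of the kind the tutorial puts in User-Agent.
SAMPLE_LOG = r'''
192.0.2.10 - - [19/May/2009:21:00:40 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [19/May/2009:21:00:41 +0000] "GET /login HTTP/1.1" 200 128 "-" "curl/7.19"
192.0.2.12 - - [19/May/2009:21:00:42 +0000] "GET / HTTP/1.1" 200 64 "-" "</textarea><script>alert(1)</script>"
'''.strip()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
MARKUP_RE = re.compile(r'<[A-Za-z/!]')  # start of an HTML tag or comment

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    return m.groupdict()

def render_row_unsafe(entry):
    # The pattern the tutorial exploits: stored fields pasted straight into
    # the admin's HTML log view, so markup in User-Agent becomes live markup.
    return "<tr><td>%(ip)s</td><td>%(req)s</td><td>%(ua)s</td></tr>" % entry

def render_row(entry):
    # The fix: encode at output time, for the HTML text context, every field
    # that came from a client, no matter what was filtered when it was logged.
    cells = [html.escape(entry[k], quote=True) for k in ("ip", "req", "ua")]
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"

def render_table(log_text):
    rows = [render_row(parse_line(line)) for line in log_text.splitlines()]
    return "<table>" + "".join(rows) + "</table>"

def flag_markup(log_text):
    """(line_no, field, value) for entries whose request line or User-Agent
    looks like HTML: a cheap signal for alerting on log-injection attempts."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        for field in ("req", "ua"):
            if MARKUP_RE.search(entry[field]):
                hits.append((n, field, entry[field]))
    return hits
```

The same output-encoding rule applies to any other log the admin views in a browser (FTP, SMTP, telnet); the encoding belongs at the point of rendering, not at the point of logging.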

Now onto SQL. Second order SQL injection is usually a lot harder to find because most people strip the meta-characters needed to perform an attack, but I will show you one example anyway. Let's say this site has a self-register function and the site escapes all dangerous characters like single quotes, double quotes and semicolons when they are received from a user (the filter is an input filter), but not when the stored values are read back out and reused. One attack we could do is registering an account called admin'-- with the password password. Then go to the change password feature and change our password. This will also change the password of the admin, because the '-- ends the query early, making the username look like admin, not admin'--. The SQL query would look something like this.

Code:

UPDATE users SET password = 'newpass' WHERE username = 'admin'--' AND password = 'password';

So our username admin'-- is ending the query, making the username look like admin and only admin, and everything after -- (including the old-password check) is treated as a comment. This allows us to change the admin's password. Cool huh?
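The whole second-order flow in runnable form, as an added example that is not part of the original tutorial: registration escapes quotes on input (so the INSERT is safe and the raw admin'-- string is what gets stored), the later password change concatenates the stored username back into a query, and the parameterised version of that same query is shown beside it. The table layout, passwords and function names are this example's own constructed assumptions, using Python's sqlite3.

```python
import sqlite3

def esc(s):
    # The tutorial's input-side defence: escape quotes when a value arrives.
    return s.replace("'", "''")

def make_db():
    """Constructed user table: a real admin plus the attacker-registered
    account whose username is literally admin'-- (the tutorial's scenario)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    for user, pw in (("admin", "s3cret"), ("admin'--", "password")):
        # Registration escapes on input, so this INSERT is safe and the
        # un-escaped string admin'-- is what ends up stored in the table.
        db.execute("INSERT INTO users VALUES ('%s', '%s')" % (esc(user), esc(pw)))
    db.commit()
    return db

def change_password_vulnerable(db, stored_username, old_pw, new_pw):
    # Second-order flaw: the username is read back from the database, treated
    # as already-safe, and concatenated into a new query with no encoding.
    # With admin'-- the text after -- is a comment, so only username = 'admin'
    # remains in the WHERE clause and the old-password check disappears too.
    sql = ("UPDATE users SET password = '%s' WHERE username = '%s' "
           "AND password = '%s'" % (new_pw, stored_username, old_pw))
    db.execute(sql)
    db.commit()

def change_password_fixed(db, stored_username, old_pw, new_pw):
    # Parameterised query: the stored username travels as data, never as SQL
    # text, so admin'-- can only match the row literally named admin'--.
    db.execute("UPDATE users SET password = ? WHERE username = ? AND password = ?",
               (new_pw, stored_username, old_pw))
    db.commit()

def password_of(db, username):
    return db.execute("SELECT password FROM users WHERE username = ?",
                      (username,)).fetchone()[0]

def run_change(change_fn):
    """Log in as admin'-- , change the password via change_fn, and report
    both accounts' stored passwords so the difference is visible."""
    db = make_db()
    change_fn(db, "admin'--", "password", "owned")
    return {"admin": password_of(db, "admin"),
            "admin'--": password_of(db, "admin'--")}
```

The point to take away is that escaping at input time only protects the statement it was done for; every later statement that reuses stored data needs its own binding, which parameterised queries give you for free.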

These are just a few of the things you can do with second order injection. Anything that stores data and displays or processes it at a later time could be vulnerable.

Well, that is second order code injection explained simply. I will explain some of the things that could be vulnerable in more depth in later tutorials. Please leave comments and suggestions.

Comment By: jalal77 2011-08-02 15:27:12
Cool tut, but if you explain with an example then it can be nicer. Anyway, thanks, keep it up.
