creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-10 21:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
Anthropic-Cybersecurity-Skills/skills/performing-second-order-sql-injection/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

88 lines
2.6 KiB
Markdown
Raw Permalink Blame History

# Second-Order SQL Injection - API Reference
## Attack Overview
Second-order SQL injection occurs when user-supplied data is stored in a database and later incorporated into SQL queries without sanitization. Unlike first-order SQLi, the injection payload is not executed at the point of input but at a secondary execution point.
**Attack Flow:**
1. Attacker submits payload via input form (e.g., username registration)
2. Application safely stores the payload in database (parameterized INSERT)
3. Application later retrieves the stored value
4. Stored value is concatenated into a new SQL query without sanitization
5. Injection executes at the secondary query point
## SQL Injection Patterns
| Pattern | Example | Risk |
|---------|---------|------|
| UNION SELECT | `' UNION SELECT password FROM users--` | Data exfiltration |
| Tautology | `' OR 1=1--` | Authentication bypass |
| Stacked queries | `'; DROP TABLE users--` | Data destruction |
| Time-based blind | `'; WAITFOR DELAY '0:0:5'--` | Data extraction |
| Error-based | `' AND CONVERT(int, @@version)--` | Information disclosure |
## Code Sink Patterns (Vulnerable Code)
### Python (dangerous)
```python
cursor.execute(f"SELECT * FROM orders WHERE user='{username}'")
cursor.execute("SELECT * FROM orders WHERE user='%s'" % username)
```
### Python (safe - parameterized)
```python
cursor.execute("SELECT * FROM orders WHERE user=%s", (username,))
```
### PHP (dangerous)
```php
$query = "SELECT * FROM orders WHERE user='" . $username . "'";
```
## Database Dump Format
The agent expects JSON format for database analysis:
```json
{
"users": [
{"id": 1, "username": "admin", "email": "admin@example.com"},
{"id": 2, "username": "' UNION SELECT 1,2,3--", "email": "test@test.com"}
],
"comments": [
{"id": 1, "body": "Normal comment"},
{"id": 2, "body": "'; DROP TABLE users--"}
]
}
```
## Data Flow Tracing
The agent correlates stored payloads with code sinks by matching table/column names referenced in source code queries against tables containing injection payloads.
## Prevention
- Use parameterized queries (prepared statements) everywhere
- Apply output encoding when using stored data in queries
- Implement stored procedure-based data access
- Use an ORM that auto-parameterizes queries
- Validate data on both input AND retrieval from database
## Output Schema
```json
{
"report": "second_order_sql_injection",
"total_findings": 15,
"stored_payloads": 5,
"code_sinks": 8,
"confirmed_attack_paths": 2,
"findings": [{"type": "confirmed_attack_path", "severity": "critical"}]
}
```
## CLI Usage
```bash
python agent.py --db-dump database.json --source /app/src --output report.json
```
Reference in New Issue View Git Blame Copy Permalink