Abstract: With the environment of new Web technologies, three kinds of second-order SQL injection techniques were proposed: blind second-order SQL injection, second-order SQL injection attacks the operating system and client second-order SQL injection. Experiments show that second-order SQL injection vulnerabilities exist widely in Web applications, and the proposed new second-order injection techniques can effectively commit attacks both server and client.

Key words: SQL; second order SQL injection; blind injection; attack payload