Infinity - SQL Injection - Second Strike
Overview
A walkthrough of exploiting second-order SQL injection in the update-username feature on the Infinity platform. By injecting into an UPDATE query, we escalated privileges from a regular user to admin without needing to know any credentials.
Vulnerability: Boolean-based SQL Injection
Step 1: Identify the Input Field
Open the challenge and locate the input fields on the register and login forms:
Step 2: Try to predict backend behavior
First, let's imagine the SQL query the backend runs when an account is registered:
INSERT INTO users (username, password, is_admin) VALUES ('chosen_name','chosen_password',0);
Every new user is created with is_admin=0.
Step 3: Try to predict the update functionality
UPDATE users SET username='NEW_USERNAME' WHERE username='CURRENT_USERNAME';
We have access to change the username:
I will try to break the SQL query and set is_admin=1: t4t4r1s' , is_admin=1 where username='mustafa'--
- t4t4r1s: the new username
- , : lets us add a second assignment to the query
- is_admin=1: gives our user admin privileges
- username: the old username we created the account with
Submit the username update and wait 120 s.
Key Takeaways
- SQL Injection doesn’t only happen in login or search — any input that touches the database is a target, including profile update features.
- Second-Order SQLi is dangerous because the injection happens at a different point than where the input was entered — harder to detect.
- UPDATE queries can modify more columns than intended — always think about what other fields exist in the same table.
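The fix for the takeaways above, as an added example that is not code from the challenge: the same rename is applied once by pasting the stored value into the UPDATE text and once with bound parameters. The pending_renames queue and the two worker functions are assumptions that model the delayed update; the page does not show the real backend.

```python
import sqlite3

# The string quoted in the write-up; every other value here is constructed.
PAYLOAD = "t4t4r1s' , is_admin=1 where username='mustafa'--"


def fresh_db():
    """Schema guessed in the write-up, plus a hypothetical rename queue."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    db.execute("CREATE TABLE pending_renames (current_name TEXT, new_name TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, 0)", ("mustafa", "constructed-pw"))
    return db


def request_rename(db, current, new):
    """First step: the request is stored with bound parameters, so nothing breaks here."""
    db.execute("INSERT INTO pending_renames VALUES (?, ?)", (current, new))


def worker_concatenated(db):
    """Delayed job that trusts stored values and pastes them into the SQL text."""
    for current, new in db.execute("SELECT * FROM pending_renames").fetchall():
        db.execute(f"UPDATE users SET username='{new}' WHERE username='{current}'")


def worker_parameterized(db):
    """Same job with bound parameters: stored values stay data at the point of use."""
    for current, new in db.execute("SELECT * FROM pending_renames").fetchall():
        db.execute("UPDATE users SET username = ? WHERE username = ?", (new, current))


def run(worker):
    """Queue the rename, run the given worker, and return the users table."""
    db = fresh_db()
    request_rename(db, "mustafa", PAYLOAD)
    worker(db)
    return db.execute("SELECT username, is_admin FROM users").fetchall()


if __name__ == "__main__":
    print("concatenated worker :", run(worker_concatenated))
    print("parameterized worker:", run(worker_parameterized))
```

With the parameterized worker the whole string becomes the new username and is_admin stays 0, which is why values read back from the database need the same binding as values that arrive directly from a form.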
Happy Hacking!





