Out-of-Band (OOB) SQL Injection

Lee Chun How
Dec 10, 2019 · 5 min read

Out-of-Band (OOB) SQL Injection is not a new attack; it has been discussed for a few years. The purpose of this write-up is to share and summarize findings from my research. For a detailed discussion of the research, refer to the paper published at Academia and Zenodo. The queries discussed in the paper are available on GitHub.

Compared with in-band and blind SQL injection, OOB SQL injection exfiltrates data through an outbound channel, which can be either the DNS or the HTTP protocol. Whether a database system can initiate an outbound DNS or HTTP request depends on the functions available to it. These can be file operation functions (for instance load_file() or master..xp_dirtree) or connection-establishing functions (for instance DBMS_LDAP.INIT or UTL_HTTP.request). To exploit OOB SQL injection, the targeted web and database servers must fulfil the following conditions:

  1. Lack of input validation in the web application
  2. A network environment that allows the targeted database server to initiate outbound requests (either DNS or HTTP) to the public Internet without restriction by security perimeters
  3. Sufficient privileges to execute the function needed to initiate the outbound request

The following figure illustrates the flow of OOB SQL Injection. In this write-up, a Burp Collaborator server is used to listen for and capture the outbound requests initiated by the database system. Burp Collaborator server is a component of Burp Suite Enterprise with a unique FQDN; it sits in the cloud for the purpose of receiving any outbound request pointed at it.

DNS-based exfiltration:

The following is a sample query for DNS-based exfiltration from MariaDB, one of the forks of the MySQL database. For Microsoft SQL Server, PostgreSQL and Oracle Database, refer to the paper mentioned above. The query exfiltrates the database version, username and password from MariaDB. The load_file() function is used to initiate the outbound DNS request, and a period (.) is used as the delimiter to organise the display of the captured data.

The DNS outbound requests from MariaDB captured by the Burp Collaborator server are shown below:

HTTP-based exfiltration:

Oracle Database is used to demonstrate HTTP-based exfiltration using the UTL_HTTP.request function. The following sample query exfiltrates the database version, current username and hashed password from the database. The purpose of UTL_HTTP.request() is to make the database system issue an HTTP request. The strings version, user and hashpass label the captured data so that it looks like the parameters of an HTTP request.

The following shows the HTTP request captured by the Burp Collaborator server:

Advanced OOB SQL Injection

Domain and subdomain names have their own specification and format. Each label (subdomain) may be at most 63 characters, and the full domain name may be at most 253 characters in total. Besides that, a domain name may only contain letters, numbers and hyphens (-). These rules limit data exfiltration over the DNS channel. Fragmentation and encoding are two methods that can be used to overcome the limitations.

The following is a sample query that combines the fragmentation and encoding methods for exfiltration from Microsoft SQL Server. The SUBSTRING function splits the extracted raw data into two parts, and base64 encodes each fragment before it is sent to the Burp Collaborator server.

The following figures show the encoded, fragmented data captured by the Burp Collaborator server.

The captured fragments need to be merged in sequence before decoding. The following shows the edition of Microsoft SQL Server after base64 decoding.
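As an added example (not part of the original write-up), the following Python detection logic looks at the conditions from the introduction and the DNS limits above from the defender's side: it scans constructed resolver log lines for queries from the database server to zones it should not be contacting, flags the long, high-entropy labels that the 63-character limit forces exfiltrated data into, and decodes base64 fragments in log order. The database host address, zone names and log lines are assumptions constructed for this example.

```python
import base64
import math
from collections import Counter

# Constructed sample resolver log: (source host, queried name). 10.0.5.20 is
# assumed to be the database server; "oob-collab.example" stands in for a
# collaborator-style listener and is a placeholder, not a real domain.
DNS_LOG = [
    ("10.0.5.20", "updates.example.org"),
    ("10.0.5.20", "ntp.pool.example.net"),
    ("10.0.5.20", "TWljcm9zb2Z0IFNRTA.oob-collab.example"),
    ("10.0.5.20", "IFNlcnZlciAyMDE3.oob-collab.example"),
]
ALLOWED_ZONES = {"example.org"}  # zones the DB server legitimately resolves

def entropy(s):
    """Shannon entropy in bits per character; encoded data scores high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def zone_of(name):
    """Simplification: the last two labels are treated as the zone."""
    return ".".join(name.split(".")[-2:])

def suspicious_labels(name, min_len=16, min_entropy=3.5):
    """Labels that look like encoded payload. Because a label is capped at
    63 characters, exfiltrated data shows up as long, high-entropy labels."""
    return [lbl for lbl in name.split(".")
            if len(lbl) >= min_len and entropy(lbl) >= min_entropy]

def detect(log, db_hosts):
    """(host, zone, label) for DB-server queries to unexpected zones that
    carry payload-looking labels."""
    return [(host, zone_of(name), lbl)
            for host, name in log
            if host in db_hosts and zone_of(name) not in ALLOWED_ZONES
            for lbl in suspicious_labels(name)]

def decode_fragment(label):
    """Decode one base64 fragment. '=' is not a legal DNS character, so the
    sender drops padding and the decoder has to restore it."""
    try:
        padded = label + "=" * (-len(label) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""

def reassemble(findings):
    """Each SUBSTRING piece was encoded on its own, so decode each fragment
    separately and join in log order; this works for any fragment length."""
    return "".join(decode_fragment(lbl) for _, _, lbl in findings)
```

Running `reassemble(detect(DNS_LOG, {"10.0.5.20"}))` on the constructed log recovers the two fragments as one string; tune the length and entropy thresholds against the DB server's normal query names before alerting on them.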

Combining the HTTP- and DNS-based exfiltration methods produces a chained SQL injection. In the section below, both Oracle Database and MariaDB are used to demonstrate the chaining; the flow of the chain is shown below:

The following is a sample query for the chaining. The inner part of the query triggers the DNS outbound request from MariaDB, and the outer part triggers the HTTP outbound request from Oracle DB.

The following shows the data captured from MariaDB at the end of the chain.

Recommendation

  1. Input validation on both the client and the server side
  2. Proper error handling that avoids displaying detailed error information
  3. Review of the network and security architecture design
  4. Assignment of database accounts to applications based on the least privilege principle
  5. Implementation of security controls such as a Web Application Firewall (WAF) and an Intrusion Prevention System (IPS) as additional controls
  6. Continuous monitoring for anomalies and proper incident response processes as a safety net for the controls
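As an added example (not the write-up's own code), the following Python audit supports recommendation 4 and condition 3 in the introduction: it parses MariaDB/MySQL SHOW GRANTS output for an application account, flags global privileges such as FILE (which load_file() requires) together with ALL PRIVILEGES, GRANT OPTION and wildcard hosts, and emits the matching REVOKE statements. The account names, schema name and grant lines are constructed for this example.

```python
import re

# Constructed SHOW GRANTS output for three hypothetical application accounts.
# The statement format follows MariaDB/MySQL; account and schema names are made up.
GRANTS = {
    "webapp_over": [
        "GRANT ALL PRIVILEGES ON *.* TO 'webapp_over'@'%' WITH GRANT OPTION",
    ],
    "webapp_file": [
        "GRANT USAGE ON *.* TO 'webapp_file'@'%'",
        "GRANT FILE ON *.* TO 'webapp_file'@'%'",
        "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'webapp_file'@'%'",
    ],
    "webapp_min": [
        "GRANT USAGE ON *.* TO 'webapp_min'@'10.0.5.%'",
        "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'webapp_min'@'10.0.5.%'",
    ],
}

# Global privileges an application account has no business holding. FILE is what
# load_file() requires, so it is the one that directly enables the DNS channel.
RISKY_GLOBAL = {"FILE", "SUPER", "PROCESS", "ALL PRIVILEGES"}

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<acct>'[^']*'@'[^']*')(?P<rest>.*)$")

def parse_grant(stmt):
    """Split one GRANT statement into (privileges, scope, account, grant_option)."""
    m = GRANT_RE.match(stmt)
    if not m:
        raise ValueError("unrecognised GRANT statement: " + stmt)
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return privs, m.group("scope"), m.group("acct"), "WITH GRANT OPTION" in m.group("rest")

def audit(grant_lines):
    """Findings for one account's SHOW GRANTS output; an empty set means clean."""
    findings = set()
    for stmt in grant_lines:
        privs, scope, acct, grant_opt = parse_grant(stmt)
        if scope == "*.*":  # only global grants carry the risky privileges
            findings |= {"global " + p for p in privs & RISKY_GLOBAL}
        if grant_opt:
            findings.add("grant option")
        if acct.endswith("@'%'"):  # reachable from any host, not just the web tier
            findings.add("host wildcard")
    return findings

def revoke_statements(acct, findings):
    """Remediation for the global-privilege findings (MariaDB/MySQL REVOKE syntax)."""
    return ["REVOKE %s ON *.* FROM %s" % (f[len("global "):], acct)
            for f in sorted(findings) if f.startswith("global ")]
```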
