
Using Alternative Channels

This topic covers four separate alternative channels for blind SQL injection. The basic idea is to package the results of an SQL query in such a way that they can be carried back to the attacker using one of the three alternative channels.

Database Connections

The first alternative channel is specific to Microsoft SQL Server and permits an attacker to create a connection from the victim's database to the attacker's database and carry query data over that connection. This is accomplished using the OPENROWSET command, which can be an attacker's best friend where it is available. For this attack to work, the victim database must be able to open a Transmission Control Protocol (TCP) connection to the attacker's database on the default port 1433.

A typical way to call OPENROWSET is as follows:

We can also use OPENROWSET to transmit data to a foreign database using an INSERT statement:

DNS Exfiltration

DNS has been used both as a marker to find SQL injection vulnerabilities and as a channel on which to carry data.

SQL Server and Oracle both have the ability to directly or indirectly cause a DNS request to be made. Under Oracle, this is possible with the UTL_INADDR package, which has an explicit GET_HOST_ADDRESS function to look up forward entries and a GET_HOST_NAME function to look up reverse entries:

The next example shows how you can extract the database login via an insertion into a predicate:

E-mail Exfiltration

Quite similarly to DNS, e-mails sent using the Simple Mail Transfer Protocol (SMTP) do not require a direct connection between the sender and the recipient. Instead, an intermediate network of mail transfer agents (MTAs), essentially e-mail servers, carries the e-mail on the sender's behalf.

HTTP Exfiltration

HTTP exfiltration is available in databases that provide functionality for querying external Web servers, and it is usable in installations where the database machine has network-layer permission to access Web resources controlled by the attacker.

SQL Server and MySQL do not have default mechanisms for constructing HTTP requests. Oracle has an explicit function and object type by which HTTP requests can be made, provided by the UTL_HTTP package and the HTTPURITYPE object type.

Both methods are granted to PUBLIC, so any database user can execute them. Usage of the functions/object types is as follows:

You can combine this with a blind SQL injection vulnerability to form exploits that combine the data you wish to extract with a request to a Web server you control, using string concatenation:

The REQUEST function supports HTTPS requests, which could aid in hiding outgoing Web traffic. The role of UTL_HTTP/HTTPURITYPE is often underestimated: it is possible to download an entire table with this function by using the proper SQL statement.

Here all usernames and passwords are sent to the attacker's access log.
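Because every channel above is triggered through a database function named in the injected input, the request log of the Web application is a natural place to detect attempts. The following added example (not code from the original text) flags Web requests that name the alternative-channel primitives discussed here: OPENROWSET, UTL_INADDR, UTL_HTTP and HTTPURITYPE. The log format and the sample lines are constructed for the demonstration.

```python
"""Flag Web requests that carry out-of-band SQL injection primitives.
Added example; the log layout and sample lines are constructed."""
import re
from urllib.parse import unquote_plus

# Database functions the text identifies as alternative channels:
# MSSQL OPENROWSET (outbound TCP 1433), Oracle UTL_INADDR (DNS),
# Oracle UTL_HTTP / HTTPURITYPE (HTTP and HTTPS).
OOB_PRIMITIVES = re.compile(
    r"\b(OPENROWSET|UTL_INADDR|UTL_HTTP|HTTPURITYPE)\b", re.IGNORECASE
)
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Constructed log layout: client "METHOD path HTTP/x.y" status
REQUEST_PATH = re.compile(r'"(?:GET|POST) ([^ "]+)')


def normalize(request: str) -> str:
    """Undo common obfuscation layers before matching: up to two rounds
    of URL decoding, inline SQL comment removal, whitespace collapsing."""
    text = request
    for _ in range(2):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = SQL_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text)


def find_oob_primitives(log_lines):
    """Return [(line_number, [primitive, ...])] for every request whose
    path or query string names an alternative-channel function."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_PATH.search(line)
        if not match:
            continue
        found = OOB_PRIMITIVES.finditer(normalize(match.group(1)))
        names = {m.group(1).upper() for m in found}
        if names:
            hits.append((number, sorted(names)))
    return hits


SAMPLE_LOG = [  # constructed sample lines; placeholders elide payload bodies
    '10.0.0.5 "GET /item?id=42 HTTP/1.1" 200',
    '10.0.0.9 "GET /item?id=1%27%20and%20utl_inaddr.get_host_address(%27...%27)%20is%20not%20null-- HTTP/1.1" 200',
    '10.0.0.9 "GET /item?id=1%2527%2520and%2520utl_http/**/.request(%2527...%2527)%2520is%2520not%2520null-- HTTP/1.1" 500',
    '10.0.0.7 "GET /item?id=1%20union%20select%20*%20from%20OpenRowSet(%27...%27)-- HTTP/1.1" 500',
]

if __name__ == "__main__":
    for number, names in find_oob_primitives(SAMPLE_LOG):
        print(f"line {number}: {', '.join(names)}")
```

A match only means the request names one of these functions; the line still needs review, and the corresponding hardening on the database side is the removal of PUBLIC execute grants noted in the text.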
