for blind SQL injection. The basic idea is to package the results of an SQL query in such a way that they can be carried back to the attacker using one of the three alternative channels.
Database Connections
The first alternative channel is specific to Microsoft SQL Server and permits an attacker to create a connection from the victim's database to the attacker's database and carry query data over that connection. This is accomplished using the OPENROWSET command and can be an attacker's best friend where available. For this attack to work, the victim database must be able to open a Transmission Control Protocol (TCP) connection to the attacker's database on the default port 1433.
A typical way to call OPENROWSET is as follows:
We can also use OPENROWSET to transmit data to a foreign database using an INSERT statement:
DNS Exfiltration
DNS has been used both as a marker to find SQL injection vulnerabilities and as a channel on which to carry data.
SQL Server and Oracle both have the ability to directly or indirectly cause a DNS request to be made. Under Oracle, this is possible with the UTL_INADDR package, which has an explicit GET_HOST_ADDRESS function to look up forward entries and a GET_HOST_NAME function to look up reverse entries:
The next example shows how you can extract the database login via an insertion into a predicate:
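From the defender's side, the DNS channel described above leaves a trace: the database host resolves names whose leftmost label is encoded query output. The following is an added example, not part of the original text, that scans constructed dnsmasq-style query log lines and flags lookups from an assumed database address (10.0.0.5) whose first label looks like a hex-encoded payload; the host set, the allowlisted suffixes and the log lines are all assumptions.

```python
import re

# Constructed dnsmasq-style query log lines (sample data, not from the page).
SAMPLE_LOG = """\
Jan 10 10:01:02 dnsmasq[512]: query[A] time.example.net from 10.0.0.5
Jan 10 10:01:03 dnsmasq[512]: query[A] 73797361646d696e.attacker.example from 10.0.0.5
Jan 10 10:01:04 dnsmasq[512]: query[A] 70617373773072642e.attacker.example from 10.0.0.5
Jan 10 10:01:05 dnsmasq[512]: query[A] www.example.com from 10.0.0.9
Jan 10 10:01:06 dnsmasq[512]: query[A] 73797361646d696e.cdn.example from 10.0.0.9
Jan 10 10:01:07 dnsmasq[512]: query[A] cdn.example.com from 10.0.0.5
"""

DB_HOSTS = {"10.0.0.5"}                            # assumed: database server addresses
ALLOWED_SUFFIXES = ("example.com", "example.net")  # assumed: names the DB may resolve

LINE_RE = re.compile(r"query\[(?P<qtype>\w+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{12,}$", re.IGNORECASE)


def parse_line(line):
    """Return (qtype, name, src) for a query line, or None for anything else."""
    m = LINE_RE.search(line)
    return (m["qtype"], m["name"].rstrip(".").lower(), m["src"]) if m else None


def looks_encoded(name):
    """True when the leftmost label resembles a hex-encoded payload or is unusually long."""
    first = name.split(".")[0]
    return bool(HEX_LABEL_RE.match(first)) or len(first) > 40


def in_allowlist(name):
    """True when the name is a known, expected destination for the database host."""
    return any(name == s or name.endswith("." + s) for s in ALLOWED_SUFFIXES)


def scan(log_text, db_hosts=DB_HOSTS):
    """Flag queries from database hosts whose names look like carried data."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        qtype, name, src = rec
        if src in db_hosts and not in_allowlist(name) and looks_encoded(name):
            hits.append({"src": src, "name": name, "qtype": qtype})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h['src']} -> {h['name']} ({h['qtype']})")
```

On the sample above only the two lookups from 10.0.0.5 toward attacker.example are reported; the similar-looking query from 10.0.0.9 is ignored because a database host is the only source of interest here.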
E-mail Exfiltration
Quite similarly to DNS, e-mails sent using Simple Mail Transfer Protocol (SMTP) do not require a direct connection between the sender and recipient.
An intermediate network of mail transfer agents (MTAs), essentially e-mail servers, carries the e-mail on the sender's behalf.
HTTP Exfiltration
HTTP exfiltration is available in databases that provide functionality for querying external Web servers, and it is usable in installations where the database machine has network-layer permission to access Web resources controlled by the attacker.
SQL Server and MySQL do not have default mechanisms for constructing HTTP requests. Oracle has an explicit function and object type by which HTTP requests can be made, provided by the UTL_HTTP package or the HTTPURITYPE object type.
Both are granted to PUBLIC, so any database user can execute them. Usage of the functions/object types is as follows:
You can combine this with a blind SQL injection vulnerability to form exploits that, using string concatenation, combine the data you wish to extract with a request to a Web server you control:
The REQUEST function supports HTTPS requests, which could aid in hiding outgoing Web traffic. The role of UTL_HTTP/HTTPURITYPE is often underestimated: it is possible to download an entire table with this function by using the proper SQL statement.