Usually, whenever we are auditing a web application with a poorly programmed backend, we might find SQL Injection vulnerabilities. We will mainly encounter Blind, Error-based or -if we get lucky- Union-based injections. However, it is not quite usual to find an SQLi out-of-band vulnerability.
These do not only rely on a vulnerable application, but also on being able to exfiltrate information from a different band than the website.
The fact that the results are sent through a completely different way, along with the variety of shapes that these may take; makes it quite difficult to use automated tools to exploit these kinds of vulnerabilities. Even so, in situations where the server responses are not stable or are too unreliable, it might be worth trying to exfiltrate information this way.
As an example, lets take a look at an injection found in an audit I performed recently.
This time, the vulnerability was quite weird, as the name of the parameter was sql*** –which shouted injection from miles away- but the website itself wasn’t either returning any errors nor being affected by time-based techniques. Yet, our best friend Burp active scan seemed convinced that an SQLi was going on at that specific parameter.
[Read more…]