Loopus



SQLi Challenge


Learning Objectives

  • Understand out-of-band SQL injection
  • Use automated SQL injection tools
  • Write custom SQL injection scripts

Advanced SQL Injection Techniques

Beyond basic, blind, and union-based techniques lie advanced methods for complex scenarios. Out-of-band exfiltration, automated exploitation, and custom scripting enable SQL injection exploitation in challenging environments.

Out-of-Band Exfiltration

When direct data return and timing-based techniques both fail, out-of-band exfiltration provides another option. The strategy uses database functionality to send data to attacker-controlled systems through channels other than the web response.

DNS exfiltration leverages database functions that perform DNS lookups. Concatenating extracted data into DNS queries sends that data to your DNS server. If the database can make DNS queries to arbitrary destinations, you can extract data character by character through captured DNS logs.

HTTP exfiltration uses similar principles through web requests. Database functions that fetch URLs can send extracted data as URL parameters to attacker-controlled web servers. Reviewing access logs reveals the extracted data.

Multiple database platforms support out-of-band channels, but specific functions vary. SQL Server's xp_dirtree and xp_fileexist can trigger SMB and DNS traffic. Oracle's UTL_HTTP package enables HTTP requests. MySQL's LOAD_FILE can sometimes be leveraged for outbound connections.
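From the defender's side, the DNS channel described above leaves a recognisable trace: one client issuing many distinct, encoded-looking subdomains under a single parent domain. The following Python is an added example (not part of the Loopus lesson) that flags that pattern in a constructed DNS query log; the log format, the hex-label heuristic, the two-label "parent domain" rule and the threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log: "time client queried_name" (not a real log format).
SAMPLE_DNS_LOG = """\
12:00:01 10.0.0.5 www.example.com
12:00:02 10.0.0.5 64656d6f5f6462.oob.attacker-example.net
12:00:02 10.0.0.5 74626c5f6f6e65.oob.attacker-example.net
12:00:03 10.0.0.7 deadbeef0123.cdn.example.com
12:00:04 10.0.0.5 636f6c5f7831.oob.attacker-example.net
"""

# A leading label made only of hex digits is the typical shape of an encoded chunk.
HEX_LABEL = re.compile(r"^[0-9a-f]{6,}$")


def parent_domain(qname, levels=2):
    """Parent domain = last `levels` labels (assumption; use a public-suffix list in production)."""
    return ".".join(qname.split(".")[-levels:])


def flag_oob_dns(log_text, min_unique_labels=3):
    """Return {(client, parent_domain): sorted hex labels} for every client that sent
    at least `min_unique_labels` distinct hex-looking subdomains under one parent."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip blank or malformed lines
            continue
        _, client, qname = parts
        qname = qname.rstrip(".").lower()
        leading = qname.split(".")[0]
        if HEX_LABEL.match(leading):
            seen[(client, parent_domain(qname))].add(leading)
    # A single hex-looking hostname (CDN asset, cache-buster) stays below the threshold.
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_unique_labels}


def decode_hex_labels(labels):
    """Best-effort decode of flagged labels so an analyst can scope what left the database."""
    decoded = []
    for label in labels:
        try:
            decoded.append(bytes.fromhex(label).decode("ascii", errors="replace"))
        except ValueError:  # odd length or non-hex characters
            decoded.append("?")
    return decoded


if __name__ == "__main__":
    for (client, domain), labels in flag_oob_dns(SAMPLE_DNS_LOG).items():
        print(client, domain, decode_hex_labels(labels))
```

The same shape of check applies to the HTTP variant by grouping outbound web requests from the database host by destination and counting distinct parameter values.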

SQLMap Mastery

SQLMap automates SQL injection detection and exploitation. Understanding its capabilities and options enables effective use while avoiding common mistakes.

Target specification accepts URLs with vulnerable parameters, request files captured from Burp, or custom HTTP request configurations. The tool detects injection points and determines backend database type.

Enumeration options extract database structure and content. Tables, columns, and data can be dumped systematically. The scope can target specific databases or enumerate everything accessible.

Tamper scripts modify payloads to bypass filters. Available scripts encode, obfuscate, or transform payloads. Custom scripts can be written for specific filter bypass scenarios.

Performance tuning affects speed and detectability. Threading controls request rate. Delay options add pauses between requests. Timeout settings handle slow responses.

Custom Exploitation

When tools fail, custom scripts provide flexibility. Understanding underlying techniques enables writing exploitation code for specific scenarios.

Python with the requests library provides a foundation for custom SQL injection scripts. Building extractor functions that iterate through characters, testing conditions, and reconstructing data enables bespoke exploitation.

Error handling and retry logic improve reliability. Database connections drop, requests time out, and network issues occur. Robust scripts handle these gracefully.

Efficiency optimizations speed extraction. Binary search for characters improves on linear testing. Parallel requests can sometimes accelerate extraction without triggering rate limiting.

Answer the Questions

Question 1 (Knowledge)

What appliance blocks SQLi attacks?

Format: *** (3 chars). Exact match required.

Question 2 (Hands-On)

What technique bypasses basic filters?

Format: ******** (8 chars). Exact match required.

Question 3 (Knowledge)

What SQLi executes stored malicious data?

Format: ****** ***** (12 chars). Exact match required.

Question 4 (Hands-On)

What acts as proof of compromise?

Format: **** (4 chars). Exact match required.