Web applications have to store user data so that, when you log in, they can restore your session, settings, etc. Where else would they hold this information but a relational database queried with SQL? Using SQL, however, increases the attack surface of a web application and allows us to do a bunch of nasty things once we can inject SQL queries and commands. This section covers some common techniques to enumerate a target’s SQL server, given that we have the ability to inject commands and queries.

Enumerating MySQL databases

The following enumeration techniques also apply to MariaDB.

Get the version of the MySQL server:

select version();

Get the current user:

select current_user();

Get the databases in the MySQL server:

show databases;

Get a list of all table schemas in the MySQL server:

select table_schema from information_schema.tables group by table_schema;

Get a list of all tables with a certain table schema:

select table_name from information_schema.tables where table_schema = 'app';

Get a list of columns and their data types for a table:

select column_name, data_type from information_schema.columns where table_schema = 'app' and table_name = 'menu';

Enumerating Microsoft SQL Server databases

Get the version of the Microsoft SQL server:

select @@version;

Get the current user:

select SYSTEM_USER;

Get the databases in the Microsoft SQL server:

select name from sys.databases;

Get a list of all tables in a database in the Microsoft SQL server:

select * from app.information_schema.tables;

Get a list of columns and their data types for a table:

select COLUMN_NAME, DATA_TYPE from app.information_schema.columns where TABLE_NAME = 'menu';

Enumerating PostgreSQL databases

PostgreSQL is similar to MySQL, so we’ll just cover some minor differences.

Get the current user (unlike MySQL, PostgreSQL takes no parentheses here):

select current_user;

Get the databases in the PostgreSQL server:

select datname from pg_database;

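Get a list of all tables with a certain table schema (PostgreSQL only accepts the database qualifier, here app, when it is the database you are currently connected to):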

select table_name from app.information_schema.tables where table_schema = 'public';

Get a list of columns and their data types for a table:

select column_name, data_type from app.information_schema.columns where table_name = 'menu';

Enumerating Oracle databases

Get the version of the Oracle server:

select * from v$version

Get the current user:

select user from dual

Get a list of all schemas in the Oracle server:

select owner from all_tables group by owner

Get a list of all tables matching a schema in the Oracle server:

select table_name from all_tables where owner = 'SYS' order by table_name

Get a list of columns and their data types for a table:

select column_name, data_type from all_tab_columns where table_name = 'MENU'
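
Every query above reads from a small set of catalog objects and built-in functions, so the same list works as a detection signature for database query logs. The following is an added example, not part of the original page: it classifies logged statements by what they enumerate and flags sessions that touch more than one category. The log format (session id, tab, statement), the session names and the menu columns name and price are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Catalog objects and functions queried by the statements on this page,
# grouped by what each one reveals. Matching is case-insensitive.
SIGNATURES = {
    "version": [r"\bversion\s*\(\s*\)", r"@@version\b", r"\bv\$version\b"],
    "current_user": [r"\bcurrent_user\b", r"\bsystem_user\b", r"\bselect\s+user\s+from\s+dual\b"],
    "databases": [r"\bshow\s+databases\b", r"\bsys\s*\.\s*databases\b", r"\bpg_database\b"],
    "tables": [r"\binformation_schema\s*\.\s*tables\b", r"\ball_tables\b"],
    "columns": [r"\binformation_schema\s*\.\s*columns\b", r"\ball_tab_columns\b"],
}
COMPILED = {k: [re.compile(p, re.I) for p in v] for k, v in SIGNATURES.items()}

def normalize(sql):
    """Drop SQL comments and collapse whitespace so formatting cannot hide a match."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return re.sub(r"\s+", " ", sql).strip()

def classify(sql):
    """Return the sorted enumeration categories a single statement falls into."""
    text = normalize(sql)
    return sorted(k for k, pats in COMPILED.items() if any(p.search(text) for p in pats))

def flag_sessions(log_lines, threshold=2):
    """Flag sessions whose statements cover at least `threshold` distinct categories."""
    seen = defaultdict(set)
    for line in log_lines:
        session, _, sql = line.partition("\t")
        seen[session].update(classify(sql))
    return {s: sorted(c) for s, c in seen.items() if len(c) >= threshold}

# Constructed sample log: "<session id>\t<statement>" (format is an assumption).
SAMPLE_LOG = [
    "web-17\tselect version();",
    "web-17\tselect table_name from information_schema.tables where table_schema = 'app';",
    "web-17\tselect column_name, data_type from information_schema.columns where table_schema = 'app' and table_name = 'menu';",
    "web-22\tselect name, price from menu where id = 9;",
    "batch-3\tselect version();",
]

if __name__ == "__main__":
    for session, categories in flag_sessions(SAMPLE_LOG).items():
        print(session, categories)
```

Application accounts rarely need to read catalog metadata at runtime, so a web-facing session that covers several categories in a short window is worth an alert; single hits such as a health check calling version() stay below the threshold.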