Database Enumeration

When exploiting a database, this step consists of studying the database and extracting information from it.

There are three main methods of enumeration:

  • Union based

  • Error based

  • Inferential

    • Time based

    • Boolean based

There are a few variables and functions that you can use interchangeably in the query to extract the information you want:

  • db_name() - To extract the database name

  • username() or user() - To extract the username the database runs under

  • @@servername - To extract the server name

  • host_name() - To extract the host name

In order to extract information, you first have to identify a page that takes parameters, uses them to fetch data from the database, and shows the result in the response. Take for example a page that accepts an id and fetches the matching row from the database. The response page may display a number of the columns fetched from that table, or it may display errors returned by the database.

Union Based

In union based enumeration we use the UNION operator to append our own query to the value that we submit.

An important point is that the table may contain more columns than are fetched and displayed.

Our first step is to determine the number of columns that are present.

No. of Columns

The SQL query above sorts the results by the column number given at the end. Increase this number until you hit an error; the last number that worked without an error is the number of columns the table contains.
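The two paragraphs above (the id-lookup page and the column-count step) depend on one application defect: the id is pasted into the statement and the database's own error text reaches the client. The following Python example is added here and is not code from the original page; it builds a constructed in-memory SQLite table (the names `items`, `fetch_item_unsafe`, `fetch_item_safe` and both request handlers are this example's own) and contrasts the vulnerable lookup with a hardened one that validates the id, binds it as a parameter, and returns only a generic message on failure.

```python
"""Vulnerable and hardened versions of an id-lookup page handler (added example)."""
import sqlite3


def make_demo_db():
    # Constructed in-memory table standing in for the page's "relevant row" lookup.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, "widget", "first row"), (2, "gadget", "second row"), (3, "gizmo", "third row")],
    )
    return conn


def fetch_item_unsafe(conn, item_id):
    # The id is interpolated straight into the statement, so whatever the client
    # sends (including an appended ORDER BY or UNION) is parsed as SQL.
    sql = f"SELECT id, name, comment FROM items WHERE id = {item_id}"
    return conn.execute(sql).fetchall()


def fetch_item_safe(conn, item_id):
    # Reject anything that is not an integer, then bind it as a parameter so the
    # engine never parses user input as part of the statement.
    try:
        item_id = int(item_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return conn.execute(
        "SELECT id, name, comment FROM items WHERE id = ?", (item_id,)
    ).fetchall()


def handle_request_unsafe(conn, item_id):
    # Echoing the engine's own error message is what turns a failed probe
    # (e.g. an ORDER BY position past the last column) into usable information.
    try:
        return {"rows": fetch_item_unsafe(conn, item_id), "error": None}
    except sqlite3.OperationalError as exc:
        return {"rows": [], "error": str(exc)}


def handle_request_safe(conn, item_id):
    # Input validation fails closed with a fixed message; no engine text leaves the server.
    try:
        rows = fetch_item_safe(conn, item_id)
    except ValueError:
        return {"rows": [], "error": "invalid id"}
    return {"rows": rows, "error": None if rows else "not found"}


if __name__ == "__main__":
    db = make_demo_db()
    print(handle_request_unsafe(db, "1 ORDER BY 9"))  # leaks the engine's error text
    print(handle_request_safe(db, "1 ORDER BY 9"))    # {'rows': [], 'error': 'invalid id'}
```

The hardened handler does two independent things: the integer check stops non-numeric input before any SQL is built, and the `?` placeholder means that even a numeric-looking value is passed as data. Either alone is an improvement; together they remove both the error-based and the union-based signal the text describes.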

Determine Column No.

The next step is to identify which column numbers are actually displayed on the page, since this matters when we try to extract data from the tables.

We assume that the table contains 3 columns; each displayed column will be marked by its respective number.

Once we know which columns are displayed, we can start placing the necessary queries into the column that has the most space for showing results. For example, if column number 2 holds comments and the page allocates the most display space to it, then the extraction queries can be constructed so that their results appear within this space.

Some examples of queries for extracting information about the database are:

In all the queries mentioned above, the injected query is placed into an integer field, and hence no quote needs to be closed. If the same were applied to a string field, the injected query would have to start with a quote to close the field.

Error Based

A valid SQL query is wrapped inside an expression that is guaranteed to fail, so that the query's result is returned to the client inside the error message.

The following queries can be used:

Method 2:

This is another method, but a slower one:

Having & Group by

HAVING and GROUP BY can be used to perform some basic enumeration of the current database:

Inferential

This method infers information from how the application responds to the submitted queries rather than from data displayed directly. Boolean based injection returns the expected page when the injected condition is true and a different page when it is false. Time based injection instead includes a condition that makes the database wait for a fixed time when true and return immediately when false, so the response delay carries the answer.

Boolean

Time
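All four methods above leave a recognisable trail in web server logs: a client walking ORDER BY positions upward, UNION SELECT with the metadata functions listed at the top of the page, HAVING or GROUP BY in a parameter, paired true/false conditions, and delay statements. The following Python detector is added here and is not part of the original page; it runs over constructed "combined" format access log lines (the addresses, paths and timestamps are invented), decodes each query string, and reports which enumeration pattern each request matches, plus a per-client aggregate for column-count probing. The rule names, the `WAITFOR DELAY`/`SLEEP(` signatures and the probe threshold are this example's own choices.

```python
"""Flag SQL-injection enumeration probes in web access logs (added example)."""
import re
from collections import defaultdict, namedtuple
from urllib.parse import unquote_plus

# Constructed sample log lines; one benign client (10.0.0.5), one probing client
# (10.0.0.9), and a benign search containing the word "union" (10.0.0.7).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1%20ORDER%20BY%201 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1%20ORDER%20BY%202 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=1%20ORDER%20BY%203 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=1%20ORDER%20BY%204 HTTP/1.1" 500 233
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /item.php?id=1%20UNION%20SELECT%201,db_name(),3 HTTP/1.1" 200 600
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /item.php?id=1%20AND%201=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /item.php?id=1%20AND%201=2 HTTP/1.1" 200 318
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /item.php?id=1;WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:10 +0000] "GET /search.php?q=union%20station HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+)"
)

# One rule per enumeration style described on the page.  Each regex is applied
# to the URL-decoded query string, so encoding does not hide the keywords.
RULES = [
    ("union_based", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
    ("db_metadata", re.compile(r"\b(db_name|user|host_name|username)\s*\(|@@servername", re.I)),
    ("error_based_grouping", re.compile(r"\bHAVING\b|\bGROUP\s+BY\b", re.I)),
    ("boolean_based", re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("time_based", re.compile(r"\bWAITFOR\s+DELAY\b|\bSLEEP\s*\(", re.I)),
]
ORDER_BY_RE = re.compile(r"\bORDER\s+BY\s+(\d+)", re.I)

Finding = namedtuple("Finding", "line ip rule")  # line is None for per-client aggregates


def parse_line(line):
    """Split one combined-format line into fields; query string is URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)
    rec["status"] = int(rec["status"])
    return rec


def scan_log(text, order_by_threshold=3):
    """Return a list of Finding for every matched rule and aggregate probe."""
    findings = []
    order_by_probes = defaultdict(set)  # client ip -> distinct ORDER BY positions tried
    for lineno, line in enumerate(text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        query = rec["query"]
        for name, rx in RULES:
            if rx.search(query):
                findings.append(Finding(lineno, rec["ip"], name))
        m = ORDER_BY_RE.search(query)
        if m:
            order_by_probes[rec["ip"]].add(int(m.group(1)))
    # Column-count probing is only visible across requests: a single client
    # trying several different ORDER BY positions on the same application.
    for ip, positions in order_by_probes.items():
        if len(positions) >= order_by_threshold:
            findings.append(Finding(None, ip, "order_by_column_probe"))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The single-request rules are deliberately narrow (UNION must be followed by SELECT, metadata names must be called as functions) so that ordinary text such as "union station" is not flagged, while the ORDER BY aggregate catches the column-count walk that no individual line reveals.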
