Database Enumeration
Last updated
Last updated
SQLMap keeps a list of XML files for all the possible queries it uses:
Usually, after a successful detection of an SQLi vulnerability, we can begin the enumeration of basic details from the database, such as the hostname of the vulnerable target (--hostname
), current user's name (--current-user
), current database name (--current-db
), or password hashes (--passwords
). SQLMap will skip SQLi detection if it has been identified earlier and directly start the DBMS enumeration process.
Enumeration usually starts with the retrieval of the basic information:
Database version banner (switch --banner
)
Current user name (switch --current-user
)
Current database name (switch --current-db
)
Checking if the current user has DBA (administrator) rights (switch --is-dba
)
In most common scenarios, after finding the current database name (i.e. testdb
), the retrieval of table names would be by using the --tables
option and specifying the DB name with -D testdb
, is as follows:
After spotting the table name of interest, retrieval of its content can be done by using the --dump
option and specifying the table name with -T users
, as follows:
When dealing with large tables with many columns and/or rows, we can specify the columns (e.g., only name
and surname
columns) with the -C
option, as follows:
To narrow down the rows based on their ordinal number(s) inside the table, we can specify the rows with the --start
and --stop
options (e.g., start from 2nd up to 3rd entry), as follows:
If there is a requirement to retrieve certain rows based on a known WHERE
condition (e.g. name LIKE 'f%'
), we can use the option --where
, as follows:
Instead of retrieving content per single-table basis, we can retrieve all tables inside the database of interest by skipping the usage of option -T
altogether (e.g. --dump -D testdb
). By simply using the switch --dump
without specifying a table with -T
, all of the current database content will be retrieved. As for the --dump-all
switch, all the content from all the databases will be retrieved.
In such cases, a user is also advised to include the switch --exclude-sysdbs
(e.g. --dump-all --exclude-sysdbs
), which will instruct SQLMap to skip the retrieval of content from system databases, as it is usually of little interest for pentesters.
If we wanted to retrieve the structure of all of the tables so that we can have a complete overview of the database architecture, we could use the switch --schema
:
When dealing with complex database structures with numerous tables and columns, we can search for databases, tables, and columns of interest, by using the --search
option. This option enables us to search for identifier names by using the LIKE
operator. For example, if we are looking for all of the table names containing the keyword user
, we can run SQLMap as follows:
We could also have tried to search for all column names based on a specific keyword (e.g. pass
):
Once we identify a table containing passwords (e.g. master.users
), we can retrieve that table with the -T
option, as previously shown:
We can see in the previous example that SQLMap has automatic password hashes cracking capabilities. Upon retrieving any value that resembles a known hash format, SQLMap prompts us to perform a dictionary-based attack on the found hashes.
Hash cracking attacks are performed in a multi-processing manner, based on the number of cores available on the user's computer. Currently, there is an implemented support for cracking 31 different types of hash algorithms, with an included dictionary containing 1.4 million entries
Apart from user credentials found in DB tables, we can also attempt to dump the content of system tables containing database-specific credentials (e.g., connection credentials). To ease the whole process, SQLMap has a special switch --passwords
designed especially for such a task: