Enumerate Databases on a Target Server with sqlmap


Introduction

In this lab, you will learn how to use sqlmap to enumerate databases on a target server. Database enumeration is a crucial step in the penetration testing process: it reveals the names of the databases hosted on a server that is reachable through a SQL injection vulnerability. sqlmap automates this process, making it efficient and straightforward. We will start by confirming a successful injection from a previous scan (simulated), then use the --dbs flag to list all databases, execute the command, interpret the results, and finally differentiate between system and user databases.

Confirm a Successful Injection from a Previous Scan

In this step, we will simulate confirming a successful SQL injection from a previous scan. Before enumerating databases, it's essential to ensure that the target URL is indeed vulnerable to SQL injection and that sqlmap can successfully exploit it. For the purpose of this lab, we will assume a previous scan has identified a vulnerable URL. We will use a placeholder URL to demonstrate the sqlmap command structure.

Open your terminal in the ~/project directory.

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --banner

This command uses sqlmap to connect to the specified URL and attempts to retrieve the database banner (the DBMS version string). A successful banner retrieval shows that the injection works and that sqlmap can read data back from the database.

Example output:

        _
       ___ ___ ___ ___
      |_ -| . | . | . |
      |___|_  |_  |_  |
        |_|   |_|   |_|   3.7-1#stable

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. You are responsible for your own actions.
    [!] do you want to enable full support for HTTP(S) proxy? [y/N] N
    [!] do you want to resume the previous session? [Y/n/q] n

    ... (truncated output) ...

    web server operating system: Linux Debian
    web application technology: Apache 2.2.14, PHP 5.3.2
    back-end DBMS: MySQL >= 5.0.12
    banner: '5.1.73-0ubuntu0.10.04.1'

The banner line in the output confirms that sqlmap was able to successfully interact with the database and retrieve its version information, indicating a successful injection.

Use the --dbs Flag to List All Databases

In this step, we will learn about the --dbs flag in sqlmap, which is specifically used to enumerate and list all available databases on the target server. This flag is essential for discovering the names of databases that might contain sensitive information.

The --dbs flag tells sqlmap to perform database enumeration. Once sqlmap has exploited a SQL injection vulnerability, it uses that injection to query the database server for the list of databases visible to the account the web application connects with.

The command structure will be similar to the previous step, but with the addition of --dbs:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs

This command will instruct sqlmap to identify and list all databases accessible through the SQL injection vulnerability at the given URL.

Execute the Database Enumeration Command

In this step, we will execute the sqlmap command with the --dbs flag to enumerate the databases. This is the core action of this lab.

Execute the following command in your terminal:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs

sqlmap will now perform its tests and, if successful, will output a list of database names. This process might take some time as sqlmap performs various injection techniques.

Example output:

        _
       ___ ___ ___ ___
      |_ -| . | . | . |
      |___|_  |_  |_  |
        |_|   |_|   |_|   3.7-1#stable

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. You are responsible for your own actions.
    [!] do you want to enable full support for HTTP(S) proxy? [y/N] N
    [!] do you want to resume the previous session? [Y/n/q] n

    ... (truncated output) ...

    available databases [4]:
    [*] information_schema
    [*] mysql
    [*] performance_schema
    [*] acuart

The output shows sqlmap's progress and, eventually, a list of "available databases". In this example, information_schema, mysql, performance_schema, and acuart are listed.

Interpret the List of Returned Database Names

In this step, we will interpret the list of database names returned by sqlmap. Understanding what these names represent is crucial for further penetration testing steps.

From the previous step's output, you might have seen a list similar to this:

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] acuart

Each [*] item represents a database found on the target server.

  • information_schema: This is a standard database in MySQL (and other SQL databases) that provides access to database metadata. It contains information about all other databases, tables, columns, and access privileges. It's a system database.
  • mysql: This is another standard system database in MySQL that stores information required for the MySQL server to operate. It contains user accounts, privileges, and other server configuration data.
  • performance_schema: This is a system database in MySQL used for monitoring MySQL server execution at a low level. It provides insights into server performance.
  • acuart: This is likely a user-created database, specific to the web application running on the server. This is often the database that contains the application's data, such as user credentials, product information, or other sensitive business data.

Identifying user-created databases like acuart is often the primary goal, as these are more likely to contain valuable information for an attacker.

Differentiate System Databases from User Databases

In this final step, we will explicitly differentiate between system databases and user databases based on the enumeration results. This distinction is important for prioritizing your next steps in a penetration test.

As observed in the previous step, databases like information_schema, mysql, and performance_schema are typically system-level databases. They are part of the database management system's core functionality and usually contain metadata, user accounts for the DBMS itself, and performance statistics. While they can sometimes be exploited, they rarely contain the application-specific sensitive data that attackers are often looking for.

On the other hand, databases with names that are not standard system names (e.g., acuart in our example, or webapp_db, users, products, etc.) are usually user-created databases. These databases store the actual data of the web application, such as:

  • User credentials (usernames, hashed passwords)
  • Customer information
  • Product catalogs
  • Financial records
  • Other proprietary business data

When performing a penetration test, after enumerating databases, your focus should shift to these user-created databases. The next logical step would be to enumerate tables within these user databases, then columns within those tables, and finally, dump the data.

By understanding this distinction, you can efficiently target your subsequent sqlmap commands to extract the most valuable information. For instance, to enumerate tables in the acuart database, you would use a command like:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --tables

This command demonstrates how you would proceed to the next stage of data extraction, focusing on the identified user database.
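As an added example (not part of the lab), a small Python helper that parses the "available databases" block shown above, checks that the declared count matches the items found, and separates built-in MySQL schemas from application databases. The list of system schemas and the inclusion of "sys" are assumptions; the sample text is constructed from the lab output.

```python
import re
# MySQL built-in schemas; anything else is treated as application-created.
# "sys" is an assumption: it ships with MySQL 5.7+ but is not in the lab output.
MYSQL_SYSTEM_DBS = frozenset({"information_schema", "mysql", "performance_schema", "sys"})

# Constructed sample: the tail of the sqlmap --dbs output shown in the lab.
SAMPLE_OUTPUT = """\
    ... (truncated output) ...

    available databases [4]:
    [*] information_schema
    [*] mysql
    [*] performance_schema
    [*] acuart
"""

HEADER_RE = re.compile(r"^\s*available databases \[(\d+)\]:\s*$")
ITEM_RE = re.compile(r"^\s*\[\*\]\s+(\S+)\s*$")

def parse_databases(output):
    """Return the database names listed in the 'available databases' block.

    Raises ValueError if the block is missing or the declared count does not
    match the number of [*] items that follow it (a sign of truncated output).
    """
    lines = output.splitlines()
    names, expected = [], None
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if not m:
            continue
        expected = int(m.group(1))
        for item in lines[i + 1:]:   # items end at the first non-[*] line
            im = ITEM_RE.match(item)
            if not im:
                break
            names.append(im.group(1))
        break
    if expected is None:
        raise ValueError("no 'available databases' block found")
    if expected != len(names):
        raise ValueError(f"declared {expected} databases, parsed {len(names)}")
    return names

def classify(names, system_dbs=MYSQL_SYSTEM_DBS):
    """Split names into (system, user) lists, preserving sqlmap's order."""
    system = [n for n in names if n.lower() in system_dbs]
    user = [n for n in names if n.lower() not in system_dbs]
    return system, user
```

Feeding a saved sqlmap log into parse_databases and classify gives a quick list of the application databases worth reviewing in a test report.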

Summary

In this lab, you have successfully learned how to enumerate databases on a target server using sqlmap. You started by understanding the importance of confirming a successful SQL injection. Then, you used the --dbs flag to list all available databases and executed the command to see the results. Finally, you learned to interpret the returned database names, distinguishing between system databases and potentially more valuable user-created databases. This skill is fundamental for any penetration tester looking to extract information from vulnerable web applications.