Introduction
In the realm of cybersecurity, understanding database structures is a critical step in assessing the security posture of web applications. SQL injection vulnerabilities can expose sensitive information, and tools like sqlmap are indispensable for automating the discovery and exploitation of such flaws.
This lab focuses on a specific, yet crucial, aspect of sqlmap's capabilities: enumerating tables within a database. After identifying potential SQL injection points and listing available databases, the next logical step is to delve deeper into a specific database to understand its table structure. This knowledge is vital for further exploitation, such as dumping sensitive data from specific tables.
By the end of this lab, you will be proficient in using sqlmap to target a particular database and list all its associated tables, a fundamental skill for any penetration tester or security enthusiast.
Select a Target Database from the Enumerated List
In this step, we will simulate having previously enumerated databases and select one to focus on. In a real-world scenario, you would have already run sqlmap with the --dbs flag to list all available databases. For this lab, we will assume you have identified a database named acuart as your target.
First, let's ensure sqlmap is available. If it's not installed, you can install it using sudo apt update && sudo apt install sqlmap -y.
We will use a known vulnerable URL as our target. For demonstration purposes, we'll use http://testphp.vulnweb.com/listproducts.php?cat=1.
To begin, let's list the databases available on our target. This command will take some time to run as sqlmap performs its checks.
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs
You will see output similar to this, listing the databases:
---
[INFO] fetching database names
[INFO] the back-end DBMS is MySQL
...
available databases [X]:
[*] acuart
[*] information_schema
[*] mysql
[*] performance_schema
...
From this list, we will choose acuart for further enumeration.
Use the -D Flag to Specify the Database
In this step, we will learn how to tell sqlmap which specific database we want to interact with. This is achieved using the -D (or --db) flag, followed by the name of the database.
Continuing from the previous step, where we identified acuart as our target database, we will now instruct sqlmap to focus its operations on this particular database.
The general syntax for specifying a database is:
sqlmap -u "TARGET_URL" -D "DATABASE_NAME" [OTHER_FLAGS]
For our lab, we will use acuart as the database name. We are not yet listing tables, just setting the context for sqlmap.
Execute the following command in your terminal:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --current-db
This command will tell sqlmap to target the acuart database and then attempt to identify the current database it's connected to, confirming our selection. The output will confirm that acuart is the database being targeted.
---
[INFO] fetching current database
...
current database: 'acuart'
...
Use the --tables Flag to List Tables
Now that we have specified the target database using the -D flag, the next logical step is to list the tables within that database. This is where the --tables flag comes into play.
The --tables flag instructs sqlmap to enumerate all tables present in the currently selected database. When combined with the -D flag, it provides a powerful way to map out the structure of a specific database.
The general syntax for listing tables in a specific database is:
sqlmap -u "TARGET_URL" -D "DATABASE_NAME" --tables
For our lab, we will combine the target URL, the acuart database, and the --tables flag.
Execute the following command in your terminal:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --tables
This command will initiate the process of sqlmap identifying and listing all tables within the acuart database. This operation might take some time depending on the complexity and size of the database.
Execute the Command to Enumerate Tables
In this step, we will execute the full sqlmap command that combines all the flags we've learned so far to enumerate tables from our specific target database.
We will use the target URL http://testphp.vulnweb.com/listproducts.php?cat=1, specify the database acuart using -D acuart, and instruct sqlmap to list its tables using --tables.
Open your terminal and execute the following command:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --tables
sqlmap will now perform its checks and attempt to retrieve the table names. You will see various [INFO] messages as sqlmap progresses through its tests.
After some time, sqlmap will present a list of tables found within the acuart database. The output will look similar to this:
---
[INFO] fetching tables for database 'acuart'
...
Database: acuart
[X] articles
[X] carts
[X] categories
[X] guestbook
[X] pictures
[X] products
[X] users
...
This output confirms that sqlmap successfully enumerated the tables within the acuart database.
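Seen from the server side, the enumeration run above leaves a recognizable trail in the web access log. The following detection sketch is an added example, not part of the original lab or of sqlmap. It assumes combined-format access logs, a MySQL back end (where database, table and column names are read from information_schema views) and sqlmap's default User-Agent string; the log lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: client IP, request target and User-Agent are captured.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

# information_schema view -> enumeration stage it indicates on MySQL
STAGES = {
    "schemata": "database-enumeration",  # what --dbs reads
    "tables": "table-enumeration",       # what -D <db> --tables reads
    "columns": "column-enumeration",     # what --columns reads
}
SCHEMA_REF = re.compile(r"information_schema\s*\.\s*`?(schemata|tables|columns)\b", re.I)

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2025:10:00:05 +0000] "GET /listproducts.php?cat=1%20AND%204821%3D4821 HTTP/1.1" 200 5120 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
198.51.100.9 - - [01/Jan/2025:10:00:09 +0000] "GET /listproducts.php?cat=1%20UNION%20ALL%20SELECT%20schema_name%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20- HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2025:10:00:12 +0000] "GET /listproducts.php?cat=1%20UNION%20ALL%20SELECT%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema%3D%27acuart%27--%20- HTTP/1.1" 200 710 "-" "Mozilla/5.0"
"""

def scan(log_text):
    """Return {client_ip: sorted list of signals} for requests that look like enumeration."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, target, agent = m.groups()
        # URL-decode the query string so encoded keywords become matchable.
        query = unquote_plus(target.partition("?")[2])
        signals = {STAGES[view.lower()] for view in SCHEMA_REF.findall(query)}
        # The User-Agent is client-controlled, so treat it as one extra signal only.
        if "sqlmap" in agent.lower():
            signals.add("sqlmap-user-agent")
        if signals:
            hits.setdefault(ip, set()).update(signals)
    return {ip: sorted(found) for ip, found in hits.items()}

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(found))
```

Access logs record only the request line, so the same queries sent in a POST body or a header will not appear here; covering those takes WAF or database query logging.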
Analyze the Returned List of Table Names
In this final step, we will analyze the output from the previous sqlmap command. Understanding the returned list of table names is crucial for planning subsequent exploitation steps.
When sqlmap successfully enumerates tables, it presents them in a clear, organized list. For the acuart database, you should have seen tables like articles, carts, categories, guestbook, pictures, products, and users.
Each of these table names provides a clue about the data stored within the database. For instance:
users: This table is highly likely to contain user credentials (usernames, passwords, emails), which are often a primary target for attackers.
products: This table would contain information about the products sold on the website.
articles, guestbook, categories: These tables likely hold content-related data.
The presence of a users table is particularly significant, as it often contains sensitive information. In a real penetration test, your next step would typically be to enumerate the columns within the users table (using --columns) and then dump the data from those columns (using --dump).
This lab has equipped you with the fundamental skill of enumerating tables from a specific database using sqlmap, a critical step in any SQL injection assessment.
Summary
In this lab, you have successfully learned how to enumerate tables from a specific database using sqlmap. You started by understanding the importance of selecting a target database, then utilized the -D flag to specify it, and finally employed the --tables flag to list all associated tables.
You executed the complete sqlmap command to perform the enumeration and analyzed the returned list of table names, understanding their potential significance in a security assessment. This skill is a foundational element in the process of identifying and exploiting SQL injection vulnerabilities, allowing you to map out database structures and plan further data extraction.
By mastering this technique, you are now better equipped to navigate and understand the underlying data structures of web applications, a crucial step in any penetration testing engagement.
