MySQL Fingerprinting
| Payload | When to Use | Expected Output | Wrong Output |
|---|---|---|---|
SELECT @@version | When we have full query output | MySQL Version ‘i.e. 10.3.22-MariaDB-1ubuntu1’ | In MSSQL it returns MSSQL version. Error with other DBMS. |
SELECT POW(1,1) | When we only have numeric output | 1 | Error with other DBMS |
SELECT SLEEP(5) | Blind/No Output | Delays page response for 5 seconds and returns 0. | Will not delay response with other DBMS |
To pull data from tables using UNION SELECT, we need to properly form our SELECT queries. To do so, we need the following information:
- List of databases
- List of tables within each database
- List of columns within each table
The table SCHEMATA in the INFORMATION_SCHEMA database contains information about all databases on the server. It is used to obtain database names so we can then query them. The SCHEMA_NAME column contains all the database names currently present.
The TABLES table contains information about all tables throughout the database. This table contains multiple columns, but we are interested in the TABLE_SCHEMA and TABLE_NAME columns. The TABLE_NAME column stores table names, while the TABLE_SCHEMA column points to the database each table belongs to.