Enumeration with practical examples from SQLMap

SQLMap – http://sqlmap.sourceforge.net/

SQLMap is an open source and free automatic SQL injection and database takeover tool. I’ve found it extremely usefull for doing blind SQL injection as it is normally extremely tedious work to get it done quickly. However for this article I will only cover the enumeration function.

SQLMap in action

SQLMap in action

Enumeration explained

To quote Wikipedia’s article on enumeration it is described as this:

The broadest and most abstract definition of an enumeration of a set is an exact listing of all of its elements (perhaps with repetition).

Summed up it basically  means you via some exercise, extract all the available data you need from a system of some sort. Examples of this can be:

  • Fetching all available databases, tables and columns from a database. (Which I am going to demonstrate in this article)
  • Figuring out all files in a file system via. i.e. local file disclosure vulnerability.
  • Enumerating the network, figuring out all the networks and associated devices.
  • Identifying user accounts on a system.

The enumeration process is usually present in any penetration test, however it may occur in different phases of the testing. Enumerating the network usually occurs in the discovery phase of the test, and is often directly related to fingerprinting process of a penetration test.

Listing all users on a Windows system with net view

Taken from http://www.aircrack-ng.org/doku.php?id=airodump-ng

Finding all wireless access points with airodump-ng

Enumerating databases with SQLMap

The natural place to start when trying out any tool is the manual, which usually contains good information on how to operate the tool. I strongly encourage you to read the manual before using commands that others have created. It will make sure you know what you are doing and is very good for learning too.

Reading the SQLMap manual under the enumeration topic provides me with the following command line options (as of 11.05.2012):

  • –dbs – List databases
  • –tables – List tables
  • –columns – List columns
  • –users – List users
  • –passwords – List and crack DBMS passwords
  • –roles – List user roles
  • –privileges – List user privileges
  • –dump to dump table entries

There is also a lot of other good information in the manual, so I suggest reading over it if you have more questions about flags and parameters the tool takes.

The vulnerable code

The code we are testing on is a simple PHP script that retrieves records from a database based on the supplied username. This is typical code we see all across the internet, hopefully then with proper sanitation.

Line 3 is the code with the vulnerability. It should be a prepared statement and include proper filtering, preferably a whitelist of allowed input values.

Running SQLMap

With the code running on a webserver we are now ready to launch SQLMap. In this example we are only enumerating the different databases on the server. Look in the manual for more examples.

As the result of this command we can see 4 different database. Information_schema and mysql databases are both default databases in MySQL.


One thing we know for sure is that we can never be 100% secure, and if you ever have to respond to an SQL injection incident. In many cases you can see a cascading effect in the log files as a result of the enumeration however this is not present in this example. Here is output from the log files to show you how it may look like:


[important]This post is inspired by my answer at Security StackExchange, answering the question Testing SQL injection using sqlmap.[/important]