On a recent capture-the-flag event, I came across a web app that had a somewhat troublesome SQL injection vulnerability. Identifying that the query was vulnerable was easy enough, but fingerprinting the underlying database was troublesome. No matter what I tried to do to find the version or even just identify tables, usernames, etc. using standard MySQL and PostgreSQL queries and tables, I kept getting errors.
Eventually, it occurred to me to try sqlite, which is what it turned out to be. The really frustrating thing was a most of the sql injection references I found didn’t deal with sqlite, and developer tips for finding database metadata focused on using commands in the sqlite command-line tool, rather than SQL queries. Eventually I found a post on stackoverflow that gave me the SQL I needed to find the data I was looking for.
Finding the sqlite version:
Finding tables and columns:
SELECT name FROM sqlite_master WHERE type = ‘table’;