Enumerating Database Files: A Key Step in Web App Penetration Testing

When testing web applications, one of the most revealing steps for a penetration tester or a malicious actor is database file enumeration. It’s that quiet but crucial phase where an attacker tries to locate, identify, and understand the structure of backend databases.

Why? Because once the attacker knows what database exists and where it’s stored, it becomes far easier to plan the next move, whether that’s data extraction, privilege escalation, or persistence.

What Does “Enumerating Database Files” Mean?

Enumeration is about gathering intelligence.
In this context, it means identifying database types (like MySQL, MSSQL, Oracle, or PostgreSQL), configuration files, and physical storage paths.

For example, through directory traversal vulnerabilities, misconfigured servers, or verbose error messages, an attacker might discover something like:

C:\xampp\mysql\data\customerdb\users.frm

/var/lib/mysql/orders.ibd

C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\

These paths reveal both database technology and structure, giving away how the system stores and organizes critical information.

Common Enumeration Techniques

  1. Error Message Disclosure
    Web apps sometimes expose database errors that reveal internal paths or configurations.
    Example:

Warning: mysqli_connect(): (HY000/1049): Unknown database 'shopdb' in /var/www/html/config.php

  2. SQL Injection Testing
    During SQLi exploitation, an attacker might use payloads to list database names or schemas:

UNION SELECT schema_name FROM information_schema.schemata;

  3. Directory Traversal and Backup Discovery
    Some applications leave .bak or .sql files accessible. Example paths attackers try:

/backup/db.sql

/config/db_backup.zip

/data/production.sqlite

  4. Default Configuration Files
    Exposed files like wp-config.php, .env, or config.inc.php can leak credentials and database paths.
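The error-disclosure technique (item 1 above) is easiest to neutralize where errors are rendered. The Python below is an added example, not code from the original post: it shows the leaky handler beside a hardened one that logs full detail server-side under a reference id and returns only a generic message, plus a regex check that flags response bodies carrying internal paths or database driver errors. The function names, the pattern list and the simulated driver failure are assumptions for illustration.

```python
"""Added example (not from the original post): keep database errors out of
user-facing output and detect when they slip through."""
import logging
import re
import uuid

log = logging.getLogger("app.errors")

# Indicators that internal detail is leaking: absolute Unix/Windows paths,
# PHP DB driver function names, MySQL SQLSTATE/errno pairs, Oracle/PDO codes.
# Assumed list for this example, not exhaustive; tune the Unix-path pattern
# if your site legitimately serves URLs such as /home/... in page bodies.
_DISCLOSURE_PATTERNS = [
    re.compile(r"/(?:var|etc|home|usr|opt|srv)/[\w./-]+"),        # Unix absolute path
    re.compile(r"[A-Za-z]:\\[^\s'\"]+"),                           # Windows absolute path
    re.compile(r"\b(?:mysqli?_\w+|pg_\w+|sqlsrv_\w+|oci_\w+)\("),  # PHP DB driver calls
    re.compile(r"\(HY\d{3}/\d+\)"),                                # MySQL SQLSTATE/errno
    re.compile(r"\b(?:ORA-\d{5}|SQLSTATE\[\w+\])"),                # Oracle / PDO codes
    re.compile(r"\bUnknown database\b", re.IGNORECASE),
]


def leaks_internal_details(body: str) -> bool:
    """True if a response body matches any disclosure pattern.
    Useful as an assertion in integration tests against your own app."""
    return any(p.search(body) for p in _DISCLOSURE_PATTERNS)


class DatabaseError(Exception):
    pass


def connect_db(name: str):
    # Stand-in for a real driver call (assumption): always fails the way the
    # post's example does, with a message that embeds an internal path.
    raise DatabaseError(
        f"mysqli_connect(): (HY000/1049): Unknown database '{name}' "
        "in /var/www/html/config.php"
    )


def handle_request_vulnerable(db_name: str) -> str:
    """Before: the raw exception text is returned to the client."""
    try:
        connect_db(db_name)
        return "ok"
    except DatabaseError as exc:
        return f"Warning: {exc}"


def handle_request_hardened(db_name: str) -> str:
    """After: full detail goes to the server log with a reference id; the
    client sees only a generic message carrying that id for support lookups."""
    try:
        connect_db(db_name)
        return "ok"
    except DatabaseError as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s db_error=%s", ref, exc)
        return f"A server error occurred (reference {ref})."


if __name__ == "__main__":
    for handler in (handle_request_vulnerable, handle_request_hardened):
        body = handler("shopdb")
        print(f"{handler.__name__}: leaks={leaks_internal_details(body)}\n  {body}")
```

The reference id is the piece teams usually forget: it lets support staff correlate a user's complaint with the full server-side log entry, so there is no operational pressure to put the real error text back on the page.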

Why It Matters

For red teamers and penetration testers, database enumeration is about understanding the attack surface.
For defenders, it’s a wake-up call: these files are goldmines for attackers. Once exposed, even a low-level vulnerability can escalate to a full database compromise.

A real-world example: during a pentest on a small e-commerce platform, the tester discovered a misconfigured backup folder containing an unencrypted .sql dump. Within minutes, sensitive customer data (names, emails, and hashed passwords) was accessible.

Defensive Best Practices

  1. Restrict directory browsing and file access permissions.
  2. Use environment variables to store credentials instead of hardcoded files.
  3. Sanitize error messages — never expose absolute paths in user-facing output.
  4. Regularly review backups and ensure they’re not web-accessible.
  5. Run automated scans to detect exposed database or config files.
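Practices 4 and 5 can be turned into a scheduled check against your own document roots. The Python below is an added example, not code from the original post: it walks a web document root, flags files whose name or extension marks them as database storage, a dump or backup, or a credential-bearing config (the .sql, .zip, .sqlite, .env and wp-config.php cases named above), and reports the URL path at which each would be served. The extension list, the name patterns and the sample tree are constructed for this example.

```python
"""Added example (not from the original post): find database dumps, backups
and config files sitting inside a web document root."""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Files that should never be reachable through the web server (assumed list).
SENSITIVE_EXTENSIONS = {
    ".sql", ".sql.gz", ".bak", ".old", ".orig", ".dump",  # dumps and backups
    ".sqlite", ".sqlite3", ".db", ".mdb",                 # file-based databases
    ".frm", ".ibd", ".myd", ".myi", ".mdf", ".ldf",       # MySQL / MSSQL storage files
}
# Archives are only flagged when the name suggests a backup, to avoid noise
# from legitimate downloads.
ARCHIVE_EXTENSIONS = {".zip", ".tar", ".tgz", ".tar.gz", ".7z", ".rar"}
ARCHIVE_NAME_HINT = re.compile(r"(backup|bak|dump|db|sql|database)", re.IGNORECASE)
# Config files and the editor/backup copies that often sit beside them.
SENSITIVE_NAMES = re.compile(
    r"^(\.env(\..*)?|wp-config\.php.*|config\.inc\.php.*|.*\.php~|.*\.php\.(bak|old|save|swp))$",
    re.IGNORECASE,
)


def classify(path: Path) -> Optional[str]:
    """Return a reason string if the file looks sensitive, else None."""
    if SENSITIVE_NAMES.match(path.name):
        return "config/credentials file"
    suffixes = [s.lower() for s in path.suffixes]
    # Try the two-part extension first (.sql.gz, .tar.gz), then the last one.
    for n in (2, 1):
        if len(suffixes) < n:
            continue
        ext = "".join(suffixes[-n:])
        if ext in SENSITIVE_EXTENSIONS:
            return f"database or backup file ({ext})"
        if ext in ARCHIVE_EXTENSIONS and ARCHIVE_NAME_HINT.search(path.stem):
            return f"archive with backup-like name ({ext})"
    return None


def scan_document_root(docroot: Path) -> List[Tuple[str, str]]:
    """Return sorted (url_path, reason) pairs for every sensitive file under docroot."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for fn in filenames:
            full = Path(dirpath) / fn
            reason = classify(full)
            if reason:
                url_path = "/" + full.relative_to(docroot).as_posix()
                findings.append((url_path, reason))
    return sorted(findings)


def build_sample_docroot() -> Path:
    """Constructed sample tree mirroring the paths named in the post, plus
    a few benign files that must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    for rel in ("index.php", "assets/app.js", "downloads/brochure.zip",
                "backup/db.sql", "config/db_backup.zip", "data/production.sqlite",
                ".env", "wp-config.php.bak"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
    return root


if __name__ == "__main__":
    sample_root = build_sample_docroot()
    for url_path, reason in scan_document_root(sample_root):
        print(f"EXPOSED {url_path:32} {reason}")
```

Run it against the real document root from cron or a CI job and fail the job on any finding. The scan complements, rather than replaces, web server deny rules for these extensions: the rules stop a file from being served, while the scan tells you the file should not be there at all.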

Database file enumeration might seem like a minor step in a penetration test, but it often leads to major breakthroughs for both attackers and security professionals.
The goal isn’t just to find vulnerabilities but to understand the information trail your system leaves behind.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067