> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/credentials/filesystem-search/trick-0129.md).

# Extract Credentials From Sql Dump

***

After gaining initial filesystem access (e.g., via a webshell or reverse shell), search for database backup files. These are commonly found with extensions such as `.sql`, `.dump`, `.sql.gz`, `.sql.zip`, `.tar.gz`, `.bak`, `.zip`, or `.rar`. Common locations to check include directories named `/backup/`, `/backups/`, `/db_backup/`, `/database_backup/`, `/sql/`, `/back/`, `/old/`, `/dump/`, or `/dumps/`. For web applications like WordPress, specific paths such as `wp-content/backups/`, `wp-content/backup/`, or within plugin directories like `wp-content/plugins/plugin-name/backups/` are frequent locations for these files.

These files often contain sensitive data in plain text or easily crackable formats. If you can find a backup file, it will likely contain juicy data, as most backup files are not encrypted or password protected. Such files are frequently generated by database backup tools.

For example, a common method to export table records to an insert script, producing lines like `INSERT INTO table_name (field1, field2) VALUES (value1, value2);`, uses commands such as:

```bash
mysqldump --compact --skip-extended-insert --no-create-info database_name table_name
```

This command exports data for a specific table into individual `INSERT` statements, making the data directly readable within the file. The `--compact` option produces more compact output by suppressing comments, making the dump file smaller and easier to read. By default, `mysqldump` uses the `--extended-insert` option, which combines multiple rows into a single `INSERT` statement like `INSERT INTO` t1 `VALUES (1,'a'),(2,'b');`. However, using `--skip-extended-insert` disables this behavior, resulting in a separate `INSERT` statement for each row, such as `INSERT INTO` t1`VALUES (1,'a'); INSERT INTO`t1 `VALUES (2,'b');`. This format is particularly useful for analysis as each record is on its own line or in its own statement block. The `--no-create-info` option ensures that `CREATE TABLE` statements are not included in the output, leaving primarily the data.

Once a potential dump file is located, read its contents using standard filesystem tools.

```bash
cat /path/to/backup.sql
```

Look for `INSERT INTO` statements within the file, as these typically contain the user data. Manually examine these lines for usernames, email addresses, password hashes, or other credential-related information, similar to the `users.sql` example found at `/var/www/backup/`. Carefully parse the output for relevant tables (like `users` or `accounts`) and extract the data from the `VALUES` clauses.
