My way to network security — database SQL injection (1)


SQL injection background

The full name of SQL is "Structured Query Language". It is a language that sits between relational algebra and relational calculus; its functions cover query, manipulation, definition and control. It is a universal and powerful standard language for relational databases.

It is a query language developed at IBM's San Jose Research Laboratory for its relational database management system System R; its predecessor is the SQUARE language.

The structure of SQL is simple, its functions are powerful, and it is easy to learn, so SQL has been widely used since IBM launched it in 1981. In SQL you do not need to tell the database how to access the data, only what you want done with it.


Vulnerability introduction

SQL injection is the following kind of vulnerability: a web application passes SQL statements to the back-end database to perform database operations. If the user-supplied parameters are not strictly filtered, a malicious visitor can construct special SQL fragments and insert or append them to the application's input parameters; these are sent directly to the database engine for execution, and the visitor can directly read or modify the contents of the database.

SQL injection can be said to be one of the most destructive vulnerabilities in enterprise operations, and it is also the most frequently exploited vulnerability at present. To learn how to defend against SQL injection, we must first understand its principle.

If developers are careless or lack programming experience, and do not perform the necessary validity checks on the user's input data or on the information carried in the page when writing the code, an attacker will use this opportunity to submit database query code and obtain database information from the results the program returns.

Vulnerability hazards:

  • It directly causes leakage of the data in the database.
  • If the database connection user has high privileges, it may allow a malicious visitor to obtain control of the server.
  • It is the entry point of many security incidents.


MySQL database structure

It's time to talk about the core principle!
In MySQL 5.0 and above, for ease of management, a database named information_schema is defined by default. It stores database meta-information and contains the tables schemata (database names), tables (table names) and columns (column or field names). These are the cornerstone of our SQL injection!

In the schemata table, the schema_name field stores the database name.
In the tables table, table_schema and table_name store the database name and the table name respectively.
In the columns table, table_schema (database name), table_name (table name) and column_name (field name) are stored.

Function          Query statement
Query databases   select schema_name from information_schema.schemata
Query tables      select table_name from information_schema.tables where table_schema = 'database name'
Query columns     select column_name from information_schema.columns where table_name = 'table name'
Query data        select column name from table name

Built-in databases

Built-in database: function
mysql: stores account information, privilege information, stored procedures, events, time zones and other information.
sys: includes a series of stored procedures, user-defined functions and views that help us quickly understand the metadata of the system (metadata is data about data, such as a database name or table name, the data type of a column, or access rights).
performance_schema: used to collect performance parameters of the database server.
information_schema (the one we will use): provides a way to access database metadata. It holds information about all the other databases maintained by the MySQL server, such as database names, tables, the data types of table columns and access rights.

Common comment expressions in MySQL

  1. # (the "hash" sign, the one on the 3 key)
  2. -- followed by a space
  3. /* ... */ (within a line or spanning several lines)
Inline comment: /*! SQL statement */
(only MySQL recognizes it, and it is often used to bypass a WAF).

For example, a normal query:
select * from articles where id = id
Using inline-comment injection:
select * from articles where id = -1 /*!union*/ /*!select*/ 1,2,3,4
(this is beyond the scope of the present outline and will be introduced in a following article.)
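As an added example (not code from the original post), here is the unfiltered string concatenation described in the vulnerability introduction next to its parameterised fix, using an in-memory SQLite database as an offline stand-in for MySQL (an assumed setup; SQLite understands the "-- " and /* */ comment forms from the list above but not # or /*! */). It also includes a small check that reports which of the MySQL comment markers listed above appear in a request value, as a logging and detection signal.

```python
import re
import sqlite3

# Constructed sample table, modelled on the "articles" table in the post's example.
# sqlite3 is used as an offline stand-in for MySQL (assumed setup, not the post's).
ARTICLES = [
    (1, "public post", 0),
    (2, "unpublished draft", 1),
    (3, "another draft", 1),
]

def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table articles (id integer, title text, hidden integer)")
    conn.executemany("insert into articles values (?, ?, ?)", ARTICLES)
    return conn

def lookup_vulnerable(user_id: str):
    """Concatenates the request parameter into the statement: the text becomes SQL.
    A value such as "1 or 1=1 -- " comments out the "hidden = 0" filter."""
    sql = "select id, title from articles where id = " + user_id + " and hidden = 0"
    return _connect().execute(sql).fetchall()

def lookup_safe(user_id: str):
    """Validates the type and binds the value as a parameter: the text is data,
    never part of the statement, so it cannot change what the query does."""
    try:
        article_id = int(user_id)
    except ValueError:
        return []  # reject anything that is not a plain integer id
    sql = "select id, title from articles where id = ? and hidden = 0"
    return _connect().execute(sql, (article_id,)).fetchall()

# The three MySQL comment forms from the post (#, "-- ", /* */) plus the inline
# /*! */ form. Useful for logging suspicious request values, but a blacklist is
# not a fix: only parameterised queries remove the vulnerability itself.
_COMMENT_MARKERS = re.compile(r"/\*!|/\*|#|--\s")

def find_comment_markers(value: str):
    """Returns every MySQL comment marker found in an input value, in order."""
    return _COMMENT_MARKERS.findall(value)

if __name__ == "__main__":
    print(lookup_vulnerable("1 or 1=1 -- "))  # all three rows, drafts included
    print(lookup_safe("1 or 1=1 -- "))        # []
    print(find_comment_markers("-1 /*!union*/ /*!select*/ 1,2,3,4"))
```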

I want to say

In fact, these articles are more like my study notes. I share them as simple knowledge for fellow students working together; if there is a little starlight on the confusing road, we will summon up the courage to continue forging ahead.

So that's all for today ~ the main thing was to sort out the relevant knowledge of the SQL injection vulnerability, to lay the foundation for the later articles on injection.
In the next article I will sort out the process of SQL injection ~ please look forward to it!

If there is any negligence or error in the article, please correct me! Thank you!

I recommend my introductory database tutorial
Comic SQL / MySQL tutorial link: …
Extraction code: 6f40