SQL injection principles: unsafe database configuration

1. Default users

A database installation ships with a large number of default user accounts. SQL Server uses the infamous "sa" account as its database system administrator; MySQL has the "root" and "anonymous" user accounts; an Oracle database is normally created with the SYS, SYSTEM, DBSNMP and OUTLN accounts by default, and these are by no means all of them.
When writing code, application developers usually connect to the database with one of these built-in privileged accounts rather than creating a user account whose privileges match what the application actually needs.

2. Metadata

When exploiting a SQL injection vulnerability, an attacker will often try to access the database's metadata. Metadata is data held inside the database that describes the database itself, such as the names of databases and tables, the types of columns, or the access rights on data columns. The same applies to the data dictionary, the system catalog and other items that represent such information.
In MySQL Server (version 5.0 and later) the metadata lives in the Information_schema virtual database and can be accessed with the commands show databases and show tables. Every user may access these tables, but each user only sees the rows for objects on which they hold the corresponding privileges.
SQL Server follows a similar principle to MySQL: metadata is accessed through Information_schema, the system tables (sysobjects, sysindexkeys, sysindexes, syscolumns, systypes, etc.) and the system stored procedures. SQL Server 2005 introduced a set of catalog views named "sys.*", which restrict users to the objects they have the appropriate access rights to. All SQL Server users can access the system tables and can see every row in them, regardless of whether the user has access rights to the data table or query concerned.
Oracle provides a set of built-in global views for accessing Oracle metadata (ALL_TABLES, ALL_TAB_COLUMNS, etc.). These views list the objects and properties accessible to the current user. Further, views beginning with USER_ show only the objects owned by the current user (a more restricted view of the metadata, such as columns), while views beginning with DBA_ show every object in the database; the DBA_ views require database administrator (DBA) privileges.

Statement examples
Oracle statement listing all tables the current user can access

SELECT OWNER,TABLE_NAME FROM ALL_TABLES ORDER BY TABLE_NAME;

MySQL statement listing all databases and tables accessible to the current user

SELECT table_schema, table_name FROM information_schema.tables;

MS SQL statement listing all accessible tables using the system tables

SELECT name FROM sysobjects WHERE xtype = 'U';

MS SQL statement listing all accessible tables using the catalog views

SELECT name FROM sys.tables;
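The two points above (applications connecting as a built-in privileged account, and metadata enumeration being a tell-tale sign of injection) can both be checked from the database query log. The following is an added example, not code from the original post: it scans a small query log constructed inline, in an assumed layout of "<timestamp> user=<account> stmt=<sql>", and flags lines where the connecting account is one of the default administrator accounts named above or where the statement reads the metadata sources named above (information_schema, the SQL Server system tables and sys.* views, the Oracle ALL_/USER_/DBA_ views). The account list, patterns and sample lines are all assumptions made for the example.

```python
import re

# Built-in privileged accounts named above. An application connection string
# should name a dedicated, least-privileged account, never one of these.
PRIVILEGED_ACCOUNTS = {"sa", "root", "sys", "system", "dbsnmp", "outln"}

# Metadata sources named above (information_schema, the SQL Server system
# tables and sys.* catalog views, the Oracle ALL_/USER_/DBA_ views). An
# application rarely queries these, so they stand out in a query log.
METADATA_PATTERNS = [
    re.compile(r"\binformation_schema\.\w+", re.IGNORECASE),
    re.compile(r"\bsys(objects|indexkeys|indexes|columns|types)\b", re.IGNORECASE),
    re.compile(r"\bsys\.\w+", re.IGNORECASE),
    re.compile(r"\b(ALL|USER|DBA)_(TABLES|TAB_COLUMNS)\b", re.IGNORECASE),
    re.compile(r"\bshow\s+(databases|tables)\b", re.IGNORECASE),
]

# Assumed log line layout (constructed for this example):
#   <timestamp> user=<account> stmt=<sql text>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+stmt=(?P<stmt>.*)$")


def review_query_log(lines):
    """Return [(line_number, [reason, ...]), ...] for the lines worth a look."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_LINE.match(line)
        if not match:
            continue  # not in the assumed layout; skip it
        reasons = []
        if match["user"].lower() in PRIVILEGED_ACCOUNTS:
            reasons.append("privileged account: " + match["user"])
        for pattern in METADATA_PATTERNS:
            hit = pattern.search(match["stmt"])
            if hit:
                reasons.append("metadata access: " + hit.group(0))
                break  # one metadata reason per line is enough
        if reasons:
            findings.append((number, reasons))
    return findings


# Constructed sample log; the flagged statements are the ones listed above.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z user=app_orders stmt=SELECT id, total FROM orders WHERE id = 42",
    "2024-05-01T10:00:01Z user=sa stmt=SELECT name FROM sysobjects WHERE xtype = 'U'",
    "2024-05-01T10:00:02Z user=app_orders stmt=SELECT table_schema, table_name FROM information_schema.tables",
    "2024-05-01T10:00:03Z user=app_orders stmt=SELECT OWNER,TABLE_NAME FROM ALL_TABLES ORDER BY TABLE_NAME",
]

if __name__ == "__main__":
    for number, reasons in review_query_log(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(reasons))
```

The first sample line is ordinary application traffic and is not reported; the second is reported twice over (the "sa" account and a system-table read), and the third and fourth only for the metadata read. In practice the privileged-account check is the configuration finding to fix once, while a burst of metadata reads from the application account is the signal to correlate with the web server log.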

3. Identifying the database platform by inference from its SQL dialect

For each platform the table gives the string concatenation operator, the line comment marker, a default table, variable or function that exists only on that platform, and the function that converts an integer to a character.

MS SQL Server: concatenation 'A'+'B'; line comment --; unique default @@PACK_RECEIVED; int-to-char char(0x41)
Oracle: concatenation 'A'||'B' or concat('A','B'); line comment --; unique default BITAND(1,1); int-to-char chr(65)
MySQL: concatenation 'A' 'B' or concat('A','B'); line comment #; unique default CONNECTION_ID(); int-to-char char(0x41)
Access: concatenation "A"&"B"; line comment N/A; unique default msysobjects; int-to-char chr(65)
PostgreSQL: concatenation 'A'||'B'; line comment --; unique default getpgusername(); int-to-char chr(65)
DB2: concatenation 'a' concat 'b'; line comment --; unique default sysibm.systables; int-to-char chr(65)
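The same dialect markers work in the other direction for a defender triaging WAF or application log captures: given an injected fragment, they show which database platform the probe was written for, and therefore whether it even matches the back end in use. The following is an added example and not code from the original post. It encodes the markers from the table above as regular expressions, scores each platform against a captured fragment, and reports a single platform only when the markers actually discriminate; a fragment that only carries a shared marker such as -- or || is reported as ambiguous. The weights, the regexes and the sample fragments are assumptions made for the example.

```python
import re

# Dialect markers from the table above, as (regex, weight). A marker unique to
# one platform (its default table, variable or function) weighs 2; concatenation
# operators, line comments and int-to-char functions, which several platforms
# share, weigh 1. Weights are an assumption for this example.
DIALECT_MARKERS = {
    "MS SQL Server": [(r"'\s*\+|\+\s*'", 1), (r"--", 1),
                      (r"@@PACK_RECEIVED\b", 2), (r"\bchar\s*\(\s*0x[0-9a-f]+\s*\)", 1)],
    "Oracle":        [(r"\|\||\bconcat\s*\(", 1), (r"--", 1),
                      (r"\bBITAND\s*\(", 2), (r"\bchr\s*\(\s*\d+\s*\)", 1)],
    "MySQL":         [(r"'\s+'|\bconcat\s*\(", 1), (r"#", 1),
                      (r"\bCONNECTION_ID\s*\(", 2), (r"\bchar\s*\(\s*0x[0-9a-f]+\s*\)", 1)],
    "Access":        [(r'"\s*&|&\s*"', 1),
                      (r"\bmsysobjects\b", 2), (r"\bchr\s*\(\s*\d+\s*\)", 1)],
    "PostgreSQL":    [(r"\|\|", 1), (r"--", 1),
                      (r"\bgetpgusername\s*\(", 2), (r"\bchr\s*\(\s*\d+\s*\)", 1)],
    # DB2 uses concat as an infix operator, so match it only when no "(" follows.
    "DB2":           [(r"\bconcat\b(?!\s*\()", 1), (r"--", 1),
                      (r"\bsysibm\.systables\b", 2), (r"\bchr\s*\(\s*\d+\s*\)", 1)],
}


def rank_dialects(fragment):
    """Score every platform's markers against a captured SQL fragment and
    return (platform, score) pairs, highest score first; platforms with no
    matching marker are omitted."""
    scores = []
    for platform, markers in DIALECT_MARKERS.items():
        score = sum(weight for pattern, weight in markers
                    if re.search(pattern, fragment, re.IGNORECASE))
        if score:
            scores.append((platform, score))
    scores.sort(key=lambda ps: (-ps[1], ps[0]))
    return scores


def likely_dialect(fragment):
    """Return the single best-matching platform, or None when nothing matched
    or the two top platforms tie (the fragment does not discriminate)."""
    ranked = rank_dialects(fragment)
    if not ranked:
        return None
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


if __name__ == "__main__":
    # Constructed fragments of the kind a WAF would log; the first three carry a
    # platform-specific marker, the last two only shared ones.
    for sample in ["x' AND BITAND(1,1)=1 --", "x' AND CONNECTION_ID()>0 #",
                   "x'+char(0x41)+'", "x' OR 1=1 --", "x' || chr(65) || '"]:
        print(repr(sample), "->", likely_dialect(sample), rank_dialects(sample))
```

The ambiguity handling is the useful part: a fragment using only -- and || scores equally for Oracle and PostgreSQL, and reporting "Oracle" for it would be guessing. Only the presence of a platform-specific item such as BITAND, CONNECTION_ID() or msysobjects moves a fragment from "someone is probing" to "someone is probing for this particular back end".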
Origin blog.csdn.net/Secur17y/article/details/101549701