Security Basics mailing list archives

Re: Exploiting MS Access with SQL Injections


From: Paul Johnston <paul.johnston () pentest co uk>
Date: Sat, 18 Jun 2011 16:00:11 +0100

Hi,

IIRC, Access doesn't have a way of querying what tables exist from SQL
(like INFORMATION_SCHEMA); for introspection you have to use separate
ADO calls, which isn't possible from an SQL injection. Also, pre-2003
(or so) Access had functions to run command shells and such. However,
Microsoft locked this down considerably (at least, by default) so you're
much more limited now.

I expect you can theoretically extract all the data in this database,
but you'll need to brute force for table and column names, which isn't
for the faint-hearted. It may be that extracting just some data (e.g. user
names and passwords) would persuade the coder that this is a serious issue.

Paul


On 11/07/2011 22:01, Stealth wrote:
Alright, so I'm pentesting this box running Windows Server 2003 with
Microsoft Access as the backend database. It interfaces with this DB via
the ColdFusion that the app is programmed with (.cfm). The debug error
messages print out not just the SQL query, but with the surrounding CFM
code as well as a stack trace, and there are SQL injections riddled all
throughout the site.

I've never played with MS Access, but I figured this would be
ridiculously simple. I quickly figured out that it doesn't allow SQL
code to be executed after the end of a statement ";", which took out a
lot of exploits. So I decided to poke around some more, possibly map out
the tables/db's, however almost all of the techniques I knew failed with
strange syntax errors I wasn't familiar with. Various attempts at
researching possible techniques for MS Access resulted in the server
acting far differently than I was expecting.

I looked into this for a solid 3 hours before deciding to try and see if
I could find assistance with various DB-exploit programs. I pulled out
sqlmap, and it successfully registered the exploit as a valid injection.
But as soon as I try to pass any flags for pulling information to
sqlmap, I get various forms of "This doesn't work with Microsoft
Access". The only thing I can get sqlmap to do without crashing is
return the database fingerprint, which I obviously already knew. I'm
thinking this isn't limitations of the program, but that these
techniques just don't work on MS Access.

Anyone have any ideas for how I can progress this exploit? The coder
obviously didn't account for SQL Injection, but I'm thinking there isn't
anything I can really do here. If anyone has any material to
read/techniques to try, I'd be grateful.

Thanks guys


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------




-- 
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
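The root cause Stealth describes (string-built SQL in ColdFusion against an Access backend, plus debug output that echoes the query, the surrounding CFM code and a stack trace) is fixed on the application side rather than by anything Access-specific. The following is an added illustration, not code from the thread or from the site under test; the datasource name `accessDsn`, the `users` table, the column names and the `errors.log` file are assumed. It shows the vulnerable query beside its parameterised form, and an `Application.cfc` `onError` handler that keeps exception detail out of the HTTP response:

```cfml
<!--- user.cfm (assumed page name) --->

<!--- VULNERABLE: url.user is concatenated straight into the SQL text.
      Whether or not the backend allows stacked queries after ";",
      a quote in the input still rewrites the WHERE clause. --->
<cfquery name="getUserBad" datasource="accessDsn">
    SELECT id, username
    FROM users
    WHERE username = '#url.user#'
</cfquery>

<!--- FIXED: cfqueryparam sends the value as a bound parameter, so it is
      never interpreted as SQL. cfsqltype and maxlength also give the
      driver a type and length to enforce before the query runs. --->
<cfquery name="getUserGood" datasource="accessDsn">
    SELECT id, username
    FROM users
    WHERE username = <cfqueryparam value="#url.user#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="64">
</cfquery>

<!--- Numeric input gets a numeric type; a non-numeric value is rejected
      by the parameter binding instead of reaching the database. --->
<cfquery name="getUserById" datasource="accessDsn">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfoutput>
    <cfloop query="getUserGood">
        #encodeForHTML(getUserGood.username)#<br>
    </cfloop>
</cfoutput>
```

```cfml
<!--- Application.cfc (assumed): log the full exception server-side and
      return a generic page, so the SQL text, CFM source and stack trace
      that Stealth saw in the debug output never reach the client. --->
<cfcomponent output="false">
    <cfset this.name = "accessDemoApp">

    <cffunction name="onError" access="public" returntype="void" output="true">
        <cfargument name="exception" type="any" required="true">
        <cfargument name="eventName" type="string" required="true">

        <!--- Keep the detail for the operators, not the browser. --->
        <cflog file="errors"
               type="error"
               text="#arguments.eventName#: #arguments.exception.message# #arguments.exception.detail#">

        <cfheader statuscode="500" statustext="Internal Server Error">
        <cfoutput><p>An error occurred. It has been logged.</p></cfoutput>
    </cffunction>
</cfcomponent>
```

Two things worth checking on a site like the one described: every `<cfquery>` that references `url.`, `form.` or `cgi.` scope inside the SQL text without `<cfqueryparam>` is a finding, and the ColdFusion Administrator's robust exception reporting should be off on anything reachable from the internet, since the `onError` handler above only covers exceptions that reach it.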



