Dailydave mailing list archives
RE: MS Access SQL injection
From: "Matt Fisher" <mfisher () spidynamics com>
Date: Mon, 21 Mar 2005 10:11:39 -0500
AFAIK Access doesn't seem to support multiple statements in the same command, so you can't do anything like "urlblah?parm=blah ; select * from table -- " . I'd be interested in hearing if you do get a * through. I can find *no way* of enumerating columns from Access without just bruting it. But then, I've never had read to system tables. While MSysObjects contains some very interesting items (such as "MSysDB", "Databases" and "Tables") they don't appear queryable even locally, much less through an injection. However if the database has any stored queries or relationships defined, some schema information will be in MSysRelationships and MSysQueries.... That could certainly be a good start. If you can get even one column name in both the webpage's query and your target table, you could probably move on to join statements to get wildcards through. (Disclaimer: Never tried this) - MF
-----Original Message----- From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of RaMatkal Sent: Monday, March 21, 2005 3:37 AM To: dailydave () lists immunitysec com Subject: [Dailydave] MS Access SQL injection I am conducting a pen-test on a web app that is vulnerable to SQL injection. The backend database is MS access..... i have managed to get a list of table names using something like the following: select Name, from MSysObjects where Type=1 and Name not like "MSys*" However, I am struggling to find a way to gather a list of column names from each table which would allow me to read any data from the database...... Anybody got any ideas? Thanks in advance... ramatkal () hotmail com _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- MS Access SQL injection RaMatkal (Mar 21)
- Re: MS Access SQL injection Andy Norman (Mar 21)
- Re: MS Access SQL injection Andy Norman (Mar 21)
- Re: MS Access SQL injection RaMatkal (Mar 21)
- Re: MS Access SQL injection Peter Busser (Mar 21)
- Re: MS Access SQL injection RaMatkal (Mar 21)
- Re: MS Access SQL injection Andy Norman (Mar 21)
- Re: MS Access SQL injection Andy Norman (Mar 21)
- <Possible follow-ups>
- RE: MS Access SQL injection Thomas Quinlan (Mar 21)
- RE: MS Access SQL injection Matt Fisher (Mar 21)