Penetration Testing mailing list archives

Re: sql injection with MS Access


From: "Kevin Spett" <kspett () spidynamics com>
Date: Wed, 28 Nov 2001 17:46:09 -0800

I am currently testing SQL injection with a web application and MS Access
database. I have some difficulties as I do not know the comment character
for Access Database.

I'm afraid that you're out of luck.  There is no magical -- character to
work with in MS Access like SQL Server.  You'll have to get around the
syntax error the hard way.  Try sending these strings as parameters to fish
out as much of the SQL query as possible:

'
badvalue'
'badvalue
badvalue, badvalue
' OR

Also, here're the MS Access system tables, which you hopefully will have
privileges to read:
MSysACEs
MSysObjects
MSysQueries
MSysRelationships


Good luck.

Kevin Spett
Resident SQL Injection Ninja
SPI Dynamics, Inc.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
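
Added example, not part of the original post: a log check a defender could run to spot the probing described above, flagging query parameters that carry an unbalanced single quote or name one of the listed Access system tables. The log format, the /item.asp page and every sample line are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Access system tables named in the post.
MSYS_RE = re.compile(r"\b(MSysACEs|MSysObjects|MSysQueries|MSysRelationships)\b", re.I)
# Request and status fields of a common-log-format line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (documentation address, hypothetical /item.asp page).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Nov/2001:17:40:01 -0800] "GET /item.asp?id=42 HTTP/1.0" 200 512',
    '192.0.2.10 - - [28/Nov/2001:17:40:05 -0800] "GET /item.asp?id=%27 HTTP/1.0" 500 310',
    '192.0.2.10 - - [28/Nov/2001:17:40:07 -0800] "GET /item.asp?id=badvalue%27 HTTP/1.0" 500 310',
    '192.0.2.10 - - [28/Nov/2001:17:40:09 -0800] "GET /item.asp?name=O%27Brien HTTP/1.0" 200 512',
    '192.0.2.10 - - [28/Nov/2001:17:40:12 -0800] "GET /item.asp?id=MSysObjects HTTP/1.0" 200 512',
]

def reasons_for(value):
    """Return why one URL-decoded parameter value looks like a probe."""
    reasons = []
    if value.count("'") % 2 == 1:
        reasons.append("unbalanced-quote")
    match = MSYS_RE.search(value)
    if match:
        reasons.append("system-table:" + match.group(1))
    return reasons

def scan_log(lines):
    """Return (line_no, param, reasons, server_error) for suspicious parameters."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target, status = m.group(1), int(m.group(2))
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            reasons = reasons_for(value)
            if reasons:
                # A 5xx reply suggests the value reached the SQL string and broke it.
                hits.append((line_no, name, reasons, status >= 500))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The O'Brien line shows why the quote heuristic alone is noisy: a legitimate apostrophe is flagged too, so the server-error flag is the field to triage on.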

