Penetration Testing mailing list archives
Re: sql injection with MS Access
From: "Kevin Spett" <kspett () spidynamics com>
Date: Wed, 28 Nov 2001 17:46:09 -0800
I am currently testing SQL injection with a web application and MS Access database. I have some difficulties as I do not knowing the comment
character
for Access Database.
I'm afraid that you're out of luck. There is no magical -- character to work with in MS Access like SQL Server. You'll have to get around the syntax error the hard way. Try sending these strings as parameters to fish out as much of the sql query as possible: ' badvalue' 'badvalue badvalue, badvalue ' OR Also, here're the MS Access system tables, which you hopefully will have priveleges to read: MSysACEs MSysObjects MSysQueries MSysRelationships Good luck. Kevin Spett Resident SQL Injection Ninja SPI Dynamics, Inc. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- sql injection with MS Access helmut schmidt (Nov 28)
- Re: sql injection with MS Access Kevin Spett (Nov 28)
- Re: sql injection with MS Access Sverre H. Huseby (Nov 28)
- <Possible follow-ups>
- Re: sql injection with MS Access rudi carell (Nov 29)