WebApp Sec mailing list archives
RE: sql injection for MS Access
From: Mailing List <maillist () freedomsoftware co uk>
Date: Tue, 30 Aug 2005 15:06:56 +0100
Hi

You have confirmed what I thought, that it is harder in Access than SQL Server. Are there any features which could allow command execution or other, remote to Access, type things such as directory listings or file creation?

It seems ironic that if you go for the cheaper option of Access over SQL Server you are better protected.

Robin

On Tue, 2005-08-30 at 09:39 +0200, Ofer Maor wrote:
Hi Robin,

SQL Injection with Access is similar in many ways to SQL Injection with MS SQL (Microsoft after all... ;)), but it has some very important issues that need to be noted:

1. Instead of SYSOBJECTS and SYSCOLUMNS, Access uses tables called MSYSOBJECTS and MSYSCOLUMNS.

2. By default, the Access MSYSOBJECTS/MSYSCOLUMNS are not accessible to the application level user accessing the database, making database structure queries impossible. Note that while it IS possible for the creator of the database to make these tables readable, you would normally not find them accessible, making the injection significantly harder.

3. When injecting to Access, you will not be able to chain several commands together using a semicolon like possible with MS SQL.

All in all - these things make Access injection significantly harder to exploit than SQL Server.

If you have detailed error messages, you should do fine identifying the names of tables and columns by generating a hefty amount of errors (Access is quite descriptive) using HAVING and GROUP BY statements. However, if you are working blindfoldedly, then it may be very hard to do anything, unless you can guess names of tables and columns.

Sincerely,

---
Ofer Maor
CTO
Hacktics Ltd.
Mobile: +972-54-6545406
Office: +972-9-9565840
Fax: +972-9-9500047
Web: www.hacktics.com

-----Original Message-----
From: Mailing List [mailto:maillist () freedomsoftware co uk]
Sent: Tuesday, August 30, 2005 12:08 AM
To: webappsec () securityfocus com
Subject: sql injection for MS Access

Can anyone recommend any docs on SQL injection specifically against MS Access? There are loads of docs on SQL injection techniques against SQL Server and ones on the technique in general but nothing much out there on actually attacking Access.

Ta

Robin

Current thread:
- sql injection for MS Access Mailing List (Aug 29)
- RE: sql injection for MS Access Mutallip ABLIMIT (Aug 29)
- RE: sql injection for MS Access Ofer Maor (Aug 30)
- RE: sql injection for MS Access Mailing List (Aug 30)
- RE: sql injection for MS Access Mark Burnett (Aug 30)
- Re: sql injection for MS Access ray bradbury fan (Aug 30)
- RE: sql injection for MS Access Mailing List (Aug 30)