WebApp Sec mailing list archives
RE: sql injection for MS Access
From: Mark Burnett <mb () xato net>
Date: Tue, 30 Aug 2005 09:32:47 -0600
There are some unique things to play around with when doing SQL injection using MS Access. First of all, any field in an Access SELECT statement can be a built-in or custom function or an entire embedded SELECT statement. So you can SELECT from a collection of SELECT statements. Access also has some inner and outer join capabilities that can make things interesting. At one time, long before SQL injection was well known, you could access the Shell function through a SQL statement. This is basically what RFP did on the MSADC exploit. However, Microsoft since added the SandboxMode restriction that blocks most of the interesting functions (see http://support.microsoft.com/kb/294698). By default this setting is not at its most secure, but it is secure enough to limit serious exposure. Although you cannot chain SQL statements in Access, you can use a UNION to append multiple queries as long as the field data types match. In many ways, Access SQL can be more flexible than other SQL dialects, but you need to understand it well to be able to exploit its quirks. Mark Burnett On Tue, 30 Aug 2005 15:06:56 +0100, Mailing List wrote:
Hi You have confirmed what I thought, that it is harder in Access than Sql Server. Are there any features which could allow command execution or other, remote to Access, type things such as directory listings or file creation. It seems ironic that if you go for the cheaper option of Access over Sql Server you are better protected. Robin On Tue, 2005-08-30 at 09:39 +0200, Ofer Maor wrote:Hi Robin, SQL Injection with Access is similar in many ways to SQL Injection with MS SQL (Microsoft after all... ;)), but it has some very important issues that need to be noted: 1. Instead of SYSOBJECTS and SYSCOLUMS, Access uses tables called MSYSOBJECTS and MSYSCOLUMNS 2. By default, the Access MSYSOBJECTS/MSYSCOLUMNS are not accessible to the appilcation level user accessing the database, making database structure queries impossible. Note that while it IS possible for the creator of the database to make these tables readable, you would normally not find them accessible, making the injection significanly harder. 3. When injecting to Access, you will not be able to chain several commands together using a semicolon like possible with MS SQL All in all - these things make Access injection significanly harder to exploit than SQL Server. If you have detailed error messages, you should do fine identifying the names of tables and columns by generating a hefty amount of errors (access is quite descriptive) using HAVING and GROUP BY statements. However, if you are working blindfoldedly, then it may be very hard to do anything, unless you can guess names of tables and columns. Sincerely, --- Ofer Maor CTO Hacktics Ltd. Mobile: +972-54-6545406 Office: +972-9-9565840 Fax: +972-9-9500047 Web: www.hacktics.com -----Original Message----- From: Mailing List [mailto:maillist () freedomsoftware co uk] Sent: Tuesday, August 30, 2005 12:08 AM To: webappsec () securityfocus com Subject: sql injection for MS Access Can anyone recommend any docs on SQL injection specifically against MS Access? There are loads of docs on sql injection techniques against SQL Server and ones on the technique in general but nothing much out there on actually attacking Access. Ta Robin
Current thread:
- sql injection for MS Access Mailing List (Aug 29)
- RE: sql injection for MS Access Mutallip ABLIMIT (Aug 29)
- RE: sql injection for MS Access Ofer Maor (Aug 30)
- RE: sql injection for MS Access Mailing List (Aug 30)
- RE: sql injection for MS Access Mark Burnett (Aug 30)
- Re: sql injection for MS Access ray bradbury fan (Aug 30)
- RE: sql injection for MS Access Mailing List (Aug 30)