RE: sql injection for MS Access

[Mark Burnett <mb () xato net>]

There are some unique things to play around with when doing SQL injection using MS Access. First of all, any field in 
an Access SELECT statement can be a built-in or custom function or an entire embedded SELECT statement. So you can 
SELECT from a collection of SELECT statements. Access also has some inner and outer join capabilities that can make 
things interesting. 

At one time, long before SQL injection was well known, you could access the Shell function through a SQL statement. 
This is basically what RFP did on the MSADC exploit. However, Microsoft since added the SandboxMode restriction that 
blocks most of the interesting functions (see http://support.microsoft.com/kb/294698). By default this setting is not 
at its most secure, but it is secure enough to limit serious exposure.

Although you cannot chain SQL statements in Access, you can use a UNION to append multiple queries as long as the field 
data types match.

In many ways, Access SQL can be more flexible than other SQL dialects, but you need to understand it well to be able to 
exploit its quirks.

Mark Burnett








On Tue, 30 Aug 2005 15:06:56 +0100, Mailing List wrote:
>  Hi
>  You have confirmed what I thought, that it is harder in Access than Sql
>  Server.
>  
>  Are there any features which could allow command execution or other,
>  remote to Access, type things such as directory listings or file
>  creation.
>  
>  It seems ironic that if you go for the cheaper option of Access over Sql
>  Server you are better protected.
>  
>  Robin
>  
>  On Tue, 2005-08-30 at 09:39 +0200, Ofer Maor wrote:
> >  Hi Robin,
> >  
> >  SQL Injection with Access is similar in many ways to SQL Injection with MS
> >  SQL (Microsoft after all... ;)), but it has some very important issues that
> >  need to be noted:
> >  
> >  1. Instead of SYSOBJECTS and SYSCOLUMS, Access uses tables called
> >  MSYSOBJECTS and MSYSCOLUMNS
> >  2. By default, the Access MSYSOBJECTS/MSYSCOLUMNS are not accessible to the
> >  appilcation level user accessing the database, making database structure
> >  queries impossible. Note that while it IS possible for the creator of the
> >  database to make these tables readable, you would normally not find them
> >  accessible, making the injection significanly harder.
> >  3. When injecting to Access, you will not be able to chain several commands
> >  together using a semicolon like possible with MS SQL
> >  
> >  All in all - these things make Access injection significanly harder to
> >  exploit than SQL Server. If you have detailed error messages, you should do
> >  fine identifying the names of tables and columns by generating a hefty
> >  amount of errors (access is quite descriptive) using HAVING and GROUP BY
> >  statements. However, if you are working blindfoldedly, then it may be very
> >  hard to do anything, unless you can guess names of tables and columns.
> >  
> >  Sincerely,
> >  
> >  
> >  ---
> >  Ofer Maor
> >  CTO
> >  Hacktics Ltd.
> >  Mobile: +972-54-6545406
> >  Office: +972-9-9565840
> >  Fax: +972-9-9500047
> >  Web: www.hacktics.com
> >  
> >  
> >  -----Original Message-----
> >  From: Mailing List [mailto:maillist () freedomsoftware co uk]
> >  Sent: Tuesday, August 30, 2005 12:08 AM
> >  To: webappsec () securityfocus com
> >  Subject: sql injection for MS Access
> >  
> >  
> >  Can anyone recommend any docs on SQL injection specifically against MS
> >  Access?
> >  
> >  There are loads of docs on sql injection techniques against SQL Server and
> >  ones on the technique in general but nothing much out there on actually
> >  attacking Access.
> >  
> >  Ta
> >  
> >  Robin