RE: MS Access SQL injection column enumeration

["Jeremy Viegas" <jeremy.viegas () gmail com>]

Most often the ODBC connection the web app uses prevents access to the
msysobjects table of the database. Here is what the error generally looks
like:

Microsoft OLE DB Provider for ODBC Drivers (0x80040E09) [Microsoft][ODBC
Microsoft Access Driver] Record(s) cannot be read; no read permission on
'msysobjects'.

The same queries will work for you inside access when fired straight on the
database.

Yes, and column enumeration is not an easy task!

You might want to look over the access file format (MDB) for Jet 3 and Jet4
databases.

Happy Pen-Testing ...
____________________________________________________________________

Jeremy D. Viegas                  Email:  jeremyv () cc gatech edu   
College of Computing,             http://www.cc.gatech.edu/~jeremyv
Tech.
____________________________________________________________________

-----Original Message-----
From: RaMatkal x2 [mailto:ramatkal () hotmail com] 
Sent: Saturday, March 19, 2005 3:34 PM
To: security-basics () securityfocus com
Subject: MS Access SQL injection column enumeration

I am conducting a pen-test on a web app that is vulnerable to SQL injection.

The backend database is MS access.....

i have managed to get a list of table names using something like the 
following:

select Name, from MSysObjects
where  Type=1
  and  Name not like "MSys*";

However, I am struggling to find a way to gather a list of column names from

each table which
would allow me to read any data from the database......
None of the sql injection papers / tutorials seem to have much to say about 
Access databases...

Anybody got any ideas?

Thanks in advance...
ramatkal () hotmail com

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/