Security Basics mailing list archives

RE: Exploiting MS Access with SQL Injections


From: "Turner, Jeremy" <jturn () retrotech com>
Date: Wed, 13 Jul 2011 08:26:09 -0400

DLP is a buzz word used by sales people to sell you products when what you really need is nothing more than people who 
know how to properly implement security.  

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Stealth
Sent: Monday, July 11, 2011 5:01 PM
To: security-basics () securityfocus com
Subject: Exploiting MS Access with SQL Injections

Alright, so I'm pentesting this box running Windows Server 2003 with Microsoft Access as the backend database. It 
interfaces with this DB via the ColdFusion that the app is programmed with (.cfm). The debug error messages print out 
not just the SQL query, but also the surrounding CFM code as well as a stack trace, and there are SQL injections 
riddled all throughout the site.

I've never played with MS Access, but I figured this would be ridiculously simple. I quickly figured out that it 
doesn't allow SQL code to be executed after the end of a statement ";", which took out a lot of exploits. So I decided 
to poke around some more, possibly map out the tables/db's, however almost all of the techniques I knew failed with 
strange Syntax errors I wasn't familiar with. Various attempts at researching possible techniques for MS Access 
resulted in the server acting far differently than I was expecting.

I looked into this for a solid 3 hours before deciding to try and see if I could find assistance with various 
DB-exploit programs. I pulled out Sqlmap, and it successfully registered the exploit as a valid injection.
But as soon as I try to pass any flags for pulling information to Sqlmap, I get various forms of "This doesn't work 
with Microsoft Access". The only thing I can get SQLmap to do without crashing is return the database fingerprint, 
which I obviously already knew. I'm thinking this isn't a limitation of the program, but that these techniques just 
don't work on MS Access.

Anyone have any ideas for how I can progress this exploit? The coder obviously didn't account for SQL Injection, but 
I'm thinking there isn't anything I can really do here. If anyone has any material to read/techniques to try, I'd be 
grateful.

Thanks guys


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



