Penetration Testing mailing list archives

Re: sql injection with MS Access


From: "Sverre H. Huseby" <shh () thathost com>
Date: Wed, 28 Nov 2001 23:59:07 +0100

[helmut schmidt]

|   In MSSQL I will terminate with -- but this does not work in MS
|   Access. Can someone confirm that SQL injection is feasible with MS
|   Access database and what is the correct comment character to use.

I have no idea about the comment character(s) (if any) in Access, but
I just want to point out that you can accomplish several things
without commenting out parts of the SQL.  Example (using boolean
operator priority rules) follows:

Let's say the program contains the following SQL to do login of users
(untested):

  "SELECT * FROM user WHERE name='" & name & "' AND pwd='" & pwd & "'"

If you know there is a user "john" on the system, you could normally
log in without a password using the following (no password):

  name:  john' --
  pwd:

If you don't know the comment character(s), you can abuse the fact
that boolean operators have priority rules that say that AND should be
performed before OR.  Try the following (no password again):

  name:  john' OR 'a'='a
  pwd:

The following would be sent to the database:

  SELECT * FROM user WHERE name='john' OR 'a'='a' AND pwd=''
                                 ---------------

Now the database would perform the AND part first.  This part fails no
matter what expression you insert, as the password does not match.
That doesn't matter, as the only requirement for an OR to succeed is
that at least one of the operands evaluates to TRUE.  The name part
will be true for an existing user, and you have thus gained access
without a password and without comment character(s).


Sverre.

-- 
shh () thathost com                     Play my free Nerd Quiz at
http://shh.thathost.com/                http://nerdquiz.thathost.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
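
The precedence behaviour described in the message above, next to the bound-parameter form that removes it, as an added example that is not part of the original post. It assumes Python's sqlite3 as a stand-in for Access (AND binds tighter than OR in both); the table contents and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: a single account named john."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (name TEXT, pwd TEXT)")
    # Plaintext password only to mirror the query in the post.
    db.execute("INSERT INTO user VALUES ('john', 's3cret')")
    return db

def login_concat(db, name, pwd):
    """The post's query, built by string concatenation (vulnerable)."""
    sql = "SELECT * FROM user WHERE name='" + name + "' AND pwd='" + pwd + "'"
    return sql, db.execute(sql).fetchall()

def login_param(db, name, pwd):
    """Same lookup with bound parameters: input stays data, never SQL."""
    sql = "SELECT * FROM user WHERE name=? AND pwd=?"
    return db.execute(sql, (name, pwd)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "john' OR 'a'='a"   # the name value from the post, empty password

    sql, rows = login_concat(db, crafted, "")
    # Parsed as: name='john' OR ('a'='a' AND pwd='')
    print(sql)
    print("concatenated:", rows)                  # john's row comes back

    # Bound parameters compare the whole string against the name column.
    print("parameterised:", login_param(db, crafted, ""))   # no rows

    # A legitimate apostrophe breaks the concatenated form outright,
    # which is a cheap signal that a query is built from raw input.
    try:
        login_concat(db, "O'Brien", "x")
    except sqlite3.OperationalError as exc:
        print("concatenated, O'Brien:", exc)
    print("parameterised, O'Brien:", login_param(db, "O'Brien", "x"))
```
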

