RE: sql injection for MS Access

["Ofer Maor" <ofer.hacktics () gmail com>]

Hi Robin,

SQL Injection with Access is similar in many ways to SQL Injection with MS
SQL (Microsoft after all... ;)), but it has some very important issues that
need to be noted:

1. Instead of SYSOBJECTS and SYSCOLUMS, Access uses tables called
MSYSOBJECTS and MSYSCOLUMNS
2. By default, the Access MSYSOBJECTS/MSYSCOLUMNS are not accessible to the
appilcation level user accessing the database, making database structure
queries impossible. Note that while it IS possible for the creator of the
database to make these tables readable, you would normally not find them
accessible, making the injection significanly harder.
3. When injecting to Access, you will not be able to chain several commands
together using a semicolon like possible with MS SQL

All in all - these things make Access injection significanly harder to
exploit than SQL Server. If you have detailed error messages, you should do
fine identifying the names of tables and columns by generating a hefty
amount of errors (access is quite descriptive) using HAVING and GROUP BY
statements. However, if you are working blindfoldedly, then it may be very
hard to do anything, unless you can guess names of tables and columns.

Sincerely,

 
---
Ofer Maor
CTO
Hacktics Ltd.
Mobile: +972-54-6545406
Office: +972-9-9565840
Fax: +972-9-9500047
Web: www.hacktics.com
 


-----Original Message-----
From: Mailing List [mailto:maillist () freedomsoftware co uk] 
Sent: Tuesday, August 30, 2005 12:08 AM
To: webappsec () securityfocus com
Subject: sql injection for MS Access


Can anyone recommend any docs on SQL injection specifically against MS
Access?

There are loads of docs on sql injection techniques against SQL Server and
ones on the technique in general but nothing much out there on actually
attacking Access.

Ta

Robin