Hi Cedric,
By default MS ACCESS will block access to 'MSysObjects'. The DBO will have to
give those rights. Funny thing is that MS ACCESS in a weird way is more a pain
to SQL inject than SQL Server and Oracle.
So the only thing as far as I know that you can do is to guess the user table
name. All is not lost, because if the developer is the same than the one that
designed the database there are fair chances that he will be coherent in the
way he names his web page with the entities in the DB. For example, I found
many times that ModifyUsers.asp will be Users table, ModifyProfile will be
Profile table and so on. Look in the web page source code also.
Since you're French, try to see if the names aren't in french, like
Utilisateur, Usager, administrateur with or without an s. Or tbUsers, tblUsers.
Lastly, if the site web's name is, I don't know... Acme, well you can try
Acme_user, acme_login, etc...
Good luck!
François Larouche
-----Original Message-----
From: Velasco Herrero, Jose Antonio [mailto:joseantonio.velasco@t-systems.es]
Sent: Tuesday, September 27, 2005 5:36 PM
To: Cedric Foll; pen-test@securityfocus.com
Subject: RE: MS SQL, find list of tables
Did you try something like this?
<somethin.asp?page= 'UNION ALL SELECT name FROM sysobjects WHERE xtype='U
AFAIK MSysObjects is not an MS SQL Server table but an Access one.
I hope this helps
Jose
-----Mensaje original-----
De: Cedric Foll [mailto:cedric.foll@ac-rouen.fr]
Enviado el: lunes, 26 de septiembre de 2005 16:01
Para: pen-test@securityfocus.com
Asunto: MS SQL, find list of tables
Hi,
I'm doing a pen test on a IIS/MS SQL box and find a SQL Injection on it
which permit to execute some SQL command on it.
In fact I have a "select" where I can inject an "UNION something".
I'd like to use that in order to get login/passwd in the database.
I can do:
<somethin.asp?page=contact' UNION SELECT * FROM users WHERE '1'='1>
But the table users doesn't exist and I failed to guess an existing
table name :(.
I've tried:
<something.asp?page=contact' UNION SELECT * FROM MSysObjects'>
but I get
----
Microsoft OLE DB Provider for ODBC Drivers error '80040e09'
[Microsoft][ODBC Microsoft Access Driver] Record(s) cannot be read; no
read permission on 'MSysObjects'.
----
Someone has an idea ????
Regards
--
Cedric Foll
Ingénieur Sécurité & Réseaux
Division Informatique, Rectorat de Rouen
"More people are killed every year by pigs than by sharks,
which shows you how good we are at evaluating risk."
Bruce Schneier
--------------------------------------------------------------------------
----
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before
hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------------------
-----
--------------------------------------------------------------------------------
INFORMACION IMPORTANTE - IMPORTANT NEWS
--------------------------------------------------------------------------------
A partir del 12 de septiembre de 2005, nuestras oficinas de Avda. Llano
Castellano y Capitán Haya en Madrid, se trasladan a:
As from September 12, 2005, our offices in: Avda. Llano Castellano and Capitán
Haya (Madrid) are moving to a new address:
------ Calle Orduña, 2 - 28034 Madrid ------
Nuestros números de teléfono y de fax así como nuestras direcciones de correo
electrónico permanecen sin cambios.
Our telephone and fax numbers as well as our e-mail addresses remain the same.
----------------------------------------
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
This e-mail may contain confidential or privileged information. Any unauthorised
copying, use or distribution of this information is strictly prohibited. If you
are not the
intended recipient, please notify the sender and destroy this e-mail together
with all of
its content.
--------------------------------------------------------------------------------
Este mensaje electrónico puede contener información confidencial o
privilegiada, por lo
que está completamente prohibida la copia, el uso o la distribución no
autorizada de
dicha información. Si usted no es el destinatario del mensaje, le rogamos que lo
notifique al remitente y que lo destruya junto con todo su contenido.
--------------------------------------------------------------------------------
Aquest missatge electrònic pot contenir informació confidencial o privilegiada
i està
completament prohibida qualsevol còpia, ús o distribució no autoritzada
d'aquesta
informació. Si vostè no és el seu destinatari, si us plau notifiqui-ho al
remitent i
destrueixi el missatge amb tot el seu contingut.
--------------------------------------------------------------------------------
Mezu elektroniko honek informazio konfidentziala edo pribilegiatua eduki dezake.
Erabat debekaturik dago informazio hori baimenik gabe kopiatu, erabili edo
banatzea.
Mezu hau ez bada zuri zuzendua, arren, igortzaileari jakinarazi eta bere
edukiarekin
batera ezaba ezazu.
--------------------------------------------------------------------------------
Esta mensaxe electrónica pode conter información confidencial ou privilexiada e
está
completamente prohibida calquera copia, uso ou distribución non autorizado desta
información. Se vostede non é o seu destinatario, faga o favor de llo notificar
ao
remitente e destrúa a mensaxe e todo o seu contido.
--------------------------------------------------------------------------------
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
______________________________________________________________________________________________________________________________
This email, the information contained within and any files transmitted with it
(herein after referred as "the message")
are confidential. It is intended solely for the addressees and access to this
message by any other person is not permitted.
If you are not the named addressee, please send it back immediately to the
sender and delete it. Unauthorized disclosure,
publication, use, dissemination, forwarding, printing or copying of this
message, either in whole or in part, is strictly
prohibited.
Emails are susceptible to alteration and their integrity cannot be guaranteed.
Our company shall not be liable for this
message if modified or falsified.
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
