Most often the ODBC connection the web app uses prevents access to the
msysobjects table of the database. Here is what the error generally looks
like:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E09) [Microsoft][ODBC
Microsoft Access Driver] Record(s) cannot be read; no read permission on
'msysobjects'.
The same queries will work for you inside access when fired straight on the
database.
Yes, and column enumeration is not an easy task!
You might want to look over the access file format (MDB) for Jet 3 and Jet4
databases.
Happy Pen-Testing ...
____________________________________________________________________
Jeremy D. Viegas Email: jeremyv@cc.gatech.edu
College of Computing, http://www.cc.gatech.edu/~jeremyv
Tech.
____________________________________________________________________
-----Original Message-----
From: RaMatkal x2 [mailto:ramatkal@hotmail.com]
Sent: Saturday, March 19, 2005 3:34 PM
To: security-basics@securityfocus.com
Subject: MS Access SQL injection column enumeration
I am conducting a pen-test on a web app that is vulnerable to SQL injection.
The backend database is MS access.....
i have managed to get a list of table names using something like the
following:
select Name, from MSysObjects
where Type=1
and Name not like "MSys*";
However, I am struggling to find a way to gather a list of column names from
each table which
would allow me to read any data from the database......
None of the sql injection papers / tutorials seem to have much to say about
Access databases...
Anybody got any ideas?
Thanks in advance...
ramatkal@hotmail.com
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
