Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: sql injection for MS Access

from [Mailing List] Network Security [Permanent Link]
Subject: RE: sql injection for MS Access
Date: Tue, 30 Aug 2005 15:06:56 +0100 
Hi
You have confirmed what I thought, that it is harder in Access than Sql
Server.

Are there any features which could allow command execution or other,
remote to Access, type things such as directory listings or file
creation.

It seems ironic that if you go for the cheaper option of Access over Sql
Server you are better protected.

Robin

On Tue, 2005-08-30 at 09:39 +0200, Ofer Maor wrote:

Hi Robin,

SQL Injection with Access is similar in many ways to SQL Injection with MS
SQL (Microsoft after all... ;)), but it has some very important issues that
need to be noted:

1. Instead of SYSOBJECTS and SYSCOLUMS, Access uses tables called
MSYSOBJECTS and MSYSCOLUMNS
2. By default, the Access MSYSOBJECTS/MSYSCOLUMNS are not accessible to the
appilcation level user accessing the database, making database structure
queries impossible. Note that while it IS possible for the creator of the
database to make these tables readable, you would normally not find them
accessible, making the injection significanly harder.
3. When injecting to Access, you will not be able to chain several commands
together using a semicolon like possible with MS SQL

All in all - these things make Access injection significanly harder to
exploit than SQL Server. If you have detailed error messages, you should do
fine identifying the names of tables and columns by generating a hefty
amount of errors (access is quite descriptive) using HAVING and GROUP BY
statements. However, if you are working blindfoldedly, then it may be very
hard to do anything, unless you can guess names of tables and columns.

Sincerely,

 
---
Ofer Maor
CTO
Hacktics Ltd.
Mobile: +972-54-6545406
Office: +972-9-9565840
Fax: +972-9-9500047
Web: www.hacktics.com
 


-----Original Message-----
From: Mailing List [mailto:maillist@freedomsoftware.co.uk] 
Sent: Tuesday, August 30, 2005 12:08 AM
To: webappsec@securityfocus.com
Subject: sql injection for MS Access


Can anyone recommend any docs on SQL injection specifically against MS
Access?

There are loads of docs on sql injection techniques against SQL Server and
ones on the technique in general but nothing much out there on actually
attacking Access.

Ta

Robin
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: sql injection for MS Access, Ofer Maor
Next by Date:  Re: sql injection for MS Access, ray bradbury fan
Previous by Thread:  RE: sql injection for MS Access, Ofer Maor
Next by Thread:  RE: sql injection for MS Access, Mark Burnett
Indexes:  [Date] [Thread] [Top] [All Lists]