
| Subject: | Re: sql injection for MS Access |
|---|---|
| Date: | Tue, 30 Aug 2005 14:06:18 +0200 |
That is true, but it can be accessible, depending on the way the
application is coded. Take a look at the following C# code...

```csharp
DataSet ds = new DataSet();   // declared here so the snippet is complete
OleDbConnection conn = new OleDbConnection(strConn);
conn.Open();
// Direct query against the Access system table
OleDbDataAdapter odbda = new OleDbDataAdapter("select * from msysobjects", conn);
odbda.Fill(ds, "prueba");
```

```csharp
/*You cannot access this way (bad news, it is the normal way) BUT you
can get the information using this code.*/
OleDbConnection conn = new OleDbConnection(strConn);
conn.Open();
// Schema rowset requested through the OLE DB provider instead of a SELECT
DataTable dtTablas = conn.GetOleDbSchemaTable(OleDbSchemaGuid.Tables, null);
```

NOTE: Nobody uses the second way, as it is only used to get
info about the tables.
2005/8/30, Ofer Maor <ofer.hacktics@gmail.com>:

Hi Robin,

SQL Injection with Access is similar in many ways to SQL Injection with MS SQL (Microsoft after all... ;)), but it has some very important issues that need to be noted:

1. Instead of SYSOBJECTS and SYSCOLUMNS, Access uses tables called MSYSOBJECTS and MSYSCOLUMNS
2. By default, the Access MSYSOBJECTS/MSYSCOLUMNS are not accessible to the application level user accessing the database, making database structure queries impossible. Note that while it IS possible for the creator of the database to make these tables readable, you would normally not find them accessible, making the injection significantly harder.
3. When injecting to Access, you will not be able to chain several commands together using a semicolon like possible with MS SQL

All in all - these things make Access injection significantly harder to exploit than SQL Server. If you have detailed error messages, you should do fine identifying the names of tables and columns by generating a hefty amount of errors (Access is quite descriptive) using HAVING and GROUP BY statements. However, if you are working blindfoldedly, then it may be very hard to do anything, unless you can guess names of tables and columns.

Sincerely,

---
Ofer Maor
CTO
Hacktics Ltd.
Mobile: +972-54-6545406
Office: +972-9-9565840
Fax: +972-9-9500047
Web: www.hacktics.com

-----Original Message-----
From: Mailing List [mailto:maillist@freedomsoftware.co.uk]
Sent: Tuesday, August 30, 2005 12:08 AM
To: webappsec@securityfocus.com
Subject: sql injection for MS Access

Can anyone recommend any docs on SQL injection specifically against MS Access? There are loads of docs on sql injection techniques against SQL Server and ones on the technique in general but nothing much out there on actually attacking Access.

Ta
Robin
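The thread turns on two things a defender can check in an Access-backed application: whether the application's connection can read MSysObjects, and whether detailed provider errors reach the client. The following C# sketch is an added example, not code from any poster in this thread; the `customers` table, its `customer_id` and `customer_name` columns, and the connection string passed on the command line are assumptions.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

static class AccessHardeningCheck
{
    // True if the account behind this connection can SELECT from the Access
    // system catalog. Any provider error is treated as "not readable".
    static bool CanReadSystemCatalog(OleDbConnection conn)
    {
        try
        {
            using (var cmd = new OleDbCommand("SELECT COUNT(*) FROM MSysObjects", conn))
            {
                cmd.ExecuteScalar();
                return true;
            }
        }
        catch (OleDbException) { return false; }
    }

    // Parameterized lookup (hypothetical table). OLE DB binds '?' markers by
    // position, so the input travels as data and never becomes SQL text.
    static DataTable FindCustomer(OleDbConnection conn, string name)
    {
        var result = new DataTable();
        const string sql = "SELECT customer_id, customer_name FROM customers WHERE customer_name = ?";
        try
        {
            using (var cmd = new OleDbCommand(sql, conn))
            {
                cmd.Parameters.Add("customer_name", OleDbType.VarWChar, 100).Value = name;
                using (var da = new OleDbDataAdapter(cmd)) da.Fill(result);
            }
        }
        catch (OleDbException ex)
        {
            // The descriptive provider message stays in the server-side log only.
            Console.Error.WriteLine("query failed: " + ex.Message);
            throw new ApplicationException("The request could not be processed.");
        }
        return result;
    }

    static void Main(string[] args)
    {
        using (var conn = new OleDbConnection(args[0])) // connection string from the operator
        {
            conn.Open();
            Console.WriteLine("MSysObjects readable: " + CanReadSystemCatalog(conn));
            Console.WriteLine("rows: " + FindCustomer(conn, "O'Brien").Rows.Count);
        }
    }
}
```

A result of `MSysObjects readable: True` means read permission on the system tables has been granted to the application account and should be revoked.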