RE: sql injection for MS Access

Subject: RE: sql injection for MS Access
Date: Tue, 30 Aug 2005 09:32:47 -0600
There are some unique things to play around with when doing SQL injection using 
MS Access. First of all, any field in an Access SELECT statement can be a 
built-in or custom function or an entire embedded SELECT statement. So you can 
SELECT from a collection of SELECT statements. Access also has some inner and 
outer join capabilities that can make things interesting. 

At one time, long before SQL injection was well known, you could access the 
Shell function through a SQL statement. This is basically what RFP did on the 
MSADC exploit. However, Microsoft has since added the SandboxMode restriction that 
blocks most of the interesting functions (see 
http://support.microsoft.com/kb/294698). By default this setting is not at its 
most secure, but it is secure enough to limit serious exposure.

Although you cannot chain SQL statements in Access, you can use a UNION to 
append multiple queries as long as the field data types match.

In many ways, Access SQL can be more flexible than other SQL dialects, but you 
need to understand it well to be able to exploit its quirks.

Mark Burnett








On Tue, 30 Aug 2005 15:06:56 +0100, Mailing List wrote:
Hi
You have confirmed what I thought, that it is harder in Access than SQL
Server.

Are there any features which could allow command execution or other,
remote to Access, type things such as directory listings or file
creation?

It seems ironic that if you go for the cheaper option of Access over SQL
Server you are better protected.

Robin

On Tue, 2005-08-30 at 09:39 +0200, Ofer Maor wrote:
Hi Robin,

SQL Injection with Access is similar in many ways to SQL Injection with MS
SQL (Microsoft after all... ;)), but it has some very important issues that
need to be noted:

1. Instead of SYSOBJECTS and SYSCOLUMNS, Access uses tables called
MSYSOBJECTS and MSYSCOLUMNS
2. By default, the Access MSYSOBJECTS/MSYSCOLUMNS are not accessible to the
application level user accessing the database, making database structure
queries impossible. Note that while it IS possible for the creator of the
database to make these tables readable, you would normally not find them
accessible, making the injection significantly harder.
3. When injecting to Access, you will not be able to chain several commands
together using a semicolon as is possible with MS SQL

All in all - these things make Access injection significantly harder to
exploit than SQL Server. If you have detailed error messages, you should do
fine identifying the names of tables and columns by generating a hefty
amount of errors (Access is quite descriptive) using HAVING and GROUP BY
statements. However, if you are working blindfolded, then it may be very
hard to do anything, unless you can guess names of tables and columns.

Sincerely,


---
Ofer Maor
CTO
Hacktics Ltd.
Mobile: +972-54-6545406
Office: +972-9-9565840
Fax: +972-9-9500047
Web: www.hacktics.com


-----Original Message-----
From: Mailing List [mailto:maillist@freedomsoftware.co.uk]
Sent: Tuesday, August 30, 2005 12:08 AM
To: webappsec@securityfocus.com
Subject: sql injection for MS Access


Can anyone recommend any docs on SQL injection specifically against MS
Access?

There are loads of docs on sql injection techniques against SQL Server and
ones on the technique in general but nothing much out there on actually
attacking Access.

Ta

Robin
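
A detection-side view of the markers this thread names (Access system tables, UNION-appended queries, HAVING / GROUP BY error probing, the Shell function), added here as an example and not written by any of the posters. The log format, rule names and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Markers named in the thread. Rule names are hypothetical labels.
# "having-groupby-probe" is deliberately broad and will need tuning on
# sites whose legitimate queries contain those words.
RULES = {
    "access-system-table": re.compile(r"\bMSys[A-Za-z]+\b", re.I),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "having-groupby-probe": re.compile(r"\b(having|group\s+by)\b", re.I),
    "shell-function": re.compile(r"\bshell\s*\(", re.I),
}

def decode(value, rounds=2):
    """URL-decode up to `rounds` times so double-encoded input is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return the sorted rule names matching the query string of one log line."""
    match = re.search(r'"(?:GET|POST) \S*?\?(\S*) HTTP', line)
    if not match:
        return []
    query = decode(match.group(1))
    return sorted(name for name, rx in RULES.items() if rx.search(query))

def scan(lines):
    """Map 1-based line numbers to matched rules, skipping clean lines."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := scan_line(line))}

# Constructed sample access-log lines (not taken from the thread).
SAMPLE = [
    '10.0.0.5 - - [30/Aug/2005:09:00:01] "GET /item.asp?id=12 HTTP/1.1" 200',
    '10.0.0.9 - - [30/Aug/2005:09:00:07] "GET /item.asp?id=12+UNION+SELECT+Name+FROM+MSysObjects HTTP/1.1" 500',
    '10.0.0.9 - - [30/Aug/2005:09:00:09] "GET /item.asp?id=12%2520HAVING%2520x HTTP/1.1" 500',
    '10.0.0.7 - - [30/Aug/2005:09:00:12] "GET /search.asp?q=shell+scripts HTTP/1.1" 200',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE).items():
        print(n, hits)
```

A burst of 500 responses on lines that match these rules is worth correlating, since the thread notes that Access error messages are descriptive enough to reveal table and column names.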

