WebApp Sec mailing list archives
Re: sql injection for MS Access
From: ray bradbury fan <ray.bradbury9 () gmail com>
Date: Tue, 30 Aug 2005 14:06:18 +0200
That is true, but it can be accessible, depending on the way the aplication is coded. Take a look at the following C# code... OleDbConnection conn = new OleDbConnection(strConn); conn.Open(); OleDbDataAdapter odbda = new OleDbDataAdapter("select * from msysobjects", conn); odbda.Fill(ds,"prueba"); /*You cannot access this way (bad news, it is the normal way) BUT you can get the information using this code.*/ OleDbConnection conn = new OleDbConnection(strConn); conn.Open(); DataTable dtTablas = conn.GetOleDbSchemaTable(OleDbSchemaGuid.Tables,null); NOTE: Nobody uses the second way, as far as it is only used to get info about the tables. 2005/8/30, Ofer Maor <ofer.hacktics () gmail com>:
Hi Robin, SQL Injection with Access is similar in many ways to SQL Injection with MS SQL (Microsoft after all... ;)), but it has some very important issues that need to be noted: 1. Instead of SYSOBJECTS and SYSCOLUMS, Access uses tables called MSYSOBJECTS and MSYSCOLUMNS 2. By default, the Access MSYSOBJECTS/MSYSCOLUMNS are not accessible to the appilcation level user accessing the database, making database structure queries impossible. Note that while it IS possible for the creator of the database to make these tables readable, you would normally not find them accessible, making the injection significanly harder. 3. When injecting to Access, you will not be able to chain several commands together using a semicolon like possible with MS SQL All in all - these things make Access injection significanly harder to exploit than SQL Server. If you have detailed error messages, you should do fine identifying the names of tables and columns by generating a hefty amount of errors (access is quite descriptive) using HAVING and GROUP BY statements. However, if you are working blindfoldedly, then it may be very hard to do anything, unless you can guess names of tables and columns. Sincerely, --- Ofer Maor CTO Hacktics Ltd. Mobile: +972-54-6545406 Office: +972-9-9565840 Fax: +972-9-9500047 Web: www.hacktics.com -----Original Message----- From: Mailing List [mailto:maillist () freedomsoftware co uk] Sent: Tuesday, August 30, 2005 12:08 AM To: webappsec () securityfocus com Subject: sql injection for MS Access Can anyone recommend any docs on SQL injection specifically against MS Access? There are loads of docs on sql injection techniques against SQL Server and ones on the technique in general but nothing much out there on actually attacking Access. Ta Robin
Current thread:
- sql injection for MS Access Mailing List (Aug 29)
- RE: sql injection for MS Access Mutallip ABLIMIT (Aug 29)
- RE: sql injection for MS Access Ofer Maor (Aug 30)
- RE: sql injection for MS Access Mailing List (Aug 30)
- RE: sql injection for MS Access Mark Burnett (Aug 30)
- Re: sql injection for MS Access ray bradbury fan (Aug 30)
- RE: sql injection for MS Access Mailing List (Aug 30)