Re: sql injection for MS Access

[ray bradbury fan <ray.bradbury9 () gmail com>]

That is true, but it can be accessible, depending on the way the
aplication is coded. Take a look at the following C# code...

OleDbConnection conn = new OleDbConnection(strConn);
conn.Open();
OleDbDataAdapter odbda = new OleDbDataAdapter("select * from
msysobjects", conn);
odbda.Fill(ds,"prueba");

/*You cannot access this way (bad news, it is the normal way) BUT you
can get the information using this code.*/

OleDbConnection conn = new OleDbConnection(strConn);
conn.Open();
DataTable dtTablas = conn.GetOleDbSchemaTable(OleDbSchemaGuid.Tables,null);

NOTE: Nobody uses the second way, as far as it is only used to get
info about the tables.


2005/8/30, Ofer Maor <ofer.hacktics () gmail com>:
> Hi Robin,
>
> SQL Injection with Access is similar in many ways to SQL Injection with MS
> SQL (Microsoft after all... ;)), but it has some very important issues that
> need to be noted:
>
> 1. Instead of SYSOBJECTS and SYSCOLUMS, Access uses tables called
> MSYSOBJECTS and MSYSCOLUMNS
> 2. By default, the Access MSYSOBJECTS/MSYSCOLUMNS are not accessible to the
> appilcation level user accessing the database, making database structure
> queries impossible. Note that while it IS possible for the creator of the
> database to make these tables readable, you would normally not find them
> accessible, making the injection significanly harder.
> 3. When injecting to Access, you will not be able to chain several commands
> together using a semicolon like possible with MS SQL
>
> All in all - these things make Access injection significanly harder to
> exploit than SQL Server. If you have detailed error messages, you should do
> fine identifying the names of tables and columns by generating a hefty
> amount of errors (access is quite descriptive) using HAVING and GROUP BY
> statements. However, if you are working blindfoldedly, then it may be very
> hard to do anything, unless you can guess names of tables and columns.
>
> Sincerely,
>
>
> ---
> Ofer Maor
> CTO
> Hacktics Ltd.
> Mobile: +972-54-6545406
> Office: +972-9-9565840
> Fax: +972-9-9500047
> Web: www.hacktics.com
>
>
>
> -----Original Message-----
> From: Mailing List [mailto:maillist () freedomsoftware co uk]
> Sent: Tuesday, August 30, 2005 12:08 AM
> To: webappsec () securityfocus com
> Subject: sql injection for MS Access
>
>
> Can anyone recommend any docs on SQL injection specifically against MS
> Access?
>
> There are loads of docs on sql injection techniques against SQL Server and
> ones on the technique in general but nothing much out there on actually
> attacking Access.
>
> Ta
>
> Robin