Re: sql injection with MS Access

From: Kevin Spett (kspettat_private)
Date: Wed Nov 28 2001 - 17:46:09 PST


    > I am currently testing SQL injection with a web application and MS Access
    > database. I have some difficulties as I do not know the comment character
    > for Access Database.
    
    I'm afraid that you're out of luck.  There is no magical -- character to
    work with in MS Access like SQL Server.  You'll have to get around the
    syntax error the hard way.  Try sending these strings as parameters to fish
    out as much of the SQL query as possible:
    
    '
    badvalue'
    'badvalue
    badvalue, badvalue
    ' OR
    
    Also, here're the MS Access system tables, which you hopefully will have
    privileges to read:
    MSysACEs
    MSysObjects
    MSysQueries
    MSysRelationships
    
    
    Good luck.
    
    Kevin Spett
    Resident SQL Injection Ninja
    SPI Dynamics, Inc.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 15:25:38 PST
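
Added example, not part of the original message: a regression check that runs the strings listed in the post through a concatenated query and through a bound-parameter query, showing that only the concatenated form produces the engine errors that expose query structure. The `products` table and function names are hypothetical, and Python's `sqlite3` stands in for the Access engine, whose error text and comment handling differ.

```python
import sqlite3

# Strings quoted in the post above, used here as test inputs.
PROBES = ["'", "badvalue'", "'badvalue", "badvalue, badvalue", "' OR"]


def make_db():
    # Constructed sample table; sqlite3 is a stand-in for the Access engine.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget")])
    return db


def lookup_concat(db, name):
    # Vulnerable pattern: user input is spliced into the SQL text.
    sql = "SELECT id FROM products WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_bound(db, name):
    # Hardened pattern: input travels as a bound parameter, never as SQL text.
    return db.execute("SELECT id FROM products WHERE name = ?",
                      (name,)).fetchall()


def classify(fn, db, value):
    """Return 'error' if the engine rejects the statement, else 'rows:N'."""
    try:
        return "rows:%d" % len(fn(db, value))
    except sqlite3.Error:
        return "error"


def audit(fn):
    """Map each test string to the outcome of running it through fn."""
    db = make_db()
    return {p: classify(fn, db, p) for p in PROBES}


if __name__ == "__main__":
    for label, fn in (("concatenated", lookup_concat), ("bound", lookup_bound)):
        print(label)
        for probe, outcome in audit(fn).items():
            print("  %-22r %s" % (probe, outcome))
```

Any `error` outcome in the audit marks a code path where user input reaches the SQL parser; the bound version treats every string as a literal value and returns no rows.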