IT Security and Insecurity Portal

Newbie for Access DB Injection

Posted: Fri Oct 31, 2008 7:50 pm
ichgehe
Regular user
Joined: Oct 31, 2008
Posts: 5

Hello everyone,
I am new here, right, but hey.... there is always a first time somewhere...
Short story: I found a website which has an injectable login.asp page...
Login Screen
Inputs: Email & Password
so... I tried a simple colon ' entered in the Email field and got the following:
Quote:
Microsoft OLE DB Provider for ODBC Drivers-Fehler '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntaxfehler in Zeichenfolge in Abfrageausdruck '(((Students.Email)='''));'.
/login.asp, Zeile 35
the same ' inserted into the Password field gave me NO error...
Then I continued with ' or '1'='1 in the Email field and test in the Password field: no error, but no successful login either... just the page again. What would you try as the next step?
Thanks guys...
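The driver error quoted in this post reveals the shape of the query behind login.asp: the submitted Email value is dropped straight into (((Students.Email)='...')), and the raw error text is sent back to the browser. As an added example that is not part of the original post or of the site being discussed, the block below shows that string-concatenation pattern beside its parameterized replacement. It assumes sqlite3 as a stand-in for the Access/Jet engine (the query shape is the same; only the engine differs) and uses a constructed Students table; the email addresses and passwords are invented sample data.

```python
import sqlite3

# Constructed sample data (assumption: sqlite3 stands in for the Access/Jet
# database that the thread's login.asp talks to; the query text is the same).
STUDENTS = [
    ("alice@example.test", "s3cret"),
    ("bob@example.test", "hunter2"),
]


def make_db():
    """Create an in-memory Students table with the two columns the thread names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (Email TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Students VALUES (?, ?)", STUDENTS)
    return conn


def login_concat(conn, email, password):
    """Vulnerable pattern: the WHERE clause is built by concatenating user input,
    which is what the '(((Students.Email)=''''))' error text on the page implies.
    Returns ("ok", email), ("denied", None) or ("error", driver message)."""
    sql = (
        "SELECT Students.Email FROM Students WHERE "
        "(((Students.Email)='" + email + "') AND "
        "((Students.Password)='" + password + "'))"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # A lone quote breaks the string literal: this is the analogue of the
        # "Syntaxfehler in Zeichenfolge" message the thread shows. Echoing it to
        # the client is what leaked the query structure.
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def login_param(conn, email, password):
    """Hardened pattern: same query, but Email and Password are bound parameters,
    so a quote, an OR clause or a UNION in the input is compared as data and
    never parsed as SQL. No driver error can be triggered by the input."""
    sql = (
        "SELECT Students.Email FROM Students WHERE "
        "(((Students.Email)=?) AND ((Students.Password)=?))"
    )
    row = conn.execute(sql, (email, password)).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


if __name__ == "__main__":
    db = make_db()
    for probe in ("'", "' or '1'='1", "alice@example.test"):
        print(repr(probe), "concat:", login_concat(db, probe, "test"),
              "param:", login_param(db, probe, "test"))
```

Run as-is, the concatenated version returns a driver error for the single quote and "denied" for the ' or '1'='1 probe with a wrong password (exactly the two observations in the post: an error in one case, "just the page again" in the other), while the parameterized version returns "denied" for both without any error. The second half of the fix is not shown in code: the page's login.asp also returns the raw ODBC message to the client, and that should be replaced by a generic failure page with the detail logged server-side only.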

Posted: Fri Oct 31, 2008 8:07 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

working...

Posted: Fri Oct 31, 2008 8:46 pm
ichgehe
Regular user
Joined: Oct 31, 2008
Posts: 5

thanks a lot for this hint... it points me in a new direction. I was really looking forward to this comment thing %00....
however when using union and %00 -
' UNION SELECT 1,1,1 FROM Students %00 I do not get any result... I fall back to the login.asp page where it says "Login Error"...
I was also looking for the cheatsheet from Daarth but it seems unavailable...
http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
I experimented a little bit further, but to be honest, I don't know how to use union to get more information... how can I display the "results"?

Posted: Fri Oct 31, 2008 8:56 pm
ichgehe
Regular user
Joined: Oct 31, 2008
Posts: 5

correction, when entering
' UNION SELECT 1,1,1 FROM validTableName%00
I get the following:
Quote:
[Microsoft][ODBC Microsoft Access Driver] Syntaxfehler (fehlender Operator) in Abfrageausdruck '(((Students.Email)='' UNION SELECT 1,1,1 FROM validTableName%00'));'.
Actually I don't understand it completely, because it seems that this is not the whole string of the statement, but only the WHERE part of it...

further success

Posted: Fri Oct 31, 2008 9:40 pm
ichgehe
Regular user
Joined: Oct 31, 2008
Posts: 5

actually I got a little bit further, but am still quite in the 'dark':
I think I found a solution which lets me use UNION:
First I found that I am able to look up how many fields the table Students has:
')) UNION SELECT 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 FROM Students
which gives me 15 rows...
then I tried something different to get the root directory:
')) UNION SELECT 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 FROM fake.Faketable
[Microsoft][ODBC Microsoft Access Driver] Datei 'C:\WINNT\system32\Some.mdb' nicht
but now I don't know how to continue... how do I get past the login screen or view some data? There is no possibility to hook to another file, because I don't know the file structure....
By the way, if I try something different than UNION I mostly get the "OPERATOR missing" error...
...maybe someone has some other ideas...

Posted: Fri Oct 31, 2008 11:08 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

So what's your mission here? You can fetch all the data from the Students table, right?
If you want to interact with other tables, then usually in MSAccess there is no direct way to enumerate existing tables. You can try to guess, bruteforce or just use other vulnerable scripts to reveal more database schema details ...
MSAccess usually does not offer any other goodies, like OS shell interaction or file write/read or something like that.

Posted: Sat Nov 01, 2008 7:32 am
ichgehe
Regular user
Joined: Oct 31, 2008
Posts: 5

I suppose that everything I need to know (passwords) is in the table Students, but how can I actually get an output of the data in the table? Is there a trick to display the message somehow or to extract data?

Posted: Sat Nov 01, 2008 2:12 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

You have two choices here:
1. try to find another sql injection vulnerability in same website, but this time with visual feedback
2. use blind sql injection methods
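The second option in this reply, blind injection, means the client sends many crafted login attempts and reads the answer from whether each one errors or not; from the defender's side that request pattern, not any single request, is the thing to detect. The following is an added example, not from the forum or the site under discussion. It assumes an application or WAF log that records the submitted Email value and the response status per login attempt (plain IIS logs do not capture POST bodies, so the line format here is constructed), scans those lines for the indicators visible in this thread (a stray quote, UNION SELECT, a %00 null byte, comment sequences), and reports clients that trip them repeatedly along with how many driver errors (HTTP 500) they triggered.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumption: the application logs the submitted
# Email field and the response status; the IPs and timestamps are invented).
LOG_LINES = [
    '2008-10-31 19:50:12 10.0.0.5 POST /login.asp email="alice@example.test" status=200',
    '2008-10-31 19:50:41 203.0.113.7 POST /login.asp email="\'" status=500',
    '2008-10-31 19:52:03 203.0.113.7 POST /login.asp email="\' or \'1\'=\'1" status=200',
    '2008-10-31 20:46:10 203.0.113.7 POST /login.asp email="\' UNION SELECT 1,1,1 FROM Students %00" status=500',
    '2008-10-31 21:40:55 203.0.113.7 POST /login.asp email="\')) UNION SELECT 1,1,1,1,1 FROM Students" status=200',
    '2008-10-31 21:41:00 10.0.0.9 POST /login.asp email="bob@example.test" status=200',
]

# One regex for the constructed line format above.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<ip>\S+) POST /login\.asp email="(?P<email>.*)" status=(?P<status>\d+)$'
)

# Indicators taken from the probes shown in this thread. Order matters only for
# the order of names reported per request.
INDICATORS = [
    ("quote", re.compile(r"'")),
    ("union", re.compile(r"\bunion\b\s+\bselect\b", re.I)),
    ("nullbyte", re.compile(r"%00|\x00")),
    ("comment", re.compile(r"--|/\*")),
]


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def indicators_for(email):
    """Names of the indicators present in a submitted Email value."""
    return [name for name, rx in INDICATORS if rx.search(email)]


def analyze(lines, threshold=2):
    """Aggregate per client IP and return only clients with at least `threshold`
    suspicious login attempts. Each entry records the count of suspicious
    requests, the count of 5xx responses (driver errors leaking to the client)
    and the set of indicator names seen."""
    per_ip = defaultdict(lambda: {"suspicious": 0, "errors": 0, "indicators": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = indicators_for(rec["email"])
        stats = per_ip[rec["ip"]]
        if hits:
            stats["suspicious"] += 1
            stats["indicators"].update(hits)
        if rec["status"] >= 500:
            stats["errors"] += 1
    return {ip: s for ip, s in per_ip.items() if s["suspicious"] >= threshold}


if __name__ == "__main__":
    for ip, stats in analyze(LOG_LINES).items():
        print(ip, "suspicious:", stats["suspicious"], "errors:", stats["errors"],
              "indicators:", sorted(stats["indicators"]))
```

The threshold is deliberately a count per client rather than a single-request rule: a lone apostrophe in an email field is a common typo, but a client that keeps producing quotes, UNION SELECT and null bytes while also triggering 500 responses is the blind-injection pattern worth alerting on. The 500 count is also a useful hygiene signal on its own, since a login form that returns driver errors at all is exposing its query text.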

Posted: Sun Nov 02, 2008 6:49 pm
_mranderson_
Valuable expert
Joined: Oct 30, 2008
Posts: 51

waraxe wrote:
So what's your mission here? You can fetch all the data from the Students table, right?
If you want to interact with other tables, then usually in MSAccess there is no direct way to enumerate existing tables. You can try to guess, bruteforce or just use other vulnerable scripts to reveal more database schema details ...
MSAccess usually does not offer any other goodies, like OS shell interaction or file write/read or something like that.
it could always be MS Jet Database, search Google for Jet Database SQL injection
Powered by phpBB © 2001-2008 phpBB Group