Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 67
Members: 0
Total: 67
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> Newbie for Access DB Injection
Post new topicReply to topic View previous topic :: View next topic
Newbie for Access DB Injection
PostPosted: Fri Oct 31, 2008 7:50 pm Reply with quote
ichgehe
Regular user
Regular user
Joined: Oct 31, 2008
Posts: 5




Hello everyone,
I am new here, right, but hey.... it's always a first timer somewhere...

Short story: I found a website which has a injectable login.asp page...

Login Screen
Inputs: Email & Password

so... I tried a simple colon ' entered in the Email field and got the following:

Quote:
Microsoft OLE DB Provider for ODBC Drivers-Fehler '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntaxfehler in Zeichenfolge in Abfrageausdruck '(((Students.Email)='''));'.

/login.asp, Zeile 35


the same ' inserted into the Password field gave me NO error...

Then I continued with ' or '1'='1 entry into email and test into the password field: No error, but no successful login as well... just the page again. What would you try in the next step?

Thanks guys...
View user's profile Send private message
PostPosted: Fri Oct 31, 2008 8:07 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




MS Access Sql Injection Cheat Sheet:

http://www.krazl.com/blog/?p=3

You can use UNION and "%00" in order to get any accessible data from database.
View user's profile Send private message Send e-mail Visit poster's website
working...
PostPosted: Fri Oct 31, 2008 8:46 pm Reply with quote
ichgehe
Regular user
Regular user
Joined: Oct 31, 2008
Posts: 5




thanks a lot for this hint... it points me into a new direction. I was really looking forward for this comment thing %00....
however when using union and %00 -
‘ UNION SELECT 1,1,1 FROM Students %00 I do not get any result... I fall back to the login.asp page where it says "Login Error"...

I was also looking for the cheatsheet from Daarth but it seems unavailable...
http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html

I experimented a little bit further, but to be honest, I don't know how to use union to get more information... how can I display the "results"?
View user's profile Send private message
PostPosted: Fri Oct 31, 2008 8:56 pm Reply with quote
ichgehe
Regular user
Regular user
Joined: Oct 31, 2008
Posts: 5




correction, when entering
‘ UNION SELECT 1,1,1 FROM validTableName%00

I get following:
Quote:
[Microsoft][ODBC Microsoft Access Driver] Syntaxfehler (fehlender Operator) in Abfrageausdruck '(((Students.Email)='' UNION SELECT 1,1,1 FROM validTableName%00'));'.


Actually I don't understand it completely, because it seems that is not the whole string of the statement, but only the WHERE-part of it...
View user's profile Send private message
further success
PostPosted: Fri Oct 31, 2008 9:40 pm Reply with quote
ichgehe
Regular user
Regular user
Joined: Oct 31, 2008
Posts: 5




actually i got a little bit further, but still quite in the 'dark':

I think I found a solution which let's me use Union:
First I found that I am able to look how many fields the table students has:
\')) UNION SELECT 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 FROM Students

which gives me 15 rows...

then I tried something different to get the root directory:
\')) UNION SELECT 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 FROM fake.Faketable

[Microsoft][ODBC Microsoft Access Driver] Datei 'C:\WINNT\system32\Some.mdb' nicht

but now I don't know how to continue... how do I get past the login screen or can view some data? there is no possibility to hook to another file, because I don't know the file structure....

By the way, if I try something different than UNION i mostly get the "OPERATOR" missing error...

...maybe someone has some other ideas...
View user's profile Send private message
PostPosted: Fri Oct 31, 2008 11:08 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




So what's your mission here? You can fetch all the data from Students table, right?
If you want to interact with other tables, then usually in MSAccess there is no direct way to enumerate existing tables. You can try to guess, bruteforce or just use other vulnerable scripts to reveal more database schema details ...
MSAccess is usually not offering any other goodies, like OS shell interaction or file write/read or something like that.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sat Nov 01, 2008 7:32 am Reply with quote
ichgehe
Regular user
Regular user
Joined: Oct 31, 2008
Posts: 5




I suggest, that everything would be in the table Students I need to know (passwords), but actually how can I get an output what the data is in the table? Is there a trick to display the message somehow or to extract data?
View user's profile Send private message
PostPosted: Sat Nov 01, 2008 2:12 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




You have two choices here:

1. try to find another sql injection vulnerability in same website, but this time with visual feedback

2. use blind sql injection methods
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Nov 02, 2008 6:49 pm Reply with quote
_mranderson_
Valuable expert
Valuable expert
Joined: Oct 30, 2008
Posts: 51




waraxe wrote:
So what's your mission here? You can fetch all the data from Students table, right?
If you want to interact with other tables, then usually in MSAccess there is no direct way to enumerate existing tables. You can try to guess, bruteforce or just use other vulnerable scripts to reveal more database schema details ...
MSAccess is usually not offering any other goodies, like OS shell interaction or file write/read or something like that.


it could always be MS Jet Database, search google for Jet Database SQL injection
View user's profile Send private message
Newbie for Access DB Injection
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.060 Seconds