
MSAccess SQL Injection

Situation:

I'm doing some penetration testing for a friend of mine and have total clearance to go postal on a demo environment. The reason for this is that I saw an XSS hole in his online ASP application (error page with the error as a param, allowing HTML).

He has an Access DB and, because of his lack of input validation, I came upon another hole: he allows SQL injection in a WHERE clause.

I tried some stuff from: http://www.krazl.com/blog/?p=3

But this gave limited results: MSysRelationships is open, but his Objects table is shielded. ' UNION SELECT 1,1,1,1,1,1,1,1,1,1 FROM MSysRelationships WHERE '1' = '1 <-- worked, so I know the parent table has at least 9 columns. I don't know how I can exploit the relation table to get table names (I can't find any structure explanation, so I don't know what to select on).

Tried brute-forcing some table names, but to no avail.

I do not want to trash his DB, but I do want to point out the serious flaw with some backing.

Does anyone have ideas?


Usually there are two ways to proceed from here. You could try to guess table names by the type of data which is stored in them, which often works ("users" usually stores the user data ...). The other method would be to generate speaking error messages in the application to see if you can fetch table or column names from there.
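
For whoever runs the application, the probing described in this thread is visible in the web server log. The following is an added example, not part of the original question or answer: it flags requests whose decoded parameters name Access system tables (`MSys*`), carry `UNION SELECT`, or balance quotes the way the payload in the question does, and counts how many of those ended in HTTP 500. The log layout, field order, IP addresses and page names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample lines in a simplified W3C-style layout (assumed field order):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2024-05-01 10:00:01 198.51.100.7 GET /products.asp cat=books 200
2024-05-01 10:00:09 203.0.113.9 GET /products.asp cat=x'+UNION+SELECT+1,1,1+FROM+MSysRelationships+WHERE+'1'%3D'1 200
2024-05-01 10:00:15 203.0.113.9 GET /products.asp cat=x'+UNION+SELECT+1,1+FROM+MSysObjects+WHERE+'1'%3D'1 500
2024-05-01 10:00:21 203.0.113.9 GET /products.asp cat=x'+UNION+SELECT+1+FROM+users+WHERE+'1'%3D'1 500
2024-05-01 10:01:02 198.51.100.7 GET /search.asp q=union+square+hotels 200
"""

# Each rule runs on URL-decoded parameter values, never on the raw query string.
RULES = {
    "access_system_table": re.compile(r"\bMSys[A-Za-z]+\b", re.I),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "quote_balancing": re.compile(r"'\s*\w*\s*'\s*=\s*'"),  # e.g. '1' = '1
}

def classify(query):
    """Return the names of the rules matched by any decoded parameter value."""
    hits = set()
    for _name, value in parse_qsl(query, keep_blank_values=True):
        hits.update(rule for rule, rx in RULES.items() if rx.search(value))
    return hits

def summarize(log_text):
    """Per client: matched rules, flagged requests, and flagged requests with HTTP 500."""
    report = defaultdict(lambda: {"rules": set(), "flagged": 0, "errors": 0})
    for line in log_text.splitlines():
        _date, _time, ip, _method, _stem, query, status = line.split()
        hits = classify(query)
        if hits:
            entry = report[ip]
            entry["rules"] |= hits
            entry["flagged"] += 1
            entry["errors"] += status == "500"  # failed guesses surface as server errors
    return dict(report)

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, sorted(entry["rules"]), entry["flagged"], entry["errors"])
```

A client with several flagged requests and a rising error count matches the guess-and-read-the-error pattern from the answer; the benign search for "union square hotels" is not flagged.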
