Re: sql injection with MS Access
From: Kevin Spett (kspett@spidynamics.com)Date: 11/29/01
- Previous message: helmut schmidt: "sql injection with MS Access"
- In reply to: helmut schmidt: "sql injection with MS Access"
- Next in thread: Sverre H. Huseby: "Re: sql injection with MS Access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <001301c17877$9f130630$0901010a@spidata> From: "Kevin Spett" <kspett@spidynamics.com> To: "helmut schmidt" <helmutsch69@hotmail.com>, <pen-test@securityfocus.com> Subject: Re: sql injection with MS Access Date: Wed, 28 Nov 2001 17:46:09 -0800
> I am currently testing SQL injection with a web application and MS Access
> database. I have some difficulties as I do not knowing the comment
character
> for Access Database.
I'm afraid that you're out of luck. There is no magical -- character to
work with in MS Access like SQL Server. You'll have to get around the
syntax error the hard way. Try sending these strings as parameters to fish
out as much of the sql query as possible:
'
badvalue'
'badvalue
badvalue, badvalue
' OR
Also, here're the MS Access system tables, which you hopefully will have
priveleges to read:
MSysACEs
MSysObjects
MSysQueries
MSysRelationships
Good luck.
Kevin Spett
Resident SQL Injection Ninja
SPI Dynamics, Inc.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
- Previous message: helmut schmidt: "sql injection with MS Access"
- In reply to: helmut schmidt: "sql injection with MS Access"
- Next in thread: Sverre H. Huseby: "Re: sql injection with MS Access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
