Re: sql injection with MS Access

From: Sverre H. Huseby (shh@thathost.com)
Date: 11/28/01


Date: Wed, 28 Nov 2001 23:59:07 +0100
From: "Sverre H. Huseby" <shh@thathost.com>
To: helmut schmidt <helmutsch69@hotmail.com>
Subject: Re: sql injection with MS Access
Message-ID: <20011128235907.H22284@thathost.com>


[helmut schmidt]

| In MSSQL I will terminate with -- but this does not work in MS
| Access. Can someone confirm that SQL injection is feasible with MS
| Access database and what is the correct comment character to use.

I have no idea about the comment character(s) (if any) in Access, but
I just want to point out that you can accomplish several things
without commenting out parts of the SQL. Example (using boolean
operator priority rules) follows:

Let's say the program contains the following SQL to do login of users
(untested):

  "SELECT * FROM user WHERE name='" & name & "' AND pwd='" & pwd & "'"

If you know there is a user "john" on the system, you could normally
log in without a password using the following (no password):

  name: john' --
  pwd:

If you don't know the comment character(s), you can abuse the fact
that boolean operators have priority rules that say that AND should be
performed before OR. Try the following (no password again):

  name: john' OR 'a'='a
  pwd:

The following would be sent to the database:

  SELECT * FROM user WHERE name='john' OR 'a'='a' AND pwd=''
                                 ---------------

Now the database would perform the AND part first. This part fails no
matter what expression you insert, as the password does not match.
That doesn't matter, as the only requirement for an OR to succeed is
that at least one of the operands evaluates to TRUE. The name part
will be true for an existing user, and you have thus gained access
without a password and without comment character(s).

Sverre.

-- 
shh@thathost.com			Play my free Nerd Quiz at
http://shh.thathost.com/		http://nerdquiz.thathost.com/
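
Added example, not part of the original post: the login query from the message built by concatenation, next to a parameterized form, both run against the post's name input. Python's sqlite3 stands in for Access here, and the sample row, password and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite is an assumption standing in for Access.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (name TEXT, pwd TEXT)")
    db.execute("INSERT INTO user VALUES ('john', 's3cret')")
    return db

def login_concat(db, name, pwd):
    # Same construction as the query in the post: input is pasted into the SQL text.
    sql = "SELECT * FROM user WHERE name='" + name + "' AND pwd='" + pwd + "'"
    return db.execute(sql).fetchone() is not None

def login_param(db, name, pwd):
    # Placeholders: name and pwd reach the engine as values, never as SQL text,
    # so a quote in the input cannot close the string literal.
    sql = "SELECT * FROM user WHERE name=? AND pwd=?"
    return db.execute(sql, (name, pwd)).fetchone() is not None

def where_matches(db, where):
    # Count rows matching a literal WHERE clause, to show how it is grouped.
    return db.execute("SELECT count(*) FROM user WHERE " + where).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    crafted = "john' OR 'a'='a"   # the name value from the post, empty password
    print("concatenated:", login_concat(db, crafted, ""))
    print("parameterized:", login_param(db, crafted, ""))
    # AND binds tighter than OR, so the clause reads name='john' OR (... AND ...).
    print("as sent:", where_matches(db, "name='john' OR 'a'='a' AND pwd=''"))
    print("if OR bound first:", where_matches(db, "(name='john' OR 'a'='a') AND pwd=''"))
```

The same separation of query text and values is available to ASP/ADO code through parameterized commands, which is the fix on the application side regardless of comment syntax.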
