简体繁体 English

MSAccess SQL注入

[英]MSAccess SQL Injection

原文 2011-01-13 12:21:18 1 1 sql/ ms-access/ sql-injection

Situation: 情况：

I'm doing some penetration testing for a friend of mine and have total clearance to go postal on a demo environment. 我正在为我的一个朋友进行渗透测试，并且具有在演示环境中进行邮寄的全部权限。 Reason for this is because I saw a XSS-hole in his online ASP-application (error page with error as param allowing html). 原因是因为我在他的在线ASP应用程序中看到一个XSS漏洞（错误页面，错误为param允许html）。

He has a Access DB and because of his lack of input-validation I came upon another hole: he allows sql injection in a where-clause. 他有一个Access DB，由于缺乏输入验证，我遇到了另一个麻烦：他允许在子句中进行sql注入。

I tried some stuff from: http://www.krazl.com/blog/?p=3 我从以下网站尝试了一些东西： http : //www.krazl.com/blog/? p =3

But this gave limited result: MSysRelationships is open, but his Objects table is shielded. 但这给了有限的结果：MSysRelationships是打开的，但是他的Objects表被屏蔽了。 ' UNION SELECT 1,1,1,1,1,1,1,1,1,1 FROM MSysRelationships WHERE '1' = '1 <-- worked so I know the parent table has at least 9 columns. 'UNION SELECT 1,1,1,1,1,1,1,1,1,1,1从MSysRelationships那里'1'='1 <-起作用，所以我知道父表至少有9列。 I don't know how I can exploit the relation table to get tablenames ( I can't find any structures explanation so I don't know on what to select. 我不知道如何利用关系表来获取表名（我找不到任何结构说明，所以我不知道该选择什么。

Tried brute-forceing some tablenames, but to no avail. 尝试强行使用某些表名，但无济于事。

I do not want to trash his DB, but I do want to point out the serious flaw with some backing. 我不想破坏他的数据库，但是我想指出一些支持的严重缺陷。

Anyone has Ideas? 有人有主意吗？

1 个解决方案

Usually there are two ways to proceed from here. 通常有两种方法可以从这里开始。 You could try to guess table names by the type of data which is stored in them which often works ("users" usually stores the user data ...). 您可以尝试通过经常使用的数据类型猜测表名（“用户”通常存储用户数据...）。 The other method would be to generate speaking error messages in the application to see if you can fetch table or column names from there. 另一种方法是在应用程序中生成语音错误消息，以查看是否可以从中获取表名或列名。