From: LAROUCHE Francois (Francois.Larouche@accorservices.com)
Date: Thu Sep 29 2005 - 11:22:56 EDT
Hi Cedric,
By default MS ACCESS will block access to 'MSysObjects'. The DBO will have to give those rights. Funny thing is that MS ACCESS in a weird way is more a pain to SQL inject than SQL Server and Oracle.
So the only thing as far as I know that you can do is to guess the user table name. All is not lost, because if the developer is the same than the one that designed the database there are fair chances that he will be coherent in the way he names his web page with the entities in the DB. For example, I found many times that ModifyUsers.asp will be Users table, ModifyProfile will be Profile table and so on. Look in the web page source code also.
Since you're French, try to see if the names aren't in french, like Utilisateur, Usager, administrateur with or without an s. Or tbUsers, tblUsers. Lastly, if the site web's name is, I don't know... Acme, well you can try Acme_user, acme_login, etc...
Good luck!
François Larouche
-----Original Message-----
From: Velasco Herrero, Jose Antonio [mailto:joseantonio.velasco@t-systems.es]
Sent: Tuesday, September 27, 2005 5:36 PM
To: Cedric Foll; pen-test@securityfocus.com
Subject: RE: MS SQL, find list of tables
Did you try something like this?
<somethin.asp?page= 'UNION ALL SELECT name FROM sysobjects WHERE xtype='U
AFAIK MSysObjects is not an MS SQL Server table but an Access one.
I hope this helps
Jose
> -----Mensaje original-----
> De: Cedric Foll [mailto:cedric.foll@ac-rouen.fr]
> Enviado el: lunes, 26 de septiembre de 2005 16:01
> Para: pen-test@securityfocus.com
> Asunto: MS SQL, find list of tables
>
> Hi,
>
> I'm doing a pen test on a IIS/MS SQL box and find a SQL Injection on it
> which permit to execute some SQL command on it.
>
> In fact I have a "select" where I can inject an "UNION something".
> I'd like to use that in order to get login/passwd in the database.
>
> I can do:
> <somethin.asp?page=contact' UNION SELECT * FROM users WHERE '1'='1>
> But the table users doesn't exist and I failed to guess an existing
> table name :(.
>
> I've tried:
> <something.asp?page=contact' UNION SELECT * FROM MSysObjects'>
> but I get
> ----
> Microsoft OLE DB Provider for ODBC Drivers error '80040e09'
>
> [Microsoft][ODBC Microsoft Access Driver] Record(s) cannot be read; no
> read permission on 'MSysObjects'.
> ----
>
> Someone has an idea ????
>
> Regards
>
> --
> Cedric Foll
> Ingénieur Sécurité & Réseaux
> Division Informatique, Rectorat de Rouen
>
> "More people are killed every year by pigs than by sharks,
> which shows you how good we are at evaluating risk."
> Bruce Schneier
>
> --------------------------------------------------------------------------
> ----
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> are
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------------------
> -----
--------------------------------------------------------------------------------
INFORMACION IMPORTANTE - IMPORTANT NEWS
--------------------------------------------------------------------------------
A partir del 12 de septiembre de 2005, nuestras oficinas de Avda. Llano Castellano y Capitán Haya en Madrid, se trasladan a:
As from September 12, 2005, our offices in: Avda. Llano Castellano and Capitán Haya (Madrid) are moving to a new address:
------ Calle Orduña, 2 - 28034 Madrid ------
Nuestros números de teléfono y de fax así como nuestras direcciones de correo electrónico permanecen sin cambios.
Our telephone and fax numbers as well as our e-mail addresses remain the same.
----------------------------------------
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
This e-mail may contain confidential or privileged information. Any unauthorised
copying, use or distribution of this information is strictly prohibited. If you are not the
intended recipient, please notify the sender and destroy this e-mail together with all of
its content.
--------------------------------------------------------------------------------
Este mensaje electrónico puede contener información confidencial o privilegiada, por lo
que está completamente prohibida la copia, el uso o la distribución no autorizada de
dicha información. Si usted no es el destinatario del mensaje, le rogamos que lo
notifique al remitente y que lo destruya junto con todo su contenido.
--------------------------------------------------------------------------------
Aquest missatge electrònic pot contenir informació confidencial o privilegiada i està
completament prohibida qualsevol còpia, ús o distribució no autoritzada d'aquesta
informació. Si vostè no és el seu destinatari, si us plau notifiqui-ho al remitent i
destrueixi el missatge amb tot el seu contingut.
--------------------------------------------------------------------------------
Mezu elektroniko honek informazio konfidentziala edo pribilegiatua eduki dezake.
Erabat debekaturik dago informazio hori baimenik gabe kopiatu, erabili edo banatzea.
Mezu hau ez bada zuri zuzendua, arren, igortzaileari jakinarazi eta bere edukiarekin
batera ezaba ezazu.
--------------------------------------------------------------------------------
Esta mensaxe electrónica pode conter información confidencial ou privilexiada e está
completamente prohibida calquera copia, uso ou distribución non autorizado desta
información. Se vostede non é o seu destinatario, faga o favor de llo notificar ao
remitente e destrúa a mensaxe e todo o seu contido.
--------------------------------------------------------------------------------
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
______________________________________________________________________________________________________________________________
This email, the information contained within and any files transmitted with it (herein after referred as "the message")
are confidential. It is intended solely for the addressees and access to this message by any other person is not permitted.
If you are not the named addressee, please send it back immediately to the sender and delete it. Unauthorized disclosure,
publication, use, dissemination, forwarding, printing or copying of this message, either in whole or in part, is strictly
prohibited.
Emails are susceptible to alteration and their integrity cannot be guaranteed. Our company shall not be liable for this
message if modified or falsified.
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:00 EDT