Re: [sqlmap-users] sqlmap's Access UNION tests can't be working
From: Bernardo D. A. G. <ber...@gm...> - 2011-07-07 00:01:46
Hi Marek,

On 5 July 2011 22:33, Stiefenhofer, Marek <M.S...@r-...> wrote:
> ...
> Miroslav posted some news about an ongoing SQLi ModSecurity challenge. I was
> curious and had a quick look at it. One of the vulnerable applications has
> an MS Access DB and can be UNION based injected.

Two of them are Access, the other two are MySQL 4 and MySQL 5.0.
We will post the details about our bypass of modsecurity soon and the
related tamper scripts will be committed to sqlmap trunk as well.

> Unfortunately UNION based tests against MS Access will always fail with
> sqlmap, because for UNION based injections the defined comment string
> (queries.xml) is not respected. Access needs %00 as comment string and even
> this is not working in many cases.

This is a known problem. Just addressed, read below.

> One quick fix would be adding special Access UNION test definitions to
> payload.xml like it has been done for MySQL.

Handling of these corner cases specifically to detect a certain technique
against a dodgy database management system is in our TODO list already.
Also, MSysAccessObjects seems to be a viable option.
Detection of UNION query against Access is now fixed.

> Another problem is the defined SELECT_FROM for MS Access dbms, it’s
> MSysObjects. In the ModSecurity challenge this system table has no read
> permissions hence any UNION test must fail. But the system table
> MSysAccessXML has read permissions in this specific case.
>
> Does anyone know, which of the two tables is more likely to have read access
> in the wild? Does it make sense to change SELECT_FROM? Is MSysAccessXML
> present in older MS Access versions?

No users have read privileges over MSysObjects by default. I can't
comment on MSysAccessXML. Anyone else?

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable