Whitepaper: Access through access by Brett Moore, attacking Microsoft Access
Posted 5/1/08 by Robert from the 'Flat files 4 lyfe' department
Brett Moore has published a great document on how to attack applications utilizing Microsoft Access. He discusses default table names, sandboxing, reading local files and more. There aren't many good papers on attacking MS Access and this is WELL worth the read. From the paper:
"MS Access is commonly thought of as the little brother of Database engines, and not a lot of material has been published about methods used for exploiting it during a penetration test. The aim of this paper is to bring a lot of disparate information together into one guide.
MS Jet is often mistakenly thought of as being another name for MS Access, when in fact it is a database engine that is shipped as part of the Windows OS. MS Jet was however the core database engine used by MS Access up to version 2007. Since version 2007, MS Access has included a separate updated engine known as Access Connectivity Engine.
Although MS Jet is not as complex as more advanced databases such as SQL Server or Oracle, it is still commonly used by smaller web sites that want quick and easy database storage. Therefore it is often encountered during Web Application reviews and the potential for exploitation should be realised.
This paper will outline methods to identify different versions of MS Jet, some SQL Injection methods to use during tests, and some other techniques to access files, servers, and potentially gain command access."