Brett Moore has published a great document on SQL injection against applications that use
Microsoft Access. He discusses default table names, sandboxing, reading local files and more. There aren't
many good papers on attacking MS Access, and this is WELL worth the read. From the paper:
"MS Access is commonly thought of as the little brother of Database
engines, and not a lot of material has been published about methods
used for exploiting it during a penetration test. The aim of this paper
is to bring a lot of disparate information together into one guide.
MS Jet is often mistakenly thought of as being another name for MS
Access, when in fact it is a database engine that is shipped as part of
the Windows OS. MS Jet was however the core database engine used by MS
Access up to version 2007. Since version 2007, MS Access has included a
separate updated engine known as Access Connectivity Engine.
Although MS Jet is not as complex as more advanced databases such as
SQL Server or Oracle, it is still commonly used by smaller web sites
that want quick and easy database storage. Therefore it is often
encountered during Web Application reviews and the potential for
exploitation should be realised.
This paper will outline methods to identify different versions of MS
Jet, some SQL Injection methods to use during tests, and some other
techniques to access files, servers, and potentially gain command
access"
Whitepaper Link: http://www.insomniasec.com/publications/Access-Through-Access.pdf