MSysObjects SQL injection attack
A colleague of mine recently had his website hacked with a sql injection attack, with a url something like http://www.someurl.com/somepage.asp?
id=153%20union%20%20select%201,2,3,4,fldusername,
6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,fldpassword,
fldpassword,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,
39,40,41,42,43,44,45,46,47,48%20from%20tbluser%27
hense exposing all the usernames and passwords on the page. it lead me to think, how did the hacker guess the column names? – I knew about the sysobjects table in sql server, but being a classic ASP page, it would undoubtedly have an Access back end. Then I spotted the following hidden tables in access:
MSysObjects
MSysACEs
MSysQueries
MSysRelationships
MSysAccessObjects
MSysAccessXML
MSysDb
Which you can query to obtain the database schema. All I can say is . NEVER EVER BUILD SQL STATEMENTS DIRECTLY WITH USER PROVIDED TEXT (without calling Replace("’","”") at least!