Microsoft JET Database Engine VBA ...

- AV AC AU C I A
Published: 1999-05-25
Revised: 2018-10-17

Microsoft's JET database engine allows Visual Basic for Applications (VBA) expressions to be embedded in SQL string expressions, and the lack of metacharacter filtering by many web applications may allow remote users to execute commands on the system. Microsoft's JET database engine (the core of Microsoft Access) allows the embedding of VBA expressions in SQL strings. A VBA expression enclosed between two "|" characters within an SQL string will be executed and its result substituted into the string. The VBA code is evaluated in an expression context, which means that statements cannot be used. The Microsoft JET database engine can be used via the ODBC API and is commonly used as a backend for web-enabled applications. JET's use of the "|" character to execute VBA code within SQL statements is a largely unknown feature, meaning that few applications escape user input for this metacharacter. Therefore any script or application that uses Microsoft's JET ODBC DSN ...
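The following Python sketch is an added example, not part of the original advisory or of any Microsoft code: it shows a server-side check that rejects the "|" metacharacter before input reaches a JET-backed query, and a scan of web access logs for pipe-delimited spans in query parameters. The log lines, the `.asp` paths and the `EXPR` placeholder are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A JET-evaluated expression is text enclosed by two "|" characters.
PIPE_EXPR = re.compile(r"\|[^|]*\|")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines, not real traffic
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /search.asp?q=widgets HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2000:10:00:05 +0000] "GET /search.asp?q=%7CEXPR%7C HTTP/1.0" 200 498',
    '192.0.2.12 - - [01/Jan/2000:10:00:09 +0000] "GET /item.asp?id=7&name=a%257CEXPR%257Cb HTTP/1.0" 200 301',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %257C -> %7C -> |)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def pipe_expressions(value):
    """Return every |...| span found in a user-supplied value."""
    return PIPE_EXPR.findall(fully_decode(value))

def is_safe_for_jet(value):
    """Reject any input that contains the "|" metacharacter, encoded or not."""
    return "|" not in fully_decode(value)

def scan_access_log(lines):
    """Return (line_no, parameter, span) for each suspicious query parameter."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qsl decodes once; fully_decode handles extra encoding layers.
        for name, value in parse_qsl(query, keep_blank_values=True):
            for span in pipe_expressions(value):
                findings.append((line_no, name, span))
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

`is_safe_for_jet` rejects a single "|" as well as a pair, because two inputs concatenated into the same SQL string could each contribute one delimiter.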

0%
There is currently 1 exploit/PoC
Product and version information (CPE) is not yet available