diff --git a/lib/core/agent.py b/lib/core/agent.py
index 8edde77e7..5826caf80 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -227,7 +227,10 @@ class Agent:
             nulledCastedField = field
         else:
             nulledCastedField = queries[kb.dbms].cast.query % field
-            nulledCastedField = queries[kb.dbms].isnull.query % nulledCastedField
+            if kb.dbms == DBMS.ACCESS:
+                nulledCastedField = queries[kb.dbms].isnull.query % (nulledCastedField, nulledCastedField)
+            else:
+                nulledCastedField = queries[kb.dbms].isnull.query % nulledCastedField
 
         return nulledCastedField
 
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index b382b5c3b..22fb411d2 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -138,7 +138,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
         continuousOrder means that distance between each two neighbour's
         numerical values is exactly 1
         """
-
+        
         result = tryHint(idx)
 
         if result:
@@ -167,7 +167,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
             position = (len(charTbl) >> 1)
             posValue = charTbl[position]
 
-            if kb.dbms in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB):
+            if kb.dbms in (DBMS.SQLITE, DBMS.MAXDB):
                 pushValue(posValue)
                 posValue = chr(posValue) if posValue < 128 else unichr(posValue)
 
@@ -176,7 +176,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
             queriesCount[0] += 1
             result = Request.queryPage(forgedPayload)
 
-            if kb.dbms in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB):
+            if kb.dbms in (DBMS.SQLITE, DBMS.MAXDB):
                 posValue = popValue()
 
             if result:
diff --git a/plugins/dbms/access/fingerprint.py b/plugins/dbms/access/fingerprint.py
index 2c6b04b4d..8602e2a6a 100644
--- a/plugins/dbms/access/fingerprint.py
+++ b/plugins/dbms/access/fingerprint.py
@@ -189,3 +189,6 @@ class Fingerprint(GenericFingerprint):
             logger.warn(warnMsg)
 
             return False
+
+    def forceDbmsEnum(self):
+        conf.db = "Access"
diff --git a/xml/queries.xml b/xml/queries.xml
index 646c8d34f..20bd4944c 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -341,7 +341,7 @@
     <dbms value="Microsoft Access">
         <cast query="CVAR(%s)"/>
         <length query="LEN(%s)"/>
-        <isnull query="ISNULL(%s)"/>
+        <isnull query="IIF(ISNULL(%s), ' ', %s)"/>
         <delimiter query=","/>
         <limit query="TOP %d"/>
         <limitregexp query="\s+TOP\s+([\d]+)"/>
@@ -354,7 +354,6 @@
         <timedelay/>
         <substring query="MID((%s), %d, %d)"/>
         <case query="IIF(%s,1,0)"/>
-        <inference query="AND MID((%s), %d, 1) > '%s'"/>
         <banner/>
         <current_user query="SELECT CURRENTUSER()"/>
         <current_db/>
@@ -363,6 +362,7 @@
         <dbs/>
         <tables>
             <inband query="SELECT Name FROM MSysObjects WHERE (Left([Name],1) &lt;&gt; '~') AND (Left([Name],4) &lt;&gt; 'MSys') AND ([Type] In (1, 4, 6))"/>
+            <blind query="SELECT MIN(Name) FROM MSysObjects WHERE Type = 1 AND name > '%s'" count="SELECT COUNT(*) FROM MSysObjects WHERE Type = 1"/>
         </tables>
    </dbms>