Penetration Testing mailing list archives
Re: Cold Fusion and Sql Injection
From: Cesar <cesarc56 () yahoo com>
Date: Sat, 21 Jun 2003 10:24:01 -0700 (PDT)
It seems that the web application is using stored procedures. The problem you have is that the parameter you are playing with is an integer parameter, so when the web application calls the stored procedure with a non-integer value you get that error.

Cesar.

--- George Fekkas <G.Fekkas () encode-sec com> wrote:
******************************************************************
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of ENCODE S.A.
******************************************************************
I am performing a web application penetration test by using the SQL Injection method. The site uses Cold Fusion. My problem is that whatever I pass as a parameter to a field, I get the following error:

ODBC Error Code = 22005 (Error in assignment) [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'my parameter here' to a column of data type int.

For example, if I place a single quote I get the following: Syntax error converting the nvarchar value ''' to a column of data type int. Or if I place a @@Version function I get the following: Syntax error converting the nvarchar value '@@Version' to a column of data type int. Etc.

Normally, when you pass a single quote as a parameter, the server returns the following: ODBC Error Code = 37000 (Syntax error or access violation), and the error message is normally 'Incorrect syntax error ...' OR 'Unclosed quotation mark ...'

Does anyone know how to solve this problem? Can anyone tell me what really happens behind it? I mean, how does the Cold Fusion application handle input validation in conjunction with the ODBC driver? Does Cold Fusion use special functions for input validation?

Thank you for your time,
George
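The explanation above (an integer-typed parameter rejecting anything that is not an integer) is exactly what ColdFusion's typed query parameters enforce on the application side. The following CFML is an added example, not code from the thread or from either poster's application; the datasource name "appDSN", the table "orders", the stored procedure "GetOrder" and the request variable url.id are assumptions. It contrasts the pattern that lets a raw request value reach SQL Server as text with the two typed forms that bind it as an integer, and adds an explicit check so the application returns a clean error instead of leaking a driver message.

```cfml
<!--- Added example (not from the thread). Assumes a datasource "appDSN",
      a table "orders" with an INT primary key order_id, and a stored
      procedure "GetOrder" that takes one INT parameter. --->

<!--- Pattern that produces the class of error described in the thread:
      the raw request value is spliced into the SQL text, so SQL Server
      receives it as a string literal and only fails when it tries to
      convert that string to the INT parameter (ODBC 22005). --->
<cfquery name="q1" datasource="appDSN">
    EXEC GetOrder '#url.id#'
</cfquery>

<!--- Hardened form 1: bind the value as a typed query parameter.
      ColdFusion rejects non-integer input before the statement reaches
      the ODBC driver, and the value is sent as a bind variable rather
      than as part of the SQL text. --->
<cfquery name="q2" datasource="appDSN">
    SELECT order_id, status
    FROM orders
    WHERE order_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Hardened form 2: call the stored procedure with a typed procedure
      parameter, which gives the same application-side type check. --->
<cfstoredproc procedure="GetOrder" datasource="appDSN">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.id#">
    <cfprocresult name="q3">
</cfstoredproc>

<!--- Optional explicit validation (isValid is available in ColdFusion
      7 and later; on older releases use isNumeric with a range check).
      Placing this before any query lets the application answer with a
      400 instead of surfacing the driver's conversion error text. --->
<cfif NOT isValid("integer", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>
```

The detail worth noting for a reviewer is where the type check happens: with cfqueryparam or cfprocparam the rejection occurs inside ColdFusion, so the database never sees the offending value and the response carries no ODBC error text; with the spliced-text form the rejection is a side effect of SQL Server's implicit conversion, which is why the verbose 22005 message appears in the page.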
Current thread:
- Cold Fusion and Sql Injection George Fekkas (Jun 20)
- Re: Cold Fusion and Sql Injection morning_wood (Jun 20)
- Re: Cold Fusion and Sql Injection Javier Fernandez-Sanguino (Jun 23)
- Re: Cold Fusion and Sql Injection Cesar (Jun 23)
- Re: Cold Fusion and Sql Injection morning_wood (Jun 20)