Penetration Testing mailing list archives
CFM SQL injection
From: "Charlie Liserne" <Chili () SexMagnet com>
Date: Sat, 15 Dec 2001 23:22:14 +0100
Hello guys, I'm performing a pen-test against a web with Coldfusion installed. I obtain some error information, but I'm not able to do nothing because the server never understand the parameters I send. The correct page is as follows: http://www.server.com/page.cfm?page_id=8 My probes are following: ------------------- Request: http://www.server.com/page.cfm?page_id=8' Result: Invalid parameter type Cannot convert 19' to number. Please, check the ColdFusion manual for the allowed conversions between data types The error occurred while processing an element with a general identifier of (CFPARAM), occupying document position (5:1) to (5:61). Template: c:\blabla\page.cfm Query String: page_id=19' ------------------------ So it isn't interpreting the ' and I don't know how to execute commands. It seems that it is not an SQL issue, instead it looks a coldfusion error. Another probe follows: -------------------- Request: http://www.server.com/page.cfm?page_id=0 Result: ODBC Error Code = 37000 (Syntax error or access violation) [Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax near '='. The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (15:1) to (16:65). ------------------ Okay, i get an error from the SQL database. But still don't know how to take advantage of it. I don't know the database name and I have very little info about it. Also, there are two more interesting probes: --------------------------- Request:http://www.server.com/page.cfm?page_id=3, Result: Invalid parameter type Cannot convert 3, to number. Please, check the ColdFusion manual for the allowed conversions between data types The error occurred while processing an element with a general identifier of (CFPARAM), occupying document position (5:1) to (5:61). ---------------------------- Request: http://www.server.com/page.cfm?page_id=3,4 Result: ODBC Error Code = 37000 (Syntax error or access violation) [Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax near ','. The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (6:1) to (6:72). ------------------------------- Do you know how to exploit this (if it's possible)? Regards, Charlie. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- SQL INJECTION - ORACLE foo bar (Dec 10)
- Re: SQL INJECTION - ORACLE Michael Haunzwickl (Dec 10)
- CFM SQL injection Charlie Liserne (Dec 17)
- Re: CFM SQL injection Kevin Spett (Dec 19)
- Re: CFM SQL injection Charlie Liserne (Dec 24)
- CFM SQL injection Charlie Liserne (Dec 17)
- Re: SQL INJECTION - ORACLE Michael Haunzwickl (Dec 10)
- Re: SQL INJECTION - ORACLE Kevin Spett (Dec 10)