Re: Cold Fusion and Sql Injection

From: morning_wood (se_cur_ity_at_hotmail.com)
Date: 06/20/03

    To: "George Fekkas" <G.Fekkas@encode-sec.com>, <pen-test@securityfocus.com>
    Date: Fri, 20 Jun 2003 12:30:51 -0700

    Maybe some help at
    http://nothackers.org/pipermail/0day/2003-June/000091.html

    ----- Original Message -----
    From: "George Fekkas" <G.Fekkas@encode-sec.com>
    To: <pen-test@securityfocus.com>
    Sent: Friday, June 20, 2003 10:12 AM
    Subject: Cold Fusion and Sql Injection

    >
    >
    > ******************************************************************
    > Any views expressed in this message are those of the
    > individual sender, except where the sender specifically
    > states them to be the views of ENCODE S.A.
    > ******************************************************************
    >


    > I am performing a web application penetration test by using the SQL
    > Injection method. The site uses Cold Fusion. My problem is that
    > whatever I pass as a parameter to a field, I get the following
    > error.
    >
    > ODBC Error Code = 22005 (Error in assignment)
    >
    > [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error
    > converting the nvarchar value ‘my parameter here’ to a column of data
    > type int.
    >
    > For example, if I place a simple quote I get the following:
    >
    > Syntax error converting the nvarchar value ‘’’ to a column of data
    > type int.
    >
    > Or if I place a @@Version function I get the following:
    >
    > Syntax error converting the nvarchar value ‘@@Version’ to a column
    > of data type int.
    >
    > Etc.
    >
    > Normally, when you pass a single quote as a parameter, the Server
    > returns the following:
    >
    > ODBC Error Code = 37000 (Syntax error or access violation), and the
    > error message is normally ‘Incorrect syntax error …’ OR ‘Unclosed
    > quotation mark …’
    >
    > Does anyone know how to solve this problem? Can anyone tell me what
    > really happens behind it? I mean, how does the Cold Fusion application
    > handle input validation in conjunction with the ODBC driver? Does Cold
    > Fusion use special functions for input validation?
    >
    > Thank you for your time,
    >
    > George
    >


    > ---------------------------------------------------------------------------
    > Latest attack techniques.
    >
    > You're a pen tester, but is google.com still your R&D team? Now you can get
    > trustworthy commercial-grade exploits and the latest techniques from a
    > world-class research group.
    >
    > Visit us at: www.coresecurity.com/promos/sf_ept1
    > or call 617-399-6980
    > ---------------------------------------------------------------------------

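The two ODBC error signatures George quotes (SQLSTATE 22005 when the echoed literal fails conversion to an int-typed column, 37000 when the statement itself no longer parses) are also what a defender can watch for: an application that returns them to the client is building SQL from raw input and leaking driver errors. As an added example that is not part of this thread, the Python below classifies constructed log lines carrying those messages and counts errors per client; the log line format and the straight quotes in the SQL Server messages are assumptions.

```python
import re
from collections import Counter

# Constructed sample application log lines (not from the original thread);
# assumed format: "<client-ip> <request-path> <error text or OK>".
SAMPLE_LOG = """\
10.0.0.5 /product.cfm?id=17 OK
10.0.0.9 /product.cfm?id=' ODBC Error Code = 22005 (Error in assignment) [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value ''' to a column of data type int.
10.0.0.9 /product.cfm?id=@@Version ODBC Error Code = 22005 (Error in assignment) [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '@@Version' to a column of data type int.
10.0.0.9 /search.cfm?q=' ODBC Error Code = 37000 (Syntax error or access violation) [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
10.0.0.5 /search.cfm?q=shoes OK
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<path>\S+) (?P<rest>.*)$")
ODBC_RE = re.compile(r"ODBC Error Code = (?P<code>\d{5}) \((?P<desc>[^)]*)\)")
# The conversion message echoes the exact input that reached the typed column.
CONVERT_RE = re.compile(
    r"converting the (?P<src>\w+) value '(?P<val>.*)' to a column of data type (?P<dst>\w+)")

# SQLSTATE classes seen in the thread: 22005 means the input was concatenated
# into a comparison against a numeric column; 37000 means it broke the statement.
CLASS_BY_CODE = {"22005": "type-conversion", "37000": "syntax"}


def classify_line(line):
    """Return a finding dict for a log line carrying an ODBC error, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    odbc = ODBC_RE.search(m["rest"])
    if not odbc:
        return None
    finding = {"ip": m["ip"], "path": m["path"], "code": odbc["code"],
               "desc": odbc["desc"], "class": CLASS_BY_CODE.get(odbc["code"], "other")}
    conv = CONVERT_RE.search(m["rest"])
    if conv:
        finding.update(value=conv["val"], column_type=conv["dst"])
    return finding


def scan(log_text):
    """All ODBC-error findings in the log plus an error count per client IP."""
    findings = [f for f in map(classify_line, log_text.splitlines()) if f]
    return findings, Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG)[0]:
        print(finding)
```

A burst of such errors from one client, as in the constructed sample, is a probing pattern worth alerting on; the fix on the application side is to bind parameters with their SQL type instead of concatenating them, and to stop returning driver errors to the browser.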

