Re: Cold Fusion and Sql Injection

From: Cesar (cesarc56_at_yahoo.com)
Date: 06/21/03

    Date: Sat, 21 Jun 2003 10:24:01 -0700 (PDT)
    To: pen-test@securityfocus.com

    It seems that the web application is using stored
    procedures. The problem you have is that the
    parameter you are playing with is an integer
    parameter, so when the web application calls the
    stored procedure with a non-integer value you get that
    error.

    Cesar.

    --- George Fekkas <G.Fekkas@encode-sec.com> wrote:
    > ******************************************************************
    > Any views expressed in this message are those of the
    > individual sender, except where the sender specifically
    > states them to be the views of ENCODE S.A.
    > ******************************************************************
    > I am performing a web application penetration test
    > by using the SQL Injection method. The site uses Cold
    > Fusion. My problem is that whatever I pass as a
    > parameter to a field, I get the following error.
    >
    > ODBC Error Code = 22005 (Error in assignment)
    >
    > [Microsoft][ODBC SQL Server Driver][SQL
    > Server]Syntax error converting the nvarchar value
    > ‘my parameter here’ to a column of data type
    > int.
    >
    > For example, if I place a single quote I get the
    > following:
    >
    > Syntax error converting the nvarchar value ‘’’
    > to a column of data type int.
    >
    > Or if I place a @@Version function I get the
    > following:
    >
    > Syntax error converting the nvarchar value
    > ‘@@Version’ to a column of data type int.
    >
    > Etc..
    >
    > Normally, when you pass a single quote as a
    > parameter, the Server returns the following:
    >
    > ODBC Error Code = 37000 (Syntax error or access
    > violation), and the error message is normally
    > ‘Incorrect syntax error …’ OR ‘Unclosed
    > quotation mark …’
    >
    > Does anyone know how to solve this problem? Can
    > anyone tell me what really happens behind it? I mean,
    > how does the Cold Fusion application handle input
    > validation in conjunction with the ODBC driver? Does Cold
    > Fusion use special functions for input validation?
    >
    > Thank you for your time,
    >
    > George
    >


    ---------------------------------------------------------------------------
    Latest attack techniques.

    You're a pen tester, but is google.com still your R&D team? Now you can get
    trustworthy commercial-grade exploits and the latest techniques from a
    world-class research group.

    Visit us at: www.coresecurity.com/promos/sf_ept1
    or call 617-399-6980
    ----------------------------------------------------------------------------
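An added example, not part of either message in this thread, that works through Cesar's explanation from the reviewing side. The two error classes George quotes tell a reviewer different things: SQLSTATE 22005 ("Error in assignment") with "Syntax error converting the nvarchar value ... to a column of data type int" means the input reached SQL Server as a typed integer parameter and failed the type check, while SQLSTATE 37000 ("Syntax error or access violation") with "Unclosed quotation mark" or "Incorrect syntax" means the input changed the SQL text itself. The script classifies such error lines and also shows the application-side integer check that would return a controlled response instead of leaking the driver message. The sample error strings are constructed to match the ones quoted above (flattened onto one line each); the `validate_int_param` helper is hypothetical and uses the range of the SQL Server `int` type.

```python
import re

# Constructed sample ODBC/ColdFusion error lines, modelled on the thread's messages.
SAMPLE_ERRORS = [
    "ODBC Error Code = 22005 (Error in assignment) [Microsoft][ODBC SQL Server Driver]"
    "[SQL Server]Syntax error converting the nvarchar value '@@Version' to a column of data type int.",
    "ODBC Error Code = 22005 (Error in assignment) [Microsoft][ODBC SQL Server Driver]"
    "[SQL Server]Syntax error converting the nvarchar value ''' to a column of data type int.",
    "ODBC Error Code = 37000 (Syntax error or access violation) [Microsoft][ODBC SQL Server Driver]"
    "[SQL Server]Unclosed quotation mark before the character string ''.",
    "ODBC Error Code = 37000 (Syntax error or access violation) [Microsoft][ODBC SQL Server Driver]"
    "[SQL Server]Incorrect syntax near 'x'.",
]

ODBC_CODE_RE = re.compile(r"ODBC Error Code\s*=\s*(\d{5})")
# Accept straight or typographic quotes around the echoed value.
CONVERT_RE = re.compile(
    r"converting the nvarchar value ['\u2018\u2019](.*)['\u2018\u2019] to a column of data type (\w+)"
)

# SQLSTATE values quoted in the thread, with the text the driver attaches to them.
SQLSTATE_TEXT = {
    "22005": "Error in assignment",
    "37000": "Syntax error or access violation",
}


def classify_odbc_error(line):
    """Return what one ODBC error line tells a reviewer about the failing parameter.

    'type_conversion': the value was bound to a typed (integer) parameter and the
    database rejected it; the message echoes the rejected value and column type.
    'syntax': the value altered the SQL text and the server could not parse it.
    """
    code_match = ODBC_CODE_RE.search(line)
    sqlstate = code_match.group(1) if code_match else None
    result = {
        "sqlstate": sqlstate,
        "sqlstate_text": SQLSTATE_TEXT.get(sqlstate),
        "category": "other",
        "rejected_value": None,
        "target_type": None,
    }
    conv = CONVERT_RE.search(line)
    if sqlstate == "22005" and conv:
        result["category"] = "type_conversion"
        result["rejected_value"] = conv.group(1)
        result["target_type"] = conv.group(2)
    elif sqlstate == "37000":
        result["category"] = "syntax"
    return result


def triage(lines):
    """Count error categories over a batch of log lines (e.g. a ColdFusion error log)."""
    counts = {}
    for line in lines:
        cat = classify_odbc_error(line)["category"]
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Hypothetical application-side check: SQL Server 'int' is a signed 32-bit integer.
INT_MIN, INT_MAX = -2**31, 2**31 - 1
INT_RE = re.compile(r"^-?\d+$")


def validate_int_param(raw):
    """Accept only a plain decimal integer within int range; raise ValueError otherwise.

    Checking in the application gives the client a controlled error instead of the
    driver's 'Syntax error converting ...' text, which names the column type.
    """
    text = raw.strip()
    if not INT_RE.match(text):
        raise ValueError("parameter must be a decimal integer")
    value = int(text)
    if not INT_MIN <= value <= INT_MAX:
        raise ValueError("parameter out of range for data type int")
    return value


if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        print(classify_odbc_error(line))
    print(triage(SAMPLE_ERRORS))
    for raw in ["42", "'", "@@Version", "99999999999"]:
        try:
            print(raw, "->", validate_int_param(raw))
        except ValueError as err:
            print(raw, "-> rejected:", err)
```

The classifier only tells you which error class a given line belongs to; a 22005 on one parameter says nothing about how the application handles its other parameters, and the echoed "data type int" in the message is itself information the validation layer should keep from reaching the client.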

