CFM SQL injection

From: Charlie Liserne (Chiliat_private)
Date: Sat Dec 15 2001 - 14:22:14 PST


    Hello guys,
    
    I'm performing a pen-test against a web site with ColdFusion installed. I obtain
    some error information, but I'm not able to do anything because the server
    never understands the parameters I send.
    
    The correct page is as follows:
    http://www.server.com/page.cfm?page_id=8
    
    My probes are the following:
    
    -------------------
    Request: http://www.server.com/page.cfm?page_id=8' 
    
    Result:
    Invalid parameter type
    Cannot convert 19' to number.
    Please, check the ColdFusion manual for the allowed conversions between
    data types
    The error occurred while processing an element with a general identifier of
    (CFPARAM), occupying document position (5:1) to (5:61).
    Template: c:\blabla\page.cfm
    Query String: page_id=19'
    ------------------------
    
    So it isn't interpreting the ' and I don't know how to execute commands. It
    seems that it is not an SQL issue; instead it looks like a ColdFusion error.
    Another probe follows:
    
    --------------------
    Request: http://www.server.com/page.cfm?page_id=0
    
    Result:
    ODBC Error Code = 37000 (Syntax error or access violation)
    [Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax
    near '='.
    The error occurred while processing an element with a general identifier of
    (CFQUERY), occupying document position (15:1) to (16:65).
    ------------------
    
    Okay, I get an error from the SQL database. But I still don't know how to
    take advantage of it. I don't know the database name and I have very little
    info about it.
    
    Also, there are two more interesting probes:
    ---------------------------
    Request: http://www.server.com/page.cfm?page_id=3,
    
    Result:
    Invalid parameter type
    Cannot convert 3, to number.
    Please, check the ColdFusion manual for the allowed conversions between
    data types
    The error occurred while processing an element with a general identifier of
    (CFPARAM), occupying document position (5:1) to (5:61).
    ----------------------------
    Request: http://www.server.com/page.cfm?page_id=3,4
    
    Result:
    ODBC Error Code = 37000 (Syntax error or access violation)
    [Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax
    near ','.
    The error occurred while processing an element with a general identifier of
    (CFQUERY), occupying document position (6:1) to (6:72).
    -------------------------------
    
    Do you know how to exploit this (if it's possible)?
    
    Regards,
    Charlie.
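
The two error shapes in the post (a CFPARAM type error for `19'` and `3,`, but a SQL Server syntax error for `3,4`) fit a template that type-checks the parameter and then splices the raw string into the query. As an added example, not from the original post or from ColdFusion, here is a Python model of that pattern beside a hardened version using a bound parameter (the equivalent of `cfqueryparam cfsqltype="cf_sql_integer"`). The permissive numeric check and the sqlite3 stand-in for SQL Server are assumptions for illustration, not ColdFusion's actual conversion rule.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for the site's database (schema invented)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (page_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", [(8, "home"), (19, "about")])
    return conn


def lax_numeric_check(value):
    """Assumed permissive 'numeric' check: digit groups separated by commas pass.
    Mirrors the post's observations: "19'" and "3," fail, "3,4" passes."""
    return re.fullmatch(r"\d+(,\d+)*", value) is not None


def lookup_interpolated(conn, page_id):
    """Vulnerable pattern: validate the parameter, then splice the raw string
    into the SQL text. Whatever the check lets through reaches the database."""
    if not lax_numeric_check(page_id):
        raise ValueError("Cannot convert %s to number." % page_id)
    sql = "SELECT title FROM pages WHERE page_id = " + page_id
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, page_id):
    """Hardened pattern: strict integer conversion, then a bound parameter,
    so the database only ever sees an integer, never query text from the client."""
    if not re.fullmatch(r"\d+", page_id):
        raise ValueError("Cannot convert %s to number." % page_id)
    sql = "SELECT title FROM pages WHERE page_id = ?"
    return [row[0] for row in conn.execute(sql, (int(page_id),))]


def classify(lookup, conn, page_id):
    """Report which layer handled the request: 'ok' with rows, rejected before
    any SQL ran (the CFPARAM-style error), or a syntax error raised inside the
    database (the ODBC 37000-style error), which is the tell-tale of injection."""
    try:
        return ("ok", lookup(conn, page_id))
    except ValueError:
        return ("rejected_before_sql", None)
    except sqlite3.OperationalError:
        return ("error_inside_sql", None)


if __name__ == "__main__":
    db = make_db()
    for probe in ("8", "19'", "3,", "3,4"):
        print(probe, classify(lookup_interpolated, db, probe), classify(lookup_bound, db, probe))
```

From a defender's view, the `error_inside_sql` outcome is the signal worth alerting on: a database syntax error on a parameter that passed validation means client text reached the query engine.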
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 09:56:07 PST