mby some help at http://nothackers.org/pipermail/0day/2003-June/000091.html ----- Original Message ----- From: "George Fekkas" <G.Fekkas@encode-sec.com> To: <pen-testat_private> Sent: Friday, June 20, 2003 10:12 AM Subject: Cold Fusion and Sql Injection > > > ****************************************************************** > Any views expressed in this message are those of the > individual sender, except where the sender specifically > states them to be the views of ENCODE S.A. > ****************************************************************** > ---------------------------------------------------------------------- ---------- > I am performing a web application penetration test by using SQL Injection method.The site uses Cold fusion. My problem is that anything I pass as a parameter to a field and I get the following error. > > ODBC Error Code = 22005 (Error in assignment) > > [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value ‘my parameter here’ to a column of data type int. > > For example, if I place a simple quote I get the following: > > Syntax error converting the nvarchar value ‘’’ to a column of data type int. > > Or if I place a @@Version function I get the following: > > Syntax error converting the nvarchar value ‘@@Version’ to a column of data type int. > > Etc.. > > Normally, when you pass a single quote as a parameter, the Server returns the following: > > ODBC Error Code = 37000 (Syntax error or access violation), and the error message is normally ‘Incorrect syntax error …’ OR ‘Unclosed quotation mark …’ > > Does anyone know how to solve this problem?Can anyone tell me what really happens behind it? I mean how the cold fusion application handles input validation in conjunction with ODBC driver?Does cold fusion use special functions for input validation? > > Thank you for your time, > > George > > > > ---------------------------------------------------------------------- ---------- > -------------------------------------------------------------------- ------- > Latest attack techniques. > > You're a pen tester, but is google.com still your R&D team? Now you can get > trustworthy commercial-grade exploits and the latest techniques from a > world-class research group. > > Visit us at: www.coresecurity.com/promos/sf_ept1 > or call 617-399-6980 > -------------------------------------------------------------------- -------- --------------------------------------------------------------------------- Latest attack techniques. You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. Visit us at: www.coresecurity.com/promos/sf_ept1 or call 617-399-6980 ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Jun 20 2003 - 13:12:13 PDT