Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Cold Fusion and Sql Injection
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Fri, 20 Jun 2003 12:30:51 -0700

mby some help at
http://nothackers.org/pipermail/0day/2003-June/000091.html

----- Original Message -----
From: "George Fekkas" <G.Fekkas () encode-sec com>
To: <pen-test () securityfocus com>
Sent: Friday, June 20, 2003 10:12 AM
Subject: Cold Fusion and Sql Injection




******************************************************************
Any views expressed in this message are those of the
individual sender, except where the sender specifically
states them to be the views of ENCODE S.A.
******************************************************************



----------------------------------------------------------------------
----------


I am performing a web application penetration test by using SQL
Injection method.The site uses Cold fusion. My problem is that
anything I pass as a parameter to a field and I get the following
error.

ODBC Error Code = 22005 (Error in assignment)

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error
converting the nvarchar value ‘my parameter here’ to a column of data
type int.

For example, if I place a simple quote I get the following:

Syntax error converting the nvarchar value ‘’’ to a column of data
type int.

Or if I place a @@Version function I get the following:

Syntax error converting the nvarchar value ‘@@Version’ to a column
of data type int.

Etc..

Normally, when you pass a single quote as a parameter, the Server
returns the following:

ODBC Error Code = 37000 (Syntax error or access violation), and the
error message is normally ‘Incorrect syntax error …’ OR ‘Unclosed
quotation mark …’

Does anyone know how to solve this problem?Can anyone tell me what
really happens behind it? I mean how the cold fusion application
handles input validation in conjunction with ODBC driver?Does cold
fusion use special functions for input validation?

Thank you for your time,

George






----------------------------------------------------------------------
----------


--------------------------------------------------------------------
-------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you
can get
trustworthy commercial-grade exploits and the latest techniques from
a
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1
or call 617-399-6980
--------------------------------------------------------------------
--------

---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]