
Re: Cold Fusion and Sql Injection

From: morning_wood <se_cur_ity(at)hotmail.com>
Date: Fri Jun 20 2003 - 15:30:51 EDT

Maybe some help at
http://nothackers.org/pipermail/0day/2003-June/000091.html

----- Original Message -----
From: "George Fekkas" <G.Fekkas@encode-sec.com>
To: <pen-test@securityfocus.com>
Sent: Friday, June 20, 2003 10:12 AM
Subject: Cold Fusion and Sql Injection

> I am performing a web application penetration test by using SQL Injection method. The site uses Cold fusion. My problem is that anything I pass as a parameter to a field and I get the following error.
>
> ODBC Error Code = 22005 (Error in assignment)
> converting the nvarchar value ‘my parameter here’ to a column of data type int.
>
> For example, if I place a simple quote I get the following:
> type int.
>
> Or if I place a @@Version function I get the following:
> of data type int.
>
> Etc..
> returns the following:
>
> ODBC Error Code = 37000 (Syntax error or access violation), and the error message is normally ‘Incorrect syntax error …’ OR ‘Unclosed quotation mark …’
>
> Does anyone know how to solve this problem? Can anyone tell me what really happens behind it? I mean how the cold fusion application handles input validation in conjunction with ODBC driver? Does cold fusion use special functions for input validation?
>
> Thank you for your time,




Received on Fri Jun 20 16:28:06 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:38 EDT
