Re: Cold Fusion and Sql Injection

From: morning_wood (se_cur_ity@hotmail.com)
Date: Fri Jun 20 2003 - 15:30:51 EDT


Maybe some help at
http://nothackers.org/pipermail/0day/2003-June/000091.html

----- Original Message -----
From: "George Fekkas" <G.Fekkas@encode-sec.com>
To: <pen-test@securityfocus.com>
Sent: Friday, June 20, 2003 10:12 AM
Subject: Cold Fusion and Sql Injection


> I am performing a web application penetration test using the SQL Injection method. The site uses Cold Fusion. My problem is that whatever I pass as a parameter to a field, I get the following error.
>
> ODBC Error Code = 22005 (Error in assignment)
>
> [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value ‘my parameter here’ to a column of data type int.
>
> For example, if I place a simple quote I get the following:
>
> Syntax error converting the nvarchar value ‘’’ to a column of data type int.
>
> Or if I place a @@Version function I get the following:
>
> Syntax error converting the nvarchar value ‘@@Version’ to a column of data type int.
>
> Etc.
>
> Normally, when you pass a single quote as a parameter, the server returns the following:
>
> ODBC Error Code = 37000 (Syntax error or access violation), and the error message is normally ‘Incorrect syntax error …’ OR ‘Unclosed quotation mark …’
>
> Does anyone know how to solve this problem? Can anyone tell me what really happens behind it? I mean, how does the Cold Fusion application handle input validation in conjunction with the ODBC driver? Does Cold Fusion use special functions for input validation?
>
> Thank you for your time,
>
> George



