We have been seeing this attack as well. Most of the SQL statement is in a hexadecimal format, so it seems that using "keyword" filters could potentially be rendered innocuous (assuming the entire statement is all in hexadecimal).
Why would ColdFusion or MSSQL accept SQL statements formatted as hexadecimal? Is there a setting/feature to prevent this?

For those that are using IIS v6 & 7, URLScan v3.0 (beta) has been designed to help with SQL injection attacks as "part" of a comprehensive plan to combat this "nuisance". The IIS solution would stop the attacks at the IIS level as a first or second line of defense. Something then could be put in place (application.cfc) at the ColdFusion application level.

http://blogs.technet.com/swi/archive/2008/06/24/new-tools-to-block-and-eradicate-sql-injection.aspx
http://blogs.iis.net/wadeh/archive/2008/06/24/urlscan-v3-0-beta-release.aspx
http://www.microsoft.com/downloads/details.aspx?FamilyId=EE41818F-3363-4E24-9940-321603531989&displaylang=en

BTW: If anyone has a way to determine/catch hexadecimal formatted content through the URL scope, it would be greatly appreciated!

I would also like to thank everyone for their contributions. The combined knowledge of everyone has given me greater insight on combating these attacks :-]
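One way to catch hexadecimal-formatted content in URL parameters, as an added example that is not from the original thread: it is written in Python rather than CFML so it runs stand-alone, and the sample URL and the hex literal in it are constructed, not captured traffic. The idea is the one a keyword filter misses: find long hex runs, decode them the way a CAST to VARCHAR would, and only then look for SQL keywords.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Long hexadecimal runs (with or without the T-SQL 0x prefix) are rare in
# legitimate query strings; requiring 16+ digits keeps short ids and
# colour codes such as ff0000 out of the findings.
HEX_RUN = re.compile(r"(?:0x)?([0-9a-fA-F]{16,})")
SQL_KEYWORDS = re.compile(
    r"\b(declare|cast|exec|select|insert|update|delete|varchar|cursor|sysobjects)\b",
    re.IGNORECASE,
)


def decode_hex(digits: str) -> str:
    """Decode a hex literal to text as SQL Server would when casting it to VARCHAR."""
    if len(digits) % 2:
        digits = "0" + digits  # left-pad an odd-length literal with a zero nibble
    return bytes.fromhex(digits).decode("latin-1")  # latin-1 never raises


def scan_url(url: str) -> list[dict]:
    """Return one finding per long hex literal found in a URL parameter value."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for match in HEX_RUN.finditer(value):
            decoded = decode_hex(match.group(1))
            keywords = sorted({k.lower() for k in SQL_KEYWORDS.findall(decoded)})
            findings.append({
                "param": name,
                "hex_digits": len(match.group(1)),
                "decoded": decoded,
                "sql_keywords": keywords,
                # A literal that decodes to SQL keywords is the strong signal;
                # a long hex value with none is worth logging but not blocking.
                "suspicious": bool(keywords),
            })
    return findings


# Constructed sample request: the hex literal is just "select 1 from dual" as bytes,
# and "color=ff0000" is a benign control value that must not be flagged.
SAMPLE_HEX = "select 1 from dual".encode().hex()
SAMPLE_URL = f"http://example.com/page.cfm?id=1&q=0x{SAMPLE_HEX}&color=ff0000"

if __name__ == "__main__":
    for finding in scan_url(SAMPLE_URL):
        print(finding)
```

In an application.cfc the same check would run in onRequestStart over the URL and FORM scopes before any query executes, logging the decoded text so the alert shows what the hex actually said.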

