Al, These sorts of attacks increase and decrease in waves, unfortunately. I spent a few hours fixing a customer server this week myself. Very similar codewise:

http://www.coldfusionmuse.com/index.cfm/2010/4/16/SQLi-char-urchin

-Mark

Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Al Musella, DPM [mailto:[email protected]]
Sent: Monday, April 19, 2010 5:08 PM
To: cf-talk
Subject: New SQL injection :(

I can't believe I got hit again. One of my old pages that is no longer linked into the website didn't have a cfqueryparam. I deleted it from my local machine but forgot to delete it from the server. I have a generic checker in my cfapplication, but it missed this one. Here is the sequence of events:

1. They tried this on thousands of pages and found 1 where it worked. (I am leaving off the domain name and page. This is just the query string.)

?item=471+or+1=(%73%65%6C%65%63%74+DATA_TYPE+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=char(080)%2Bchar(97)%2Bchar(121)%2Bchar(80)%2Bchar(97)%2Bchar(108)+AND+COLUMN_NAME=char(080)%2Bchar(97)%2Bchar(105)%2Bchar(100)%2Bchar(100)%2Bchar(97)%2Bchar(116)%2Bchar(101))-

2. For every table in the database, they did this. It was automated because it happened in a few seconds.

item=471+update+dvds+set+fname1=SUBSTRING(fname1,0,CHARINDEX(char(60)%2Bchar(116)%2Bchar(111)%2Bchar(116)%2Bchar(62),cast(fname1+as+varchar(8000)))-0)--

It came from one IP address: 94.102.52.27 in the Netherlands.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333008
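As an added triage helper that is not part of this thread, the Python below URL-decodes a query string of the kind Al quotes, rebuilds the char()+char() concatenations the probe used to hide table and column names, and lists the SQL fragments a numeric item parameter should never contain. The sample inputs are the first probe from Al's message (rejoined and shortened to the TABLE_NAME clause) and a constructed benign request.

```python
import re
from urllib.parse import unquote_plus

# One SQL Server char(n) call, and a '+'-joined run of them such as char(080)+char(97)
CHAR_ONE = re.compile(r"char\((\d+)\)", re.IGNORECASE)
CHAR_CHAIN = re.compile(r"(?:char\(\d+\)\+?)+", re.IGNORECASE)

# Fragments that should never appear in a numeric 'item' parameter
INDICATORS = ("information_schema", " or 1=", "update ", "substring(", "charindex(")


def decode_char_chains(sql):
    """Replace char(80)+char(97)+... runs with the quoted literal they spell."""
    def to_literal(m):
        codes = CHAR_ONE.findall(m.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHAR_CHAIN.sub(to_literal, sql)


def analyze_query_string(qs):
    """URL-decode a request query string, unhide char() literals, collect indicators."""
    # unquote_plus turns %73 into 's', '+' into a space and %2B into a literal '+'
    decoded = decode_char_chains(unquote_plus(qs))
    low = decoded.lower()
    hits = [k for k in INDICATORS if k in low]
    return {"decoded": decoded, "indicators": hits, "suspicious": bool(hits)}


# Sample inputs: the first probe quoted in Al's message (wrapping removed, shortened
# to the TABLE_NAME clause) and a constructed benign request for the same page.
PROBE = ("item=471+or+1=(%73%65%6C%65%63%74+DATA_TYPE+FROM+INFORMATION_SCHEMA.COLUMNS"
         "+WHERE+TABLE_NAME=char(080)%2Bchar(97)%2Bchar(121)%2Bchar(80)%2Bchar(97)%2Bchar(108))--")
BENIGN = "item=471"

if __name__ == "__main__":
    for qs in (PROBE, BENIGN):
        r = analyze_query_string(qs)
        print(("SUSPICIOUS " if r["suspicious"] else "ok         ") + r["decoded"])
        if r["indicators"]:
            print("  indicators:", ", ".join(r["indicators"]))
```

The remedy on the page side is still cfqueryparam on every query; this helper only shows, after the fact, what an unparameterised page was asked to execute.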

