SQL injection attacks are usually just one little possibility an attacker tries as fast and in as many places as they can, hoping one of them will give up the goods.

That one in particular looks like they are banking on forcing their own parameterized query input comparison. If they can break your query's parsing logic and declare their own parameter point 1, then they can supply a test case version in, say, the form scope they may be thinking you are using directly in the code, and compare that to your database's @@version information. Probably the hope for the attacker is that the query would run something like this (the @@version output doesn't really look like my example, but the idea is the same):

select * from table where ( ... "Microsoft SQL Server 2000 build 1234, Windows Server 2003 SP1"=@@version) -- and def = whatever)

At this point they know what you are running if the query successfully executed, and will probably try some known exploits for that platform. Luckily this isn't something to worry about when you parameterize your queries, since that input will not be executable query constructs.

On Fri, Nov 18, 2011 at 11:05 AM, Phillip Vector <[email protected]> wrote:

> Well, if it wasn't cfqueryparam, I don't see any issues in the SQL
> that would cause ... anything.
>
> Am I missing something here? If it wasn't scrubbed, what would it do?
>
> On Fri, Nov 18, 2011 at 9:02 AM, Wil Genovese <[email protected]> wrote:
>
> > No clue what they are after, but I have been seeing that in my error
> > notification alerts this week. Good old cfqueryparam has been working like
> > a charm!
> >
> > Wil Genovese
> > Sr. Web Application Developer/
> > Systems Administrator
> > CF Webtools
> > www.cfwebtools.com
> >
> > [email protected]
> > www.trunkful.com
> >
> > On Nov 18, 2011, at 10:57 AM, "Claude Schnéegans <schneegans"@internetiq.trunkful.com wrote:
> >
> >> Hi,
> >>
> >> For a few days now, all my sites have been receiving requests in which a
> >> string like "/**/or/**/1=@@version)--" is added in the URL.
> >>
> >> Has anyone any idea what this guy is actually trying to do?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348822
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
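The two cases the thread contrasts, a query that concatenates the URL value into the SQL text versus one that binds it as a parameter (what cfqueryparam does), as an added example that is not code from the thread or from ColdFusion. It runs on SQLite in Python, so two assumptions are made: @@version is SQL Server/MySQL syntax, and sqlite_version() stands in for it; the products table and the "hidden" row are constructed sample data. On SQL Server the real probe does one more thing this example cannot show: 1=@@version compares an int with an nvarchar, and the resulting conversion error echoes the @@version string back to whoever triggered it, which is why the attacker wants that expression parsed rather than evaluated as a value. The /**/ comments stand in for spaces so the payload survives filters that reject whitespace; the trailing )-- closes the open parenthesis and comments out whatever followed it.

```python
import re
import sqlite3

# Constructed sample data (not from the thread): a products table where
# row 5 is flagged hidden and must never be returned to the caller.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 0), (5, "secret-sku", 1)],
    )
    return conn

# The probe from the thread, adapted for SQLite: @@version is SQL Server /
# MySQL syntax, so sqlite_version() stands in for it here (an assumption).
# The /**/ comments act as whitespace, so the payload contains no spaces.
PAYLOAD = "5/**/or/**/1=sqlite_version())--"

def lookup_vulnerable(conn, product_id):
    """Builds the WHERE clause by concatenation: the input is parsed as SQL.

    With PAYLOAD the statement becomes
      ... WHERE (id = 5/**/or/**/1=sqlite_version())-- ) AND hidden = 0
    so the ')' closes the parenthesis and '--' discards the hidden = 0 filter.
    """
    sql = "SELECT id, name FROM products WHERE (id = " + product_id + ") AND hidden = 0"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, product_id):
    """Same query with a bound parameter: the input is only ever a value."""
    sql = "SELECT id, name FROM products WHERE (id = ?) AND hidden = 0"
    return conn.execute(sql, (product_id,)).fetchall()

def strip_sql_comments(s):
    """Collapse /* ... */ comments to one space so comment-spaced keywords reappear."""
    return re.sub(r"/\*.*?\*/", " ", s)

def looks_like_version_probe(query_string):
    """Heuristic match for this particular probe in a URL query string."""
    normalized = strip_sql_comments(query_string).lower()
    return " or " in normalized and "@@version" in normalized

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "5"))         # [] : hidden row filtered out
    print(lookup_vulnerable(conn, PAYLOAD))     # [(5, 'secret-sku')] : filter commented out
    print(lookup_parameterized(conn, PAYLOAD))  # [] : payload is just a non-matching value
    print(lookup_parameterized(conn, "1"))      # [(1, 'widget')]
    print(looks_like_version_probe("id=5/**/or/**/1=@@version)--"))  # True
```

The parameterized path never sees `or`, `)` or `--` as tokens, which is the whole protection; the ColdFusion equivalent is `<cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">`, and typing it as an integer additionally rejects the payload before it reaches the database. The `looks_like_version_probe` helper is only a convenience for triaging the URLs in error alerts like the ones mentioned in the thread; it is not a substitute for parameterization.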

