Well I just tried a query using :

~`:;!@#$%^&*()_+{}]\|'"?/,.<>

Which is every punctuation character except '[' and it worked fine...
Although if there is an algorithm that involves a PreserveSingleQuotes()
function then a single quote will usually break it.

I imagine the square braces are used to define some sort of SQL function...
any SQL gurus out there to confirm this?

It would be something to watch out for... because if a hacker submits a '['
to your query and sees the debug code, they find out valuable information
about the structure of your query, and the name of your datasource. Or else
it may be possible to get the SQL to do things that you don't want it to do
if they put code within the square braces.... best to replace them out
before the CFQUERY.

I was reading somewhere recently that it was bad form (haha) to put
submitted variables directly into an SQL statement, I guess this is why.

seeya!

-----Original Message-----
From: Arden Weiss [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 7 June 2001 11:15 AM
To: CF-Talk
Subject: RE: Hack Advice - Break a CF Query


Sneaky -- but good to know -- did you also try other punctuation type
characters???

     ^
    / \__
   (    @\___
  /          O
 /    (_____/
/_____/
Whoof...
410-757-3487

-----Original Message-----
From:   Ryan Sabir [SMTP:[EMAIL PROTECTED]]
Sent:   Wednesday, June 06, 2001 9:03 PM
To:     CF-Talk
Subject:        RE: Hack Advice - Break a CF Query

Haha worked it out..

I initially was a bit stumped as to what you wanted and then I worked it
out.. and then was intrigued trying to break ODBC by submitting something...
try this...

submit a [ (open square bracket) to the query, that should break it.. not
sure why though....

seeya!

-----Original Message-----
From: Allen Hudson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 7 June 2001 6:35 AM
To: CF-Talk
Subject: Hack Advice - Break a CF Query


My application is hosted with in-house government hosting.  Therefore I don't
have access to the CF server or easy access to my site's pages.  The only
thing I have control over on a less than 4 week notice is uploading a new
database. (Flintstone-ville)

However, there seems to always be a lock on the database (Access 97) such
that I cannot upload when I want. I have created a dbunlock.cfm page to
upload (runs a query that throws an error that will unlock the db) with our
scheduled site upgrade in about 4 weeks.

In the meantime, it occurs to me I could run an html page offsite
(workstation) and submit it to the live page with some code that would throw
an error.  Does anyone know of some code that would do that?

Query on live site page:

<CFQUERY name="getinfo" datasource="mine">
        SELECT BASEINFO, BASE, VCODE
        FROM ROTARY
        WHERE BASEINFO = '#FORM.INFO#'
</CFQUERY>

TYIA

Allen Hudson
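
The two risks raised in the top reply (submitted variables placed directly in the SQL text, and error output that reveals the query and datasource name) are addressed in this added example, which is not part of the original thread. It reuses the query posted above; the maxlength value, log file name and user-facing message are assumptions.

```cfml
<!--- Added example, not code from the thread.
      maxlength, the log file name and the message text are assumptions. --->
<cfparam name="FORM.INFO" default="">

<cftry>
    <cfquery name="getinfo" datasource="mine">
        SELECT BASEINFO, BASE, VCODE
        FROM ROTARY
        <!--- The submitted value is sent as a bound parameter,
              so it is never concatenated into the SQL text. --->
        WHERE BASEINFO = <cfqueryparam value="#FORM.INFO#"
                                       cfsqltype="CF_SQL_VARCHAR"
                                       maxlength="50">
    </cfquery>

    <!--- type="any" also covers cfqueryparam validation failures
          (for example, a value longer than maxlength). --->
    <cfcatch type="any">
        <!--- Driver message and detail go to a server-side log only,
              not to the browser. --->
        <cflog file="getinfo_errors" type="error"
               text="getinfo failed: #cfcatch.message# #cfcatch.detail#">
        <cfoutput>Sorry, that lookup could not be completed.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```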