Re: sql injection attempt
Yes indeed. We had some attempts to injection attack via a fake useragent variable in the CGI scope, as we were logging visiting useragents in a database table. Luckily they were not able to execute any code thanks to tight SQL permissions, but the code they were trying to execute was written to the table. I'd not even thought of that method till we saw it. But something to have an eye on. Regards, Ian. On 23/01/2013 19:09, Pete Freitag wrote: On Wed, Jan 23, 2013 at 12:57 PM, Rob Voylerobvo...@voyle.com wrote: Hi Greg As I continue to update my security processes, I'm curious Was this injection attempt at the url or at a form input. Keep in mind that vulnerabilites can come from any input that the attacker can manipulate, eg form, url, cgi, cookie variables are all game. -- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://hackmycf.com - Is your ColdFusion Server Secure? http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354042 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: sql injection attempt
Hi Greg As I continue to update my security processes, I'm curious Was this injection attempt at the url or at a form input. Thanks Rob On 22 Jan 2013 at 11:12, Greg Morphis wrote: I saw some request errors but what were they trying to do? This is what the onRequest error email showed declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q) ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag= houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:35 3998 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354030 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: sql injection attempt
It was attempted via the URL On Wed, Jan 23, 2013 at 11:57 AM, Rob Voyle robvo...@voyle.com wrote: Hi Greg As I continue to update my security processes, I'm curious Was this injection attempt at the url or at a form input. Thanks Rob On 22 Jan 2013 at 11:12, Greg Morphis wrote: I saw some request errors but what were they trying to do? This is what the onRequest error email showed declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q) ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag= houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:35 3998 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354031 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: sql injection attempt
On Wed, Jan 23, 2013 at 12:57 PM, Rob Voyle robvo...@voyle.com wrote: Hi Greg As I continue to update my security processes, I'm curious Was this injection attempt at the url or at a form input. Keep in mind that vulnerabilites can come from any input that the attacker can manipulate, eg form, url, cgi, cookie variables are all game. -- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://hackmycf.com - Is your ColdFusion Server Secure? http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354032 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: sql injection attempt
That's hex for, ?WAITFOR DELAY '00:00:15' On Tue, Jan 22, 2013 at 11:12 AM, Greg Morphis gmorp...@gmail.com wrote: 0x57414954464F522044454C4159202730303A30303A313527 -- John Bliss - http://about.me/jbliss ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353999 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: sql injection attempt
Ah so they were just checking to see if they could get something to work before possibly trying anything real. Thanks! On Tue, Jan 22, 2013 at 11:15 AM, John M Bliss bliss.j...@gmail.com wrote: That's hex for, ?WAITFOR DELAY '00:00:15' On Tue, Jan 22, 2013 at 11:12 AM, Greg Morphis gmorp...@gmail.com wrote: 0x57414954464F522044454C4159202730303A30303A313527 -- John Bliss - http://about.me/jbliss ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354000 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: sql injection attempt
Ah so they were just checking to see if they could get something to work before possibly trying anything real. That's a pretty standard approach. If they can get the response to delay then they can mark that URL as a potential entry point to come back and explore more later. -Justin ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354001 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm