Skip to main content
N
neilorourker
Participating Frequently
August 8, 2008
Question

SQL Injection attack

  • August 8, 2008
  • 9 replies
  • 2074 views
After an SQL injection attack I followed the advice to use cfqueryparam in my cfquery statements. Unfortunatley this does not seem to have worked as many records in my database have again been appended with scripts linking to javascript files on another website.

I haven't coded in Coldfusion in a while and would really appreciate it if someone could take a look at the code of one of my pages and let me know if I have missed anything or miss coded the cfqueryparam tag.

Thanks in advance

Neil
    This topic has been closed for replies.

    9 replies

    K
    khomel
    Known Participant
    August 14, 2008
    Don't forget to specify "type" in your cfparams as well. That will help as well.
    <cfparam name="url.imageid" default="0" type="numeric">
    A
    Anonymous
    August 13, 2008
    qateef,

    I think the regexp needs a few tweaks. First, there are carriage returns in your string which I believe need to be taken out. Second, the recent SQL injection attacks are using DECLARE/CAST/EXEC statements to use select/update statements that are encoded and would bypass the usual filters.

    This might work a little better.

    <cfset sqlregex = "(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|(DELETE\sFROM\s[\d\w\'\=]+)|(DROP\sTABLE\s[\d\w\'\=]+)|(DECLARE\s@)">

    I saw a good blog entry with more detail on the actual exploit.

    http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII

    Steve
      A
      Anonymous
      August 13, 2008
      Carlos,

      If you are using application.cfc then yes you will put the script inside the onRequestStart function. Don't forget to create an error page and call it messages.cfm.

      Good luck
      Mamdoh Alhabeeb
      A
      Anonymous
      August 11, 2008
      You can add the following code to your application file.

      <!--- CREATE SQL REGULAR EXPRESSION--->
      <cfset sqlregex = "
      (SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|
      (UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|
      (INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|
      (DELETE\sFROM\s[\d\w\'\=]+)|
      (DROP\sTABLE\s[\d\w\'\=]+)">

      <!--- CHECK FORM VARIABLES --->
      <cfloop collection="#form#" item="formelement">
      <cfif isSimpleValue(evaluate(formelement)) AND refindnocase(sqlregex, "#evaluate(formelement)#")>
      <cflocation url="messages.cfm?message=Invalid Input. Possible SQL Injection attack.">
      <cfset StructClear(form)>
      <cfabort>
      </cfif>
      </cfloop>

      <!--- CHECK URL VARIABLES --->
      <cfloop collection="#url#" item="formelement">
      <cfif isSimpleValue(evaluate(formelement)) AND refindnocase(sqlregex, "#evaluate(formelement)#")>
      <cflocation url="messages.cfm?message=Invalid Input. Possible SQL Injection attack.">
      <cfset StructClear(url)>
      <cfabort>
      </cfif>
      </cfloop>

      Good luck
      Mamdoh

      P.S: The credit for the script go to sys-con.com
      D
      Dan_Bracuk
      Inspiring
      August 9, 2008
      cfqueryparam does many good things for you such as handling apostrophes and improving performance. I use it unless there is a reason not to.
      N
      neilorourkerAuthor
      Participating Frequently
      August 9, 2008
      Thanks for the fast and comprehensive responses. I am currently going through every template and updating each CFquery with 'cfqueryparam'.

      The code I attached is from the page which my hosting provider advised has been the access point of the attack

      I tried www.riagforge.com but it looks like website is down.

      Do I only need to update queries where a variable is passed in a URL or do also need use cfqueryparam for values submitted in a form?

      Thanks again
      K
      Kronin555
      Participating Frequently
      August 9, 2008
      You need to do it for variables submitted through a FORM as well. Absolutely anything that is coming from the browser (URL variables, FORM variables, and COOKIE variables) is untrusted. You have no guarantees that it is what you expect it to be, so you should treat it accordingly. This applies even if you're doing javascript validation of the fields prior to submission. Those validation checks can be bypassed.

      C
      cheftimo
      Inspiring
      August 10, 2008
      Hello,

      I have had to deal with a couple of these attacks in the last few weeks. I am adding cfqueryparam to all the queries where I can, as time allows.

      There are a couple of things I don't understand; perhaps somebody cares to explain:

      I have a completely clean backup of the database. This past week, when one of these attacks surfaced again, I restored the database from that backup. I have had to do it several times because the problem shows up again, sometimes half an hour after I restore, sometimes half a day after.

      One question is: does someone have to actually send in a form or modify a URL for this to happen? Or, is there some kind of "seed" somewhere in the web site that triggers this automatically? Or are there bots constantly visiting and injecting?

      One other question: the fields where the injection shows up are all text fields of varying lengths, to which the injected string is appended – in all cases, the cfsqltype="cf_sql_varchar". How is <cfqueryparam> going to help there?

      Any ideas would be highly appreciated.

      Carlos
      D
      Dan_Bracuk
      Inspiring
      August 8, 2008
      cfqueryparam will prevent sql from executing when it it submitted to your db. Depending on the datatype it will either cause a crash or simply get stored.

      Same thing with javascript. The problem will come when you select the record and display it. If it's on a web page, it will execute. If it's in a textbox or textarea, it will display.

      At least that's what I observed when doing my own testing.

      There are ways to handle this on a page by page basis. I don't know of any global methods you can put in your application.cfc file.
      N
      Newsgroup_User
      Inspiring
      August 8, 2008
      There is also a code on RIA Forge (www.riagforge.com) that will scan
      your code base for any <cfquery...> tags that do not use <cfqueryparam...>

      It just takes one missed vulnerable query for this attack to succeed and
      one successful attack infects your entire database because that attack
      uses the database itself to scan all the tables and columns and insert
      the payload.

      K
      Kronin555
      Participating Frequently
      August 8, 2008
      this isn't the page that is updating your database (except for the view count). you need to post the code that updates the table(s) that have been affected
      Terms & ConditionsAccessibility statement
      Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices