[thelist] The URL SemiColon Exploit

Warden, Matt mwarden at mattwarden.com
Wed Jan 16 00:01:03 CST 2002


On Jan 15, Dan Slater had something to say about [thelist] The URL...

...
>In case you didn't know, there's a way to pass any SQL Server command via
>the URL by simply adding a semicolon at the end of the address, followed by
>the SQL command.  Apparently it only works if you pass a URL parameter
>first. (example:  mysite.com?thisVar=True)

If you're talking about what I THINK you're talking about, some things
need to be clarified.

The "exploit" is really due to some sloppy coding. For instance (and I'll
try to get this into CF syntax, but don't assume it's correct):

<cfquery name="foo" datasource="#bar#">
	SELECT foo, bar
	FROM fubar
	where rudy=#url.rudy#
</cfquery>

Looks harmless, right?

If the URL is http://mydomain.com/733t/hax0rz.cfm?rudy=12
then foo's SQL would be:

SELECT foo, bar
FROM fubar
where rudy=12

Like I said, harmless, right?

Well, consider a URL like this:

http://mydomain.com/733t/hax0rz.cfm?rudy=12;DROP%20TABLE%20fubar

Now, foo's SQL would be:

SELECT foo, bar
FROM fubar
where rudy=12;DROP TABLE fubar

A semicolon separates SQL statements, so this is really two statements:

SELECT foo, bar FROM fubar where rudy=12
DROP TABLE fubar

Uh oh. Your table's gone.

I usually have a function called sqlstring() (or, as sgd usually calls
his: ReplaceTicks()) that replaces all the bad SQL characters with either
their escaped equivalents or with nothing at all (i.e. deleting that
character). I'm not sure how to do functions in CF, so I'll leave that up
to you. But, yeah, you were on the right track when you wanted to stop the
semicolon from being a part of your SQL.

--
mattwarden
mattwarden.com
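As an added example (not code from the post or from ColdFusion itself), here is the interpolated query from the message beside its parameterized form, with a constructed sample table and Python's sqlite3 standing in for ColdFusion and SQL Server; executescript() is used to mimic a driver that runs a whole semicolon-separated batch, and the typed variant does roughly what cfqueryparam with cfsqltype="cf_sql_integer" does in CF:

```python
import sqlite3

# Constructed sample table using the column names from the post.
SCHEMA = """
CREATE TABLE fubar (foo TEXT, bar TEXT, rudy INTEGER);
INSERT INTO fubar VALUES ('a', 'b', 12), ('c', 'd', 13);
"""

# The URL value from the post, after the web server decodes %20.
PAYLOAD = "12;DROP TABLE fubar"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def run_interpolated(conn, rudy):
    """The pattern in the post: the raw URL value is pasted into the SQL text.

    executescript() stands in for a driver that, like SQL Server's, executes
    every ';'-separated statement it is handed, so the second statement runs.
    """
    conn.executescript(f"SELECT foo, bar FROM fubar WHERE rudy={rudy}")


def run_parameterized(conn, rudy):
    """Bound parameter: the value is sent as data and never parsed as SQL.

    The semicolon stays inside the string and is merely compared against the
    rudy column, so no second statement can exist.
    """
    return conn.execute(
        "SELECT foo, bar FROM fubar WHERE rudy=?", (rudy,)
    ).fetchall()


def run_typed(conn, rudy):
    """Extra layer for a numeric column: reject anything that is not an
    integer before the query is built. int() raises ValueError for PAYLOAD."""
    return run_parameterized(conn, int(rudy))
```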
