[thelist] The URL SemiColon Exploit

.jeff jeff at members.evolt.org
Wed Jan 16 12:27:00 CST 2002


matt,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Warden, Matt
>
> <cfquery name="foo" datasource="#bar#">
> 	SELECT foo, bar
> 	FROM fubar
> 	where rudy=#url.rudy#
> </cfquery>
>
> Looks harmless, right?
>
> If the URL is http://mydomain.com/hax0rz.cfm?rudy=12
> then foo's SQL would be:
>
> SELECT foo, bar
> FROM fubar
> where rudy=12
>
> Like I said, harmless, right?
>
> Well, consider a URL like this:
>
> http://mydomain.com/hax0rz.cfm?12;DROP%20TABLE%20fubar
>
> Now, foo's SQL would be:
>
> SELECT foo, bar
> FROM fubar
> where rudy=12;DROP TABLE fubar
>
> a semicolon separates sql statements, so this is
> really two statements:
>
> SELECT foo, bar FROM fubar where rudy=12
> DROP TABLE fubar
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

this is easily solved in this instance by wrapping the variable with the
Val() function which will force the value to a number.

<cfquery name="foo" datasource="#bar#">
  SELECT foo
       , bar
    FROM fubar
   WHERE rudy = #Val(url.rudy)#
</cfquery>

now foo's sql, for either of the urls above, would be:

  SELECT foo
       , bar
    FROM fubar
   WHERE rudy = 12

fwiw, this isn't an issue, in most cases, with queries that use string
values rather than numeric values.  that's because cf server automatically
escapes single-quotes by doubling them up and thereby making the hacked sql
in the passed string part of the text value.  take this query as an example:

<cfquery name="foo" datasource="#bar#">
  SELECT foo
       , bar
    FROM fubar
   WHERE rudy = '#Trim(url.rudy)#'
</cfquery>

now suppose we were referencing it via a url like so:

http://mydomain.com/hax0rz.cfm?rudy=r937

the resulting sql would be:

  SELECT foo
       , bar
    FROM fubar
   WHERE rudy = 'r937'

let's say a script kiddie was going to try to drop the fubar table by
messing with the url and ending up with something like one of these:

http://mydomain.com/hax0rz.cfm?rudy=r937;%20DROP%20TABLE%20fubar

will result in:

  SELECT foo
       , bar
    FROM fubar
   WHERE rudy = 'r937; DROP TABLE fubar'

which is harmless.

or (notice the lone single-quote in the url):

http://mydomain.com/hax0rz.cfm?rudy=r937';%20DROP%20TABLE%20fubar

will result in:

  SELECT foo
       , bar
    FROM fubar
   WHERE rudy = 'r937''; DROP TABLE fubar'

which is also harmless.

so, the lesson to be learned is that so long as you write tight code and
enforce expected datatypes, you shouldn't have any problems with the
semi-colon exploit.

good luck,

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
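As an added illustration, not code from the thread, here is a Python/sqlite3 sketch of the approaches discussed above: raw interpolation of the url value, the Val() guard, CF server's doubling of single quotes, and a parameterised query (the equivalent of ColdFusion's cfqueryparam tag) as the general fix. The `cf_val` and `cf_string_literal` helpers are my approximations of ColdFusion's behaviour, and the table and rows are constructed.

```python
import re
import sqlite3

# Constructed sample inputs: the url parameter values from the thread.
BENIGN = "12"
INJECTED = "12;DROP TABLE fubar"


def cf_val(s: str) -> float:
    """Approximation of ColdFusion's Val(): the leading numeric portion
    of the string, or 0 when it does not start with a number."""
    m = re.match(r"\s*[-+]?(\d+\.?\d*|\.\d+)", s)
    return float(m.group(0)) if m else 0.0


def cf_string_literal(s: str) -> str:
    """Approximation of what cfquery does with a quoted variable: doubles
    any single quote, so the whole value stays inside the text literal."""
    return "'" + s.replace("'", "''") + "'"


def vulnerable_sql(rudy: str) -> str:
    """The pattern from the thread: the url value is pasted into the SQL."""
    return f"SELECT foo, bar FROM fubar WHERE rudy={rudy}"


def val_guarded_sql(rudy: str) -> str:
    """Jeff's fix: force the value to a number before interpolating."""
    return f"SELECT foo, bar FROM fubar WHERE rudy={int(cf_val(rudy))}"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the 'fubar' table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE fubar (rudy INTEGER, foo TEXT, bar TEXT);"
        "INSERT INTO fubar VALUES (12, 'f', 'b');"
    )
    return conn


def lookup_parameterised(conn: sqlite3.Connection, rudy: str) -> list:
    """The general fix: the value travels as a bound parameter, separate
    from the SQL text, so nothing in it can become a statement boundary."""
    return conn.execute("SELECT foo, bar FROM fubar WHERE rudy=?", (rudy,)).fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None
```

With the parameterised lookup the injected value simply matches no row, and the table is still there afterwards.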