blind sql injection vulnerability on scan
Any suggestions on how to remedy a blind SQL injection vulnerability? The page didn't include SQL, but the conclusion said:
Using the HTTP GET method, Nessus concluded that the following resources may be vulnerable to blind SQL injection (time based):
"The 'page' parameter of the store.cfm CGI:
store.cfm?country=0&dodaac=N&page=case_lot_dates;Select%20pg_sleep(3);
When I run the above URL, it does nothing but display the site's error page. I don't think I can explain it away as a 'false positive'. These URL values (country, dodaac, page) are not user input; the values are static. I did not know to try the urlencodedformat method to eliminate it.
We are using CF9 in production but will move to CF11, which is in dev and test. Any suggestions are greatly appreciated. Thank you.
What you need to do is make sure that what you receive is what you expect. If it is not, handle it correctly and do not just let it go to an error handler.
-Dave
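Dave's point above, as an added Python example (not ColdFusion and not code from the thread): the query string is attacker-controlled even when your own links only ever put fixed values in it, so each parameter store.cfm receives is checked against what the page expects before it reaches SQL, and the Nessus payload is refused up front. The allowed page names and the in-memory table are constructed for the example.

```python
import re
import sqlite3

# What store.cfm is known to accept. The page vocabulary is constructed for
# this example; the real site's list is not shown in the thread.
ALLOWED_PAGES = {"case_lot_dates", "home", "contact"}
COUNTRY_RE = re.compile(r"[0-9]{1,3}")     # country: small numeric code
DODAAC_RE = re.compile(r"[A-Z0-9]{1,6}")   # dodaac: e.g. "N", letters/digits


def validate_store_params(params):
    """Return (country, dodaac, page) only when each value is what we expect;
    otherwise raise ValueError so the caller answers with a clean 4xx instead
    of letting the value reach the database and a generic error page."""
    country = params.get("country", "")
    dodaac = params.get("dodaac", "")
    page = params.get("page", "")
    if not COUNTRY_RE.fullmatch(country):
        raise ValueError("country must be a 1-3 digit code")
    if not DODAAC_RE.fullmatch(dodaac):
        raise ValueError("dodaac must be 1-6 letters or digits")
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page name")
    return int(country), dodaac, page


def is_valid(params):
    """Convenience wrapper: True when validate_store_params accepts params."""
    try:
        validate_store_params(params)
        return True
    except ValueError:
        return False


def lookup_store(conn, params):
    """Query with validated values bound as parameters; the SQL text is fixed."""
    country, dodaac, page = validate_store_params(params)
    row = conn.execute(
        "SELECT content FROM store_pages "
        "WHERE country = ? AND dodaac = ? AND page = ?",
        (country, dodaac, page)).fetchone()
    return row[0] if row else None


def demo_db():
    """Constructed in-memory table standing in for the store database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE store_pages "
                 "(country INTEGER, dodaac TEXT, page TEXT, content TEXT)")
    conn.execute("INSERT INTO store_pages VALUES (0, 'N', 'case_lot_dates', "
                 "'case lot dates for N')")
    return conn
```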
Tags: ColdFusion
Similar Questions
-
Hello
My site has been pulled down by the host. They sent me the following message:
"We got information that there is SQL injection on our server and when we traced the injection point, it is on your domain.
This is the type of attack:
SQL generic sql update injection attempt - GET, SQL union select parameter - possible sql injection attempt - GET parameter
That's why we need to disable your Web site temporarily.
Please scan your PC and the Web site's local files and make sure that your local PC files and the Web site are virus-free.
If you have analyzed the local files on your PC and the website and also made sure that there is no virus, please update this post once again.
So we can reactivate your website." Anyone know what I should use for scanning for this, please?
Thank you
Apple hosts your Web site?
-
Hello all-
I have a server with a large number of ColdFusion templates (over 10,000) that I really need to protect against SQL injection.
I know that CFQUERYPARAM is the best way to do it. I would like to do it that way, but with so many pages and so many queries it would take weeks/months to fix the queries and test to ensure that I don't screw something up.
So, I came up with a plan that I wanted to get feedback on.
Currently, I have a page on my server that is included in almost every page that runs. It's a simple page that I can edit to change the state of my system in the case of a database change or another kind of failure. (Pages still run, but no updates are allowed: read-only.)
Okay, so on this page which is always included, I thought of analyzing the incoming variables. I was thinking about looking for things that look like a SQL injection attack and blocking the page from running.
I wanted to know if this could work. Does anyone have any ideas? It would be great because I could protect the entire server in about an hour. But I don't want to give myself a false sense of security if it really won't do the job.
First of all, here are a few simple things you can do to protect all pages before you follow the other tips and plans in this thread:
- In the CF administrator, click your data source, then click the "Advanced" button.
There, uncheck everything except Read, Stored Procedure and (optionally) Write permissions. 'Drop', 'Create', etc. are defined here.
- If you haven't already done so, make a read-only data source and refactor your code to use it everywhere, with the exception of carefully separated deletes, inserts and updates.
- Now, in SQL Server, remove all permissions from the users you use, with the exception of data_reader, (selectively) data_writer and exec on the procedures or functions that you use.
- In SQL Server, configure at least two CF users. One should have only the data_reader permission (plus read-only stored procedures).
- Find articles like this one: http://www.sqlservercentral.com/columnists/bknight/10securingyoursqlserver.asp and follow their advice, starting by locking down xp_cmdshell.
These measures require little or no CF code change, but will block all but the most determined and skilled hackers. You should still follow Adam's good advice.
BTW, Dan is very wrong: ALL DBs are vulnerable to SQL injection.
SQL Server is not the most vulnerable (studies show that Oracle now has this "honour").
-
Insert data to DB avoiding code SQL injection
Hello
I used the following method to insert data into the DB:
(1) I have a 'DB helper class' in which I have the following function:
void dbHelper::createOrUpdateRecord(const QString Insertquery)
{
    QSqlDatabase database = QSqlDatabase::database();
    QSqlQuery query(database);
    query.prepare(Insertquery);   // the values are already part of the SQL text
    if (query.exec()) {
        alert(tr("Record created"));
    } else {
        const QSqlError error = query.lastError();
        alert(tr("Create record error: %1").arg(error.text()));
    }
    database.close();
}
(2) Where I want to insert data into the DB, I create the insert query string and pass the string as a parameter to the function above:
createOrUpdateQuery = ("INSERT INTO tutorial (title,titleArabic,shortDesc,shortDescArabic,description,descriptionArabic,externalLink,tutorialId,isActive) VALUES(\""
    + map.value("title").toString() + "\", \""
    + map.value("titleArabic").toString() + "\",\""
    + map.value("shortDesc").toString() + "\",\""
    + map.value("shortDescArabic").toString() + "\",\""
    + map.value("description").toString() + "\",\""
    + map.value("descriptionArabic").toString() + "\",\""
    + map.value("externalLink").toString() + "\",\""
    + map.value("tutorialId").toString() + "\",\""
    + map.value("isActive").toString() + "\" )");
dbHelp.createOrUpdateRecord(createOrUpdateQuery);
I read that this method also causes SQL injection, and using this method we can insert only strings as data values.
My question is:
I read that the best method to insert data is using "bind". So, if I am trying to use the 'bind' method, then I won't be able to make the DB integration a generic function. Is this possible? Please help me do the insertion of data into the DB as a generic function.
I didn't test this, but it might give you an idea:
sql = "INSERT INTO tutorial (title,titleArabic,shortDesc,shortDescArabic,description,descriptionArabic,externalLink,tutorialId,isActive) "
      "VALUES(:title, :titleArabic, :shortDesc, :shortDescArabic, :description, :descriptionArabic, :externalLink, :tutorialId, :isActive)";
createOrUpdateRecord(sql, map);

void dbHelper::createOrUpdateRecord(const QString Insertquery, QMap<QString, QVariant> paramMap)
{
    QSqlDatabase database = QSqlDatabase::database();
    QSqlQuery query(database);
    query.prepare(Insertquery);
    // Bind each map entry to the placeholder of the same name, so the
    // values never become part of the SQL text (loop completes the post,
    // which was cut off here).
    QMap<QString, QVariant>::const_iterator i;
    for (i = paramMap.constBegin(); i != paramMap.constEnd(); ++i) {
        query.bindValue(":" + i.key(), i.value());
    }
    if (query.exec()) {
        alert(tr("Record created"));
    } else {
        const QSqlError error = query.lastError();
        alert(tr("Create record error: %1").arg(error.text()));
    }
    database.close();
}
-
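The generic insert the Qt question asks for, as an added Python example (my own code, not from the thread, using sqlite3 instead of QSqlQuery): the column list is derived from the record's keys but checked against an allow-list, because column names cannot be bound, and every value goes through a named placeholder. The table is the question's tutorial table; the allow-list, the in-memory database and the sample title are constructed.

```python
import sqlite3

TRICKY_TITLE = 'Bob\'s "SQL" intro"); DROP TABLE tutorial; --'   # constructed

# Column names cannot be bound as parameters, so each table's columns are
# allow-listed. The tutorial table is taken from the question; the list
# itself is constructed for this example.
TABLE_COLUMNS = {
    "tutorial": {"title", "titleArabic", "shortDesc", "shortDescArabic",
                 "description", "descriptionArabic", "externalLink",
                 "tutorialId", "isActive"},
}


def create_record(conn, table, record):
    """Generic insert: the column list comes from the record's keys (checked
    against the allow-list) and every value is bound to a named placeholder,
    so no value ever becomes part of the SQL text."""
    allowed = TABLE_COLUMNS.get(table)
    if allowed is None:
        raise ValueError(f"unknown table {table!r}")
    unknown = set(record) - allowed
    if unknown:
        raise ValueError(f"unknown column(s) {sorted(unknown)}")
    cols = sorted(record)
    sql = "INSERT INTO {} ({}) VALUES ({})".format(
        table, ", ".join(cols), ", ".join(":" + c for c in cols))
    cur = conn.execute(sql, record)  # sqlite3 fills :name from the dict
    conn.commit()
    return cur.rowcount


def fetch_title(conn, tutorial_id):
    row = conn.execute("SELECT title FROM tutorial WHERE tutorialId = ?",
                       (tutorial_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Constructed in-memory database; returns the title read back after
    inserting a value full of quote characters and a fake DROP."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tutorial (tutorialId INTEGER, title TEXT, "
                 "titleArabic TEXT, shortDesc TEXT, shortDescArabic TEXT, "
                 "description TEXT, descriptionArabic TEXT, "
                 "externalLink TEXT, isActive INTEGER)")
    create_record(conn, "tutorial",
                  {"tutorialId": 1, "title": TRICKY_TITLE, "isActive": 1})
    return fetch_title(conn, 1)


def rejects_unknown_column():
    """The allow-list at work: a key that is not a real column is refused
    before any SQL is built."""
    try:
        create_record(sqlite3.connect(":memory:"), "tutorial",
                      {"title) VALUES ('x'); --": "x"})
        return False
    except ValueError:
        return True
```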
IPS detects SQL Injection on HTTPS
Hello
Do you think Cisco IPS is able to detect SQL injection via HTTPS?
"In some situations, it may be possible to detect and prevent SQL injection attacks by using an intrusion prevention system (IPS). For an IPS to be effective, it must have visibility into the application traffic. For applications that use end-to-end encryption with HTTPS (for example, applications that use HTTPS without termination or acceleration at an intermediate network device), an IPS cannot identify traffic with the characteristics of a SQL injection attack." by:
-
Hi all
I Googled it but couldn't find a definite answer. Please, someone help me understand SQL INJECTION with a good example.
Thank you very much
Same question a few days ago
See this too
I recommend you study how to write SQL-injection-proof code.
-
explain sql injection?
When you use dynamic SQL and forget to use bind variables, you open yourself to SQL injection. Here's a simple example.
SQL> create or replace procedure bad_procedure
(
  p_ename  in  varchar2,
  p_retval out sys_refcursor
)
is
begin
  open p_retval for
    q'[select * from emp where ename = ']' || p_ename || q'[']';
end;
/
Procedure created.
SQL> show err
No errors.
SQL> create or replace procedure good_procedure
(
  p_ename  in  varchar2,
  p_retval out sys_refcursor
)
is
begin
  open p_retval for
    q'[select * from emp where ename = :1]' using p_ename;
end;
/
Procedure created.
SQL> show err
No errors.
SQL>
SQL> var rc refcursor
SQL>
SQL> exec bad_procedure(q'[' or 1=1--]', :rc)
PL/SQL procedure successfully completed.
SQL> print rc
 EMPNO ENAME      JOB        MGR  HIREDATE   SAL  COMM DEPTNO
------ ---------- --------- ----- --------- ---- ----- ------
  7369 SMITH      CLERK      7902 02-APR-81 2975     0     20
  7499 ALLEN      SALESMAN   7698 20-FEB-81 1600   300     30
  7521 WARD       SALESMAN   7698 22-FEB-81 1250   500     30
  7566 JONES      MANAGER    7839 02-APR-81 2975     0     20
  7654 MARTIN     SALESMAN   7698 28-SEP-81 1250  1400     30
  7698 BLAKE      MANAGER    7839 01-MAY-81 2850     0     30
  7782 CLARK      MANAGER    7839 09-JUN-81 2450     0     10
  7788 SCOTT      ANALYST    7566 19-APR-87 3000     0     20
  7839 KING       PRESIDENT       17-NOV-81 5000     0     10
  7844 TURNER     SALESMAN   7698 08-SEP-81 1500     0     30
  7876 ADAMS      CLERK      7788 23-MAY-87 1100     0     20
11 rows selected.
SQL> exec good_procedure(q'[' or 1=1--]', :rc)
PL/SQL procedure successfully completed.
SQL> print rc
no rows selected
SQL>
You can see that when not using bind variables, I could inject my own SQL into the procedure and get output that I should not have been able to get.
Note: the example above is just to reproduce SQL injection. You actually do not need dynamic SQL to achieve this.
-
SQL injections. If I use Muse, are these impossible?
If I use Muse to design my new website, is it still possible to be hacked by someone using SQL injection?
Hello
in case you still need an answer,
SQL injection mostly targets sites that use a database. Up to now, Muse generates static sites, meaning no interaction with a database and no dynamic content. You need to export the site in HTML format and then make changes in the code if you want to include a database or any other dynamic content. Once you do this, you can try firewalls and similar intrusion detection mechanisms, which offer little defense against large-scale web attacks.
I hope this helps.
-
Hello!
I work in APEX (calling APEX_PLSQL_JOB), where a job is defined on the web page as:
l_sql := 'BEGIN some_proc('
      || l_actions_diary_id
      || ','
      || :P305_ACTIVE_PERIOD
      || ','''
      || :APP_USER
      || ''','
      || :APP_ID
      || ','
      || :G_XE_APP_ID
      || '); END;'
      ;
l_retval := APEX_PLSQL_JOB.SUBMIT_PROCESS (p_sql => l_sql);
It's a security (SQL injection point) issue that could be solved as:
l_sql := 'BEGIN some_proc('
      || l_actions_diary_id
      || ',:P305_ACTIVE_PERIOD, :APP_USER, :APP_ID, :G_XE_APP_ID);END ;'
      ;
but then the variables (:P305_ACTIVE_PERIOD, :APP_USER, :APP_ID, :G_XE_APP_ID) will not be parsed with their true values!
What is the best security for such a case?
RG,
Damir
The most simple and rather safe approach is using DBMS_ASSERT, as already said.
Here's what your modified code will look like:
l_sql := 'BEGIN some_proc('
      || l_actions_diary_id || ','
      || ' DBMS_ASSERT.ENQUOTE_LITERAL(' || :P305_ACTIVE_PERIOD || '),'
      || ' DBMS_ASSERT.ENQUOTE_LITERAL(' || :APP_USER || '),'
      || ' DBMS_ASSERT.ENQUOTE_LITERAL(' || :APP_ID || '),'
      || ' DBMS_ASSERT.ENQUOTE_LITERAL(' || :G_XE_APP_ID || ') );END ;' ;
The actual values of the items just get through that way, as appropriate.
With this approach, you don't have to worry about is_numeric: if your proc/function has parameters defined as numbers, Oracle performs implicit conversions.
Kind regards
-
prevent sql injection when passing an input parameter
Dear expert;
I was advised not to program that way due to the fact that it could cause SQL injection. Therefore, what is the alternative for the below? It must be a function that returns a ref cursor. See my syntax below;
any help is appreciated. Thank you.
create or replace package test as
  type list_cur is ref cursor;
  function lists_needed(p_class varchar2) return list_cur;
end test;

create or replace package body test as
  function lists_needed(p_class varchar2) return list_cur is
    my_list_cur list_cur;
  begin
    open my_list_cur for
      select id from tbl_one t where t.id like (p_class) || '%';
    return my_list_cur;
  end lists_needed;
end test;
SQL injection requires dynamic code. I don't see how it could happen in this code or in the example in your other thread.
-
Prevent SQL injection - cannot use cfqueryparam in this case
Hello. I have a form with a checkbox next to each line. If the user checks certain boxes and then clicks the "Delete" button, I want to run the following query, but I want to protect it from SQL injection attacks:
<cfquery datasource="#application.mainDS#">
    delete userMessages
    where messageID in (#form.messageID#)
</cfquery>
As written above, it works fine. But if I try to protect this code with <cfqueryparam value="#form.messageID#" cfsqltype="cf_sql_varchar">, I get this error: "Conversion failed when converting the varchar value '7,21' to data type int." (7 and 21 are the messageIDs to delete.) Of course the comma prevents the conversion to an integer.
If I use cfsqltype="cf_sql_integer", the string is converted to a single integer (in this case 40015, which is nonsense).
I tried passing form.messageID to a stored procedure, but I seemed to have the same problem there. I was able to execute the query in a loop where I just remove one line at a time, but I want to run one query if I can do it safely. Any ideas?
Thank you.
PK
You just need to add the 'list' attribute to cfqueryparam to indicate that the 'value' contains multiple messageIDs.
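What the list attribute does for the IN clause above, as an added Python example (my own code with sqlite3, not CFML from the thread): the posted value "7,21" is parsed into integers and the query gets one bound placeholder per id, so the ids never travel as SQL text. The table and its three rows are constructed.

```python
import sqlite3


def parse_message_ids(form_value, max_ids=100):
    """Turn the posted form.messageID value such as "7,21" into a list of
    ints; anything that is not a comma-separated list of integers is
    rejected before any SQL is built."""
    ids = []
    for part in form_value.split(","):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"bad messageID {part!r}")
        ids.append(int(part))
    if not ids or len(ids) > max_ids:
        raise ValueError("messageID list empty or too long")
    return ids


def delete_messages(conn, form_value):
    """One '?' per id, which is what cfqueryparam list="true" expands to;
    the ids are passed as bound parameters, never concatenated."""
    ids = parse_message_ids(form_value)
    marks = ", ".join("?" * len(ids))
    cur = conn.execute(
        f"DELETE FROM userMessages WHERE messageID IN ({marks})", ids)
    conn.commit()
    return cur.rowcount


def remaining(conn):
    return conn.execute("SELECT COUNT(*) FROM userMessages").fetchone()[0]


def demo_db():
    """Constructed table with three messages (ids 7, 21 and 40)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userMessages "
                 "(messageID INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO userMessages VALUES (?, ?)",
                     [(7, "a"), (21, "b"), (40, "c")])
    conn.commit()
    return conn


def delete_or_reject(form_value):
    """Returns the number of rows deleted, or -1 when the value was refused
    and nothing reached the database."""
    conn = demo_db()
    try:
        return delete_messages(conn, form_value)
    except ValueError:
        return -1
```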
-
How to escape text in the query template to avoid SQL injection
We plan to use Oracle Text for searching in a Java web application and to use a query template as shown below, but we are concerned about SQL injection attacks. In general we use parameterized queries, but that does not seem possible with these query templates. Is there advice or a recommended way to avoid SQL injection when using query templates: which characters need to be escaped or cleaned from the user's input, etc.? Or is there another approach to query templates which does the same thing but can use bind parameters?
SELECT SCORE(1), my_id
  FROM my_table
 WHERE CONTAINS(search_dummy,
'<query>
   <textquery lang="..." grammar="CONTEXT"> dangerous search terms
     <progression>
       <seq><rewrite>transform((TOKENS, "${", "}", ""))</rewrite></seq>
       <seq><rewrite>transform((TOKENS, "${", "}", ";"))</rewrite></seq>
       <seq><rewrite>transform((TOKENS, "${", "}", "AND"))</rewrite></seq>
       <seq><rewrite>transform((TOKENS, "${", "}", "ACCUM"))</rewrite></seq>
     </progression>
   </textquery>
   <score datatype="INTEGER" algorithm="COUNT"/>
</query>', 1) > 0
ORDER BY SCORE(1) DESC;
Thanks in advance for any help or advice!
You should be able to put the entire CONTAINS clause argument into a bind variable, which prevents SQL injection. It is possible they could do 'CONTAINS injection' and perform a different search within the CONTAINS clause than you intended, but unless you are relying on part of the CONTAINS clause to implement security, that shouldn't be a problem.
-
Good night:
I'm trying to understand the use of OracleParameters in VB .NET 2008. It is said that their goal is to avoid SQL injection, but as far as I know Oracle throws an exception whenever you use one; so I guess that it is not possible to inject malicious SQL into Oracle.
Anyone know if this is possible and how a SQL injection against Oracle would work using a .NET ADO command?
Thank you
The section "Understanding SQL Injection Attacks in a .NET Application" in Oracle Database Security: http://www.oracle.com/technology/pub/articles/mastering_dotnet_oracle/cook_masteringdotnet.html shows examples in VB .NET.
-
Reduce SQL injection when forced to use substitution variables
The 3rd-party software that I use has exactly one way to allow users to specify execution settings: substitution variables.
The scripts are executed using SQL*Plus. I'm looking for ways to secure this.
Please, don't say "do not use substitution variables"; read above, it is the only way this software works.
My first thought was something like this:
var myvar varchar2(30)
exec :myvar := '&user_input';
It's no good. What happens if the user specifies X'; execute immediate 'drop table sometable ? Then we get
exec :myvar := 'X'; execute immediate 'drop table sometable';
Once again, not good.
I thought that perhaps something like the following would work:
exec :myvar := dbms_assert.noop('&user_input');
but then again, a malicious user could specify '); execute immediate 'drop table sometable'; dbms_assert.noop('
I'm open to suggestions.
What can I do to clean up the substitution variables?
Thank you!
Edited by: Yes on 30 January 2013 15:02
If your attacker is able to enter a value for this substitution parameter, it is too late to worry.
He can stop the execution of the script and enter any malicious code he wants. Or did I miss something?
-
How to detect the SQL type to avoid SQL injection
Hello
I work in a GSM company and we are developing a program for trend analysis. Users of this program can write SQL statements. I want to accept only specific SQL statements as my program's input statement (SELECT ... FROM ...), mostly SELECT statements. I have dynamic SQL and PL/SQL blocks in my program. I get user-defined SQL statements and execute them as dynamic SQL.
Here's the problem: I need to understand what type of SQL they give as my program's input parameter, to avoid wrong operations (DELETE, TRUNCATE, DROP...).
First of all I thought of using a RegExp to understand whether it is a SELECT SQL or a DELETE SQL...
Is there a recommendation on this problem? Does Oracle have any procedure to detect it?
Thank you
Hi a_yavuz,
We had to solve the same problem while working on a project that receives user SQL statements; we check the SQL as follows:
lb_bool := regexp_like(upper(pv_sql), '^ (-() * *(SELECT|))) (WITH)');
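The regexp_like approach of the answer above, as an added Python example (my own code, not from the thread; the pattern is my reconstruction of that shape, not the poster's exact one): leading blanks, comments and opening parentheses are skipped and only the first keyword is classified, so the trend-analysis program can refuse anything that is not SELECT or WITH. The sample statements are constructed.

```python
import re

# Things that may legitimately precede the first keyword: blanks, "--" line
# comments, "/* */" block comments and opening parentheses. Reconstruction of
# the shape of the regexp_like check in the answer above, not its exact text.
_LEADING = r"(?:\s|--[^\n]*\n|/\*.*?\*/|\()*"
_KEYWORD_RE = re.compile(r"^" + _LEADING + r"([A-Za-z]+)", re.S)

READ_ONLY_TYPES = {"SELECT", "WITH"}


def statement_type(sql):
    """Return the leading SQL keyword in upper case ('SELECT', 'DELETE', ...)
    or None when no keyword is found. Only the first keyword is classified;
    nothing after it is inspected, so this is a gate, not a full parser."""
    m = _KEYWORD_RE.match(sql)
    return m.group(1).upper() if m else None


def is_read_only_statement(sql):
    """The check the answer describes: accept only statements that start
    with SELECT or WITH once comments, blanks and parentheses are skipped."""
    return statement_type(sql) in READ_ONLY_TYPES


# Constructed sample inputs a trend-analysis user might submit, with the
# type the gate assigns to each.
SAMPLES = {
    "select sal from emp where deptno = 20": "SELECT",
    "  -- top earners\n(SELECT ename FROM emp ORDER BY sal DESC)": "SELECT",
    "/* cte */ with t as (select 1 from dual) select * from t": "WITH",
    "delete from emp": "DELETE",
    "TRUNCATE TABLE emp": "TRUNCATE",
    "   drop table emp": "DROP",
    "": None,
}


def classify_samples():
    """Map each sample statement to the type statement_type reports."""
    return {sql: statement_type(sql) for sql in SAMPLES}
```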