sql injection & cfqueryparam


ol...@ansit.no

Jan 12, 2010, 11:50:16 AM
to reacto...@googlegroups.com
Doesn’t Reactor use the <cfqueryparam> tag when it generates SQL?
Injecting SQL was no problem.

C:\www\RshFB\model\reactordata\Record\RSH_TD_MELDINGRecordoracle.cfc @
17:37:16.898

name qUpdateMeldingsFeil
statement update rsh_td_melding_feil
set statusteller = 6 + 1
WHERE LOGID2='OL' or 1=1--'
and statusteller = 0

datasource RSHT
record count 0
execution time 125ms

Doug Hughes

Jan 12, 2010, 11:53:18 AM
to reacto...@googlegroups.com
I can't say I understand what you've written here. What is the sample SQL you sent? How did you do the injection, etc.?

Doug Hughes, President
Alagad Inc.
dhu...@alagad.com
888 Alagad4 (x300)
Direct: 651 Alagad4 (651-252-4234)
Fax: 888-248-7836


--
You received this message because you are subscribed to the Google Groups "Reactor" group.
To post to this group, send email to reacto...@googlegroups.com.
To unsubscribe from this group, send email to reactor-user...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/reactor-users?hl=en.




Chris Blackwell

Jan 12, 2010, 11:57:19 AM
to reactor-users
I don't quite follow.
Can you provide a CFML example of the injection you are trying to show here?

2010/1/12 <ol...@ansit.no>

Chris Blackwell

Jan 12, 2010, 12:01:14 PM
to reactor-users
oh, hang on..
If that query was executed in the [Object]Recordoracle.cfc then it must be one you've written yourself..
does your query have <cfqueryparam> tags in it?

2010/1/12 <ol...@ansit.no>

ol...@ansit.no

Jan 12, 2010, 12:05:41 PM
to reacto...@googlegroups.com
The security department in our company managed to inject SQL by altering
data before it was posted to the server.

. . .
CBLOGID___logger_177_0000000000596373=on&CBLOGID___logger_177_0000000000596365=on&CBLOGID___logger_177_0000000000596375=on&CBLOGID___logger_177_0000000000596542=on&CBLOGID___logger_177_0000000000596545=on&CBLOGID___%27%7C%7C+UTL_HTTP.REQUEST%28%27ttp%2F%27%29+--=on

[Macromedia][Oracle JDBC Driver][Oracle]ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1577 ORA-12545: Connect failed because
target host or object does not exist ORA-06512: at line 1
. . .


This is what we used to generate the SQL posted in the previous mail.

<cfoutput>
<cfloop collection="#attributes#" item="fldName">
    <cfset RtdRecord = ''>
    <cfif left(fldName,10) eq 'CBLOGID___'>
        <cfset RtdRecord = Application.Reactor.createRecord("RSH_TD_MELDING").init() />
        <cfset RtdRecord.load(Logid="OL' or 1=1--") />
        <cfset RtdRecord.normalResend() />
        <cfset RtdRecord.save() />
        <cfabort>
    </cfif>
</cfloop>
</cfoutput>

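The query shown earlier in this thread (`WHERE LOGID2='OL' or 1=1--'`) is exactly what string concatenation produces when a value is pasted into the SQL text, and it is what `<cfqueryparam value="#logid#" cfsqltype="cf_sql_varchar">` prevents by binding the value as a parameter instead. The following is an added example, not code from Reactor or from the poster's application, written in Python against an in-memory SQLite table as a stand-in for the Oracle datasource; the table, its rows and the function names are constructed for the demonstration, and only the column and table names are borrowed from the thread.

```python
import sqlite3

# Constructed sample data: column and table names taken from the thread,
# rows invented for this example. All three rows have statusteller = 0.
SAMPLE_ROWS = [("OL", 0), ("AB", 0), ("CD", 0)]

# Value from the thread that was sent in place of a legitimate LOGID.
PAYLOAD = "OL' or 1=1--"


def make_db():
    """Create a fresh in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE rsh_td_melding_feil (logid2 TEXT, statusteller INTEGER)"
    )
    conn.executemany("INSERT INTO rsh_td_melding_feil VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def update_unsafe(conn, logid):
    """Concatenation: the value becomes part of the SQL text.

    With PAYLOAD the statement turns into
        ... WHERE logid2 = 'OL' or 1=1--' AND statusteller = 0
    and the trailing '--' comments out the rest of the WHERE clause.
    """
    sql = (
        "UPDATE rsh_td_melding_feil SET statusteller = statusteller + 1 "
        "WHERE logid2 = '" + logid + "' AND statusteller = 0"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows the UPDATE touched


def update_safe(conn, logid):
    """Bound parameter (the sqlite3 equivalent of <cfqueryparam>).

    The driver sends the value separately from the statement text, so the
    quote and the '--' inside it are data, never SQL syntax.
    """
    sql = (
        "UPDATE rsh_td_melding_feil SET statusteller = statusteller + 1 "
        "WHERE logid2 = ? AND statusteller = 0"
    )
    cur = conn.execute(sql, (logid,))
    conn.commit()
    return cur.rowcount


def rows_touched(update, logid=PAYLOAD):
    """Run one of the update functions on a fresh table and report the row count."""
    conn = make_db()
    try:
        return update(conn, logid)
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate id updates exactly one row either way.
    print("legit, unsafe:", rows_touched(update_unsafe, "OL"))   # 1
    print("legit, safe:  ", rows_touched(update_safe, "OL"))     # 1
    # The injected value updates every row through concatenation and
    # no row at all through the bound parameter (no logid2 equals it).
    print("payload, unsafe:", rows_touched(update_unsafe))        # 3
    print("payload, safe:  ", rows_touched(update_safe))          # 0
```

The useful check for a code review is the row count: a parameterised query given the payload matches zero rows because the database compares the whole string, quote and comment marker included, against `logid2`; the concatenated query matches all of them. The same applies to the `UTL_HTTP.REQUEST` variant in the error above: bound as a parameter it is just an odd-looking `LOGID` value, not a function call.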

ol...@ansit.no

Jan 12, 2010, 12:11:43 PM
to reacto...@googlegroups.com
My apologies go to the creators of Reactor.

How could I ever suspect the framework of not using the <cfqueryparam>
tag.

Chris Blackwell is absolutely correct. The RSH_TD_MELDINGRecordoracle.cfc
is modified.

Sorry for wasting your valuable time.


On Tue, 12 Jan 2010 17:01:14 +0000, Chris Blackwell <ch...@team193.com>
wrote:
> oh, hang on..
> If that query was executed in the [Object]Record*oracle*.cfc then it must be
> one you've written yourself..
> does your query have <cfqueryparam> tags in it?
>
> 2010/1/12 <ol...@ansit.no>
>
>> Doesn’t Reactor use the <cfqueryparam> tag when it generates SQL?
>> Injecting SQL was no problem.
>>
>> C:\www\RshFB\model\reactordata\Record\RSH_TD_MELDINGRecordoracle.cfc @
>> 17:37:16.898
>>
>> name qUpdateMeldingsFeil
>> statement update rsh_td_melding_feil
>> set statusteller = 6 + 1
>> WHERE LOGID2='OL' or 1=1--'
>> and statusteller = 0
>>
>> datasource RSHT
>> record count 0
>> execution time 125ms
>>
>>

Doug Hughes

Jan 12, 2010, 12:23:57 PM
to reacto...@googlegroups.com
"How could I ever suspect the framework of not using the <cfqueryparam> tag."

The answer to that question is easy: humans mess up. It could easily have happened, and we thank you for being concerned enough to bring it up to us.


Doug Hughes, President
Alagad Inc.
dhu...@alagad.com
888 Alagad4 (x300)
Direct: 651 Alagad4 (651-252-4234)
Fax: 888-248-7836

