
Assuming ColdFusion 10,0,13,287689 and Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production.

With this example...

<cfquery name="q" datasource="ds"> update someTable set #form.col#label = <cfqueryparam cfsqltype="cf_sql_varchar" value="#x#"> where id = <cfqueryparam cfsqltype="cf_sql_decimal" value="#id#"> </cfquery> 

Also assuming there is no data validation checking on #form.col#, how could this be exploited? Obviously they could cause the query to fail with an invalid column, but I don't see any way something more malicious could be done since multiple statements cannot be run in a single <cfquery>. So something like this does not work...

#form.col#:

id = 1; delete from users; --comment everything else out... 

I'm aware that with SELECTs it's easier to exploit using unions to get data you're not authorized to see, but I'm curious about this specific update statement.

  • 1
    codereview.stackexchange.com Commented May 16, 2014 at 16:07
  • 3
    This question appears to be off-topic. I'm moving it to codereview.stackexchange.com. Commented May 16, 2014 at 16:08
  • 1
    "since multiple statements cannot be ran in a single cfquery" - except for the times when they can? Commented May 16, 2014 at 16:23
  • 1
    last time I checked, multiple statements in a single cfquery was only possible with mysql and sql server. That was a few years back though. Commented May 16, 2014 at 16:56
  • 1
    One example: pass the col variable as something like: public_column = (SELECT badly_encrypted_password FROM users WHERE username='admin' ), <original_value> - then a later SELECT can be used to obtain the hash for the attacker to bruteforce/etc. Commented May 16, 2014 at 17:35

1 Answer


Whilst the traditional example for SQL injection involves sequential SQL statements, that is only a simple example used to highlight the issue - if unprotected user-derived text is allowed anywhere in any query there's a chance an attacker will be able to make use of it.

In this specific example, your query is:

update someTable set #form.col#label = ? where id = ?

To abuse that is simple - prefix a genuine col value with something like:

public_column = (SELECT badly_encrypted_password FROM users WHERE username='admin' ), <orig_value> 

The resultant SQL is then:

update someTable set public_column = ( SELECT badly_encrypted_password FROM users WHERE username='admin' ) , <orig_value>label = ? where id = ?

This, of course, sets the value of that column to the result of the sub-query, and a separate SELECT elsewhere would then innocently return the sensitive data.

Alternatively, an attacker may decide simply to deface/remove data using this method, and depending on what precisely Oracle's SQL syntax allows, other things might be possible.


1 Comment

Is there a way to protect against this other than doing a whole bunch of data validation on the form.col?
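The following is an added, runnable example (not code from the question, the answer, or ColdFusion itself) that replays the attack the answer describes and then shows the usual defence the comment above asks about. SQLite via Python's standard sqlite3 module stands in for Oracle so it runs offline; the injected `set public_column = (SELECT ...), <orig_value>label = ?` shape is valid in both. The table layout, the column name `first` (standing in for the answer's `<orig_value>`, so the real column is `firstlabel`), the `users` row and its MD5-looking hash are all constructed for the demonstration. The hardened variant rejects any `form.col` that is not in a fixed allow-list before the SQL is assembled, which in CFML would be a `listFindNoCase` (or struct lookup) check before the `<cfquery>`.

```python
import sqlite3

# Constructed sample schema and rows standing in for the page's someTable and
# users tables. SQLite replaces Oracle so the example runs offline; the
# "set col = (SELECT ...)" shape the attack relies on is valid in both.
SCHEMA = """
CREATE TABLE someTable (id INTEGER PRIMARY KEY, firstlabel TEXT, public_column TEXT);
INSERT INTO someTable VALUES (1, 'old label', 'visible to everyone');
CREATE TABLE users (username TEXT, badly_encrypted_password TEXT);
INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""

# Assumed allow-list of legitimate form.col values for this form.
ALLOWED_COLS = {"first", "second"}

# The payload from the answer, with "first" as the genuine <orig_value>.
PAYLOAD = ("public_column = (SELECT badly_encrypted_password FROM users "
           "WHERE username='admin'), first")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_update(conn, col, x, row_id):
    """Mirrors the page's <cfquery>: the column fragment is concatenated into
    the statement while the two values are bound. Returns the SQL sent."""
    sql = f"update someTable set {col}label = ? where id = ?"
    conn.execute(sql, (x, row_id))
    conn.commit()
    return sql


def hardened_update(conn, col, x, row_id):
    """Same statement, but the column fragment must match the allow-list
    before any SQL is built. Anything else is rejected, not sanitised."""
    if col not in ALLOWED_COLS:
        raise ValueError(f"unexpected column name: {col!r}")
    sql = f"update someTable set {col}label = ? where id = ?"
    conn.execute(sql, (x, row_id))
    conn.commit()
    return sql


def read_public(conn, row_id):
    row = conn.execute("select public_column from someTable where id = ?",
                       (row_id,)).fetchone()
    return row[0]


def demo_attack():
    """Run the injected UPDATE; the admin hash lands in public_column."""
    conn = open_db()
    vulnerable_update(conn, PAYLOAD, "new label", 1)
    return read_public(conn, 1)


def demo_defence():
    """Same payload against the allow-listed version: rejected, row untouched."""
    conn = open_db()
    try:
        hardened_update(conn, PAYLOAD, "new label", 1)
    except ValueError:
        return read_public(conn, 1)
    return "allow-list failed"


def demo_legit():
    """A legitimate form.col value still works through the hardened path."""
    conn = open_db()
    hardened_update(conn, "first", "new label", 1)
    row = conn.execute("select firstlabel from someTable where id = ?",
                       (1,)).fetchone()
    return row[0]


if __name__ == "__main__":
    print("after attack, public_column =", demo_attack())
    print("after defence, public_column =", demo_defence())
    print("legit update, firstlabel =", demo_legit())
```

Note that the hardened version does not try to escape or clean the value: an identifier cannot be bound with cfqueryparam, so the only safe option is to accept it only if it is one of a small set of known column names and otherwise refuse the request.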
