Sunday, August 22, 2010

Cold Fusion article.cfm SQL injection

Hi,

This is another quick post. While browsing the web and looking at specific pages that I wanted to test, there was one website that had Cold Fusion 8 installed to manage its content. I started playing with the pages and in less than 5 minutes of browsing a SQL injection popped up in front of me. At first I thought that this was only a programming problem on the web site that I was testing, but after digging a little bit more I found out that this is a persistent vuln in a lot of the Cold Fusion websites that you can find out there.

Now, this was already reported by someone as a problem before (I think it was reported in 2000), so I am not taking responsibility for its discovery, and honestly this is so basic that who would want to take the responsibility for reporting it. If you want the details, google it. However, I wanted to post this article because the number of sites that have this vuln was amazing to me. So here it comes:

Just search Google using the following query:

inurl:article.cfm

I will suggest that you also try not to touch .com sites and start with sites that are in other remote countries. Also try to test this on sites that use SSL, so in case the site is monitored by an IDS or IPS it won't detect you.

The next thing that you have to do is identify all sites that are using something like this:

http://target/article.cfm?id=1

Next thing you know you can exploit a SQL injection or XSS; just start playing after the id parameter. For example, the site that I was testing was really straightforward. Something like this:

http://target/article.cfm?id=1 UNION select 1,1,1,1,1,1,name from systables;--

And so on..
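To make the bug concrete from the fixing side, here is an added example (not code from the original post) that mirrors the flaw in a Python/sqlite stand-in: one handler pastes the `id` parameter straight into the SQL text, the other validates it as an integer and binds it as a parameter. The articles table, its rows and the use of `sqlite_master` in place of the post's `systables` are all constructed for the example.

```python
import sqlite3

# Constructed in-memory stand-in for the database behind article.cfm.
# The table has seven columns so the post's "UNION select 1,1,1,1,1,1,name"
# shape lines up with it; sqlite_master plays the role of systables.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER, title TEXT, body TEXT, "
        "author TEXT, published TEXT, category TEXT, tags TEXT)"
    )
    conn.execute("INSERT INTO articles VALUES "
                 "(1, 'Welcome', 'First post', 'c4an', '2010-08-22', 'news', '')")
    conn.execute("INSERT INTO articles VALUES "
                 "(2, 'Second', 'Another post', 'c4an', '2010-08-23', 'news', '')")
    return conn

def article_vulnerable(conn, raw_id):
    # Mirrors the flaw the post describes: whatever follows the number in
    # ?id= becomes part of the query, so a UNION can pull in other tables.
    sql = "SELECT * FROM articles WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def article_hardened(conn, raw_id):
    # Two independent defences: reject anything that is not a plain integer,
    # and bind the value as a parameter so it can never change the query
    # structure even if the validation were later relaxed.
    if not raw_id.strip().isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT * FROM articles WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()

# Constructed request values: a normal id and the post's UNION shape. The
# trailing ";--" from the post is dropped because sqlite3.execute() only
# accepts a single statement.
NORMAL_ID = "1"
INJECTED_ID = "1 UNION SELECT 1,1,1,1,1,1,name FROM sqlite_master"

if __name__ == "__main__":
    db = make_db()
    print(len(article_vulnerable(db, INJECTED_ID)), "rows from vulnerable handler")
    try:
        article_hardened(db, INJECTED_ID)
    except ValueError as e:
        print("hardened handler rejected the request:", e)
```

In CFML the same two defences are an integer check on `url.id` plus `<cfqueryparam cfsqltype="cf_sql_integer">` inside the `<cfquery>`, instead of interpolating `#url.id#` into the SQL string.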

Have fun ;)

c4an.