SQL Injection attacks
First thing to say about this subject is this: If you aren't using stored procedures and scoping your variables with cfprocparam or cfqueryparam (if you use a plain ol' query) then you are moments away from a SQL injection attack and a potential total loss of data.
This is especially true for CF server versions below 8 which do not have passive protection within the server. But since nothing is ever foolproof because fools are so ingenious, I have a quick and dirty fix that MIGHT help while you write those procedures and explicitly declare your params.
Drop this in your Application.cfm or in Application.cfc onRequest(). Shouts out to jaanaka in Salsbury NC who informed me of this great app written by Justin D. Scott of GravityFree (Updated 8/11/8)
<!---
name: _SQLPrev.cfm
desc: Helps Prevent SQL Injection Attacks (CF5).
author: Justin D. Scott of GravityFree (jscott@gravityfree.com)
date: November 7, 2005
update: August 7, 2008
notes:
DIRECTIONS
Include this in the Application.cfm file to help prevent SQL injection attacks.
Compatible with ColdFusion 5 and may also work with ColdFusion MX. There is
an MX specific version at http://www.gravityfree.com/_sqlprev.cfm.txt.
If you update this code to be more effective, please send a copy of the changes
back to me so they can be implemented more widely.
DISCLAIMER
Justin Scott and GravityFree make no representation about the suitability or
accuracy of software or data for any purpose, and makes no warranties, either
expressed or implied, including merchantability and fitness for a particular
purpose or that the use of these software or data will not infringe any third
party patents, copyrights, trademarks, or other rights. The software and data
are provided "as is". Use at your own risk.
LICENSE
This code is hereby released into the public domain.
--->
<!--- Mailbox that receives attack notifications; it is also used as the
      From: address of that mail. Replace the placeholder before relying
      on notifications. --->
<cfparam name="request.errorEmail" default="me@yourdomain.com" />
<!--- Send a notification e-mail when a hit is detected (TRUE/FALSE). --->
<cfparam name="request.errorNotify" default="TRUE" />
<!--- What to do with a detected request: TRUE halts it with cfabort,
      FALSE redirects the visitor to request.rootURL. --->
<cfparam name="request.errorAbort" default="FALSE" />
<!--- Target of that redirect. --->
<cfparam name="request.rootURL" default="/" />
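<cfscript>
// Detection flag read by the tag logic below: "" means nothing was seen,
// "sql" means some URL value contained both a T-SQL keyword and a ';'.
// (Each of these statements is on its own line on purpose: a // comment
// runs to the end of the line, so code placed after one is never executed.)
variables.SQLPrev_Found = "";

// Keywords to look for, as one list (same set and order as the original
// keyword struct, kept as a list so it is easy to read and extend). The
// test below is a case-insensitive SUBSTRING match, so short entries such
// as ASC, END, SET, OFF, TOP and USE also match ordinary words that merely
// contain them ("friend", "reset"); the ';' requirement is what keeps that
// from firing on every request. This is a heuristic blacklist, not input
// validation -- queries still need cfqueryparam / cfprocparam.
variables.SQLPrev_KeywordList =
      "EXEC,ALTER,EXECUTE,PROC,ASC,FILE,PROCEDURE,AUTHORIZATION,BACKUP,"
    & "RAISERROR,FOREIGN,FREETEXT,READTEXT,BREAK,FREETEXTTABLE,RECONFIGURE,"
    & "BROWSE,REFERENCES,BULK,FULL,REPLICATION,FUNCTION,RESTORE,CASCADE,"
    & "GOTO,RESTRICT,GRANT,RETURN,CHECK,GROUP,REVOKE,CHECKPOINT,HAVING,"
    & "RIGHT,CLOSE,HOLDLOCK,ROLLBACK,CLUSTERED,IDENTITY,ROWCOUNT,COALESCE,"
    & "IDENTITY_INSERT,ROWGUIDCOL,COLLATE,IDENTITYCOL,COLUMN,COMMIT,SCHEMA,"
    & "COMPUTE,INDEX,SELECT,CONSTRAINT,INNER,SESSION_USER,CONTAINS,INSERT,"
    & "SET,CONTAINSTABLE,INTERSECT,SETUSER,CONTINUE,INTO,SHUTDOWN,CONVERT,"
    & "CREATE,JOIN,STATISTICS,CROSS,KEY,SYSTEM_USER,CURRENT,KILL,TABLE,"
    & "CURRENT_DATE,LEFT,TEXTSIZE,CURRENT_TIME,LIKE,THEN,CURRENT_TIMESTAMP,"
    & "LINENO,CURRENT_USER,LOAD,TOP,CURSOR,NATIONAL,TRAN,DATABASE,NOCHECK,"
    & "TRANSACTION,DBCC,NONCLUSTERED,TRIGGER,DEALLOCATE,TRUNCATE,DECLARE,"
    & "NULL,TSEQUAL,DEFAULT,NULLIF,UNION,DELETE,UNIQUE,DENY,OFF,UPDATE,"
    & "DESC,OFFSETS,UPDATETEXT,DISK,USE,DISTINCT,OPEN,USER,DISTRIBUTED,"
    & "OPENDATASOURCE,VALUES,DOUBLE,OPENQUERY,VARYING,DROP,OPENROWSET,VIEW,"
    & "DUMMY,OPENXML,WAITFOR,DUMP,OPTION,WHEN,WHERE,END,ORDER,WHILE,ERRLVL,"
    & "OUTER,WITH,ESCAPE,OVER,WRITETEXT";
variables.SQLPrev_Keywords = listToArray(variables.SQLPrev_KeywordList);
variables.SQLPrev_KeywordCount = arrayLen(variables.SQLPrev_Keywords);

// Scan every URL parameter. Only the URL scope is inspected here; values
// arriving in FORM, COOKIE or CGI are not, so queries built from those get
// no protection from this include.
for (SQLPrev_Index1 in URL) {
    variables.SQLPrev_Value = URL[SQLPrev_Index1];
    // The ';' test does not depend on the keyword, so run it once per value
    // rather than once per keyword; the outcome is unchanged.
    if (find(";", variables.SQLPrev_Value)) {
        for (SQLPrev_Index2 = 1; SQLPrev_Index2 lte variables.SQLPrev_KeywordCount; SQLPrev_Index2 = SQLPrev_Index2 + 1) {
            if (findNoCase(variables.SQLPrev_Keywords[SQLPrev_Index2], variables.SQLPrev_Value)) {
                variables.SQLPrev_Found = "sql";
                // One hit decides the request; no need to keep scanning.
                break;
            }
        }
    }
}

// Release the keyword table: it is of no further use and would otherwise be
// carried into any dump of the variables scope later in the request.
variables.SQLPrev_KeywordList = "";
variables.SQLPrev_Keywords = arrayNew(1);
variables.SQLPrev_KeywordCount = 0;
</cfscript>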
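<!--- Did we find anything? --->
<cfif len(variables.SQLPrev_Found)>
    <!--- E-mail the hit for tracking. The request data is attacker
          controlled, so it is HTML-escaped before being placed in an
          HTML-typed mail body; without that the query string could carry
          markup into the notification. The URL dump is what the detection
          was made on; the whole variables scope is deliberately not mailed,
          because anything the application placed there earlier in the
          request would travel with it. Every matching request sends one
          mail, so a noisy source can fill the mailbox. --->
    <cfif request.errorNotify>
        <cfmail to="#request.errorEmail#" from="#request.errorEmail#" subject="SQL Injection Attempt" type="HTML">
        <p>Date: #now()#</p>
        <p>Site: #htmlEditFormat(cgi.server_name)#</p>
        <p>URL: #htmlEditFormat(cgi.script_name)#?#htmlEditFormat(cgi.query_string)#</p>
        <p>IP: #htmlEditFormat(cgi.remote_addr)#</p>
        <cfdump var="#url#">
        </cfmail>
    </cfif>
    <!--- Stop the request outright, or bounce the visitor to the site root. --->
    <cfif request.errorAbort>
        <cfabort>
    <cfelse>
        <cflocation url="#request.rootURL#" addtoken="no">
    </cfif>
</cfif>
<!--- Closes a <cfsilent> that must be opened earlier in this file; the
      opening tag is not part of this listing. --->
</cfsilent>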


This thread helps our site prevent SQL injection by using stored procedures. Thanks a lot.