Just now on the CF mailing list I saw a post from people discussing SQL Injection detection, so I decided to share some code I wrote a while ago and have been using successfully in my applications.
Put the code below in your Application.cfm or Application.cfc, and before any SQL operation just do a <cfif Not hasAttack()><cfquery…
<cffunction name="checkSQLInject" access="private" returntype="string" output="no">
    <cfscript>
        // List of SQL keywords / objects to flag when they follow a ';'.
        // Everything is lower-case because hasAttack() lower-cases the input before
        // matching (the original list mixed case, so 'Cast', 'nVarchar' etc. could never hit).
        var insSql = 'insert|delete|select|update|create|alter|drop|truncate|grant|revoke|declare|' &
                     'exec|backup|restore|sp_|xp_|set|execute|dbcc|deny|union|cast|char|varchar|nchar|nvarchar';

        // Build the regex. The string is handed to java.util.regex.Pattern (see loadPattern()),
        // so it uses Java syntax: \s for whitespace and \p{Print} for printable characters.
        // The POSIX bracket forms [[:space:]] / [[:print:]] work in CF's own REFind(), but Java
        // reads them as a character class of the literal characters ':', 's', 'p', 'a', 'c', 'e'.
        // Inside a single-quoted CF string '' is a literal quote and backslashes are not escapes.
        var regEx = '((or)+\s*\(*''?\p{Print}+''?' &
                    '(\s*[\+\-\/\*]\s*''?' &
                    '\p{Print}+''?)*\)*\s*' &
                    '(([=><!]{1,2}|(like))\s*\(*''?' &
                    '\p{Print}+''?(\s*[\+\-\/\*]' &
                    '\s*''?\p{Print}+''?)*\)*)|((in)' &
                    '\s*\(+\s*''?\p{Print}+''?' &
                    '(\,\s*''?\p{Print}+''?)*\)+)|' &
                    '((between)\s*\(*\s*''?' &
                    '\p{Print}+''?(\,\s*''?\p{Print}+''?)' &
                    '*\)*(and)\s+\(*\s*''?\p{Print}+''?' &
                    '(\,\s*''?\p{Print}+''?)*\)*)|((;)([^a-z>]*)' &
                    '(#insSql#)([^a-z]+|$))|(union[^a-z]+(all|select))|(\/\*)|(--$))';

        return regEx;
    </cfscript>
</cffunction>

<cffunction name="loadPattern" access="private" returntype="any" output="no">
    <cfscript>
        // Compile the blacklist once. java.util.regex.Pattern objects are immutable and
        // thread-safe, so the compiled pattern can be shared across requests.
        var blacklist = checkSQLInject();
        var rePattern = createObject("java", "java.util.regex.Pattern");
        return rePattern.compile(blacklist);
    </cfscript>
</cffunction>

<cffunction name="hasAttack" access="public" returntype="boolean" output="no">
    <cfscript>
        var hackAttempt = false;
        var testvar = "";
        var reMatcher = "";
        var CGIvars = "script_name,remote_addr,query_string,path_info,http_referer,http_user_agent,server_name";
        var scopes = ArrayNew(1);   // the scopes whose values get inspected
        var i = 1;

        // Array literals ([a, b]) need ColdFusion 9 or later; ArrayAppend also works on CF 8
        ArrayAppend(scopes, Url);
        ArrayAppend(scopes, Form);
        ArrayAppend(scopes, Cookie);
        ArrayAppend(scopes, Arguments);

        // Make sure the compiled pattern is available in Application scope, so the regex is
        // compiled once per application instead of once per request (this needs <cfapplication>
        // or Application.cfc to have set an application name). A race here only recompiles the
        // same immutable pattern twice, so no lock is needed.
        if (NOT StructKeyExists(Application, "regExChecker")) {
            Application.regExChecker = loadPattern();
        }

        // A Matcher is not thread-safe, so create one per request and reuse it via reset()
        reMatcher = Application.regExChecker.matcher("");

        // Every value in every inspected scope is lower-cased and run against the blacklist
        for (i = 1; i LE ArrayLen(scopes); i = i + 1) {
            for (testvar in scopes[i]) {
                if (reMatcher.reset(LCase(scopes[i][testvar])).find()) {
                    hackAttempt = true;
                    break;
                }
            }
            if (hackAttempt) break;
        }

        // Selected CGI variables (request headers the client controls) are checked as well
        if (NOT hackAttempt) {
            for (i = 1; i LE ListLen(CGIvars); i = i + 1) {
                testvar = ListGetAt(CGIvars, i);
                if (StructKeyExists(CGI, testvar) AND reMatcher.reset(LCase(CGI[testvar])).find()) {
                    hackAttempt = true;
                    break;
                }
            }
        }
        return hackAttempt;
    </cfscript>
</cffunction>
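As an added example (not part of the original post), here is how the hasAttack() check sits in front of a query on a page that receives a form field. The datasource name "appDsn", the "users" table with its user_id and email columns, the Form.email field and the "sqli_detect" log file are all assumptions for illustration. Two things a practitioner should keep in mind: hasAttack() is a blacklist regex, so it also fires on ordinary text (a free-text comment containing "between 20 and 30" or "colors like red" matches the between/and and or/like branches), which is why it should log and refuse rather than silently drop data; and it does not replace cfqueryparam, which is what actually prevents injection by sending the value as a bind parameter instead of splicing it into the SQL.

```cfml
<!--- Added example, not the original post's code. Assumed names: datasource "appDsn",
      table "users" with columns user_id and email, form field Form.email, log file "sqli_detect". --->
<cfparam name="Form.email" default="">

<cfif hasAttack()>
    <!--- Record who sent it and on which page, then refuse the request. The submitted
          values are deliberately not echoed back into the page. --->
    <cflog file="sqli_detect" type="warning"
           text="Blacklist hit from #CGI.REMOTE_ADDR# on #CGI.SCRIPT_NAME#">
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput><p>Your request could not be processed.</p></cfoutput>
    <cfabort>
</cfif>

<!--- The query itself is parameterised. cfqueryparam passes the value as a bind variable,
      so even input the blacklist missed cannot change the structure of the statement.
      maxlength rejects oversized values before they reach the database. --->
<cfquery name="getUser" datasource="appDsn">
    SELECT user_id, email
    FROM users
    WHERE email = <cfqueryparam value="#Form.email#" cfsqltype="cf_sql_varchar" maxlength="254">
</cfquery>

<cfoutput>
    <cfif getUser.recordCount EQ 0>
        <p>No account found for that address.</p>
    <cfelse>
        <p>Account #getUser.user_id# matches #HTMLEditFormat(getUser.email)#.</p>
    </cfif>
</cfoutput>
```

The order matters: the blacklist runs first so a hit is logged with the client address before any database work happens, and the parameterised query is what the application relies on regardless of whether the regex matched.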
Good afternoon, I tried to use this script and it gave the following error:
Invalid CFML construct found on line 47 at column 19.
ColdFusion was looking at the following text:
[
The CFML compiler was processing:
a script statement beginning with "var" on line 47, column 5.
a cfscript tag beginning on line 42, column 5.
a cfscript tag beginning on line 42, column 5.
The error occurred in C:\xxx\xxxx\Application.cfm: line 47
45 : var reMatcher = "";
46 : var CGIvars = "script_name,remote_addr,query_string,path_info,http_referer,http_user_agent,server_name";
47 : var scoopes = [Url, Form, Cookie, Arguments];
48 : var i = 1;
49 :
Could you give me a hand?