Using Microsoft DPAPI with Coldfusion - coldfusion

I'm in the process of decrypting Chrome's cookie information for a particular website. I can read the data from the file using the SQLLite DB object successfully. The next step is to decrypt the encrypted data.
I've managed to find two Java executables JDPAPI & windpapi4j allowing me to use the Microsoft Data Protection API (MS DPAPI) in Java.
I've loaded both the JAR files in the lib folder and can see their methods as shown below.
I'm trying to pass the encrypted_value of the cookie to the unprotectData and unprotect methods of the Java objects but getting the following error for both of them.
Code:
<cfset a_sqlite = createObject( 'java', 'org.sqlite.JDBC' )>
<cfset WinDPAPI = createObject('java','com.github.windpapi4j.WinDPAPI') />
<cfset jdpapi = createObject('java','net.sourceforge.jdpapi.DataProtector') />
<cfdump var="#WinDPAPI#" label="WinDPAPI">
<cfdump var="#jdpapi#" label="jdpapi">
<!--- <cfdump var="#a_sqlite#"> --->
<cfset a_prop = createObject( 'java', 'java.util.Properties' )>
<cfset db_filename = 'C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\cookies'>
<cfset a_conn = a_sqlite.connect( 'jdbc:sqlite:' & db_filename, a_prop.init() )>
<!--- <cfdump var="#a_conn#"> --->
<cfset a_statement = a_conn.createStatement()>
<cfset a_res = a_statement.executeQuery("select * from cookies where host_key like '%ggas%';")>
<!--- <cfdump var="#a_res#"> --->
<cfloop condition="#a_res.next()#" >
<cfoutput>#a_res.getString("host_key")# = #a_res.getString("name")#</cfoutput><br>
<!--- <cfset encrypted_string = "#a_res.getString("encrypted_value")#"> --->
<cfdump var="#WinDPAPI.unprotectData(a_res.getString("encrypted_value"))#">
<cfdump var="#jdpapi.unprotect(toBinary(toBase64(a_res.getString("encrypted_value"))))#">
<!--- <cffile action="write" file="#expandPath(".")#\output.txt" output="#jdpapi.unprotect(toBinary(toBase64(a_res.getString("encrypted_value"))))#" addnewline="true"> --->
</cfloop>
I believe its something to do with the byte[] input type but not sure how to go about it. Any pointers would be helpful.

Related

Invalid Component Definition

I'm having an issue in the logs I cannot replicate on the browser. I'm getting hundreds of these per day
invalid component definition, can't find component [cfc.udf]
The cfc are stored in a cfc folder one level above the app. This is so that many apps can use the same cfc.
Folder structure:
---- cfc
--------- udf.cfc
---- myApp
--------- application.cfc
In the application.cfc, I'm using application-specific mappings because this is set on a lot of different load-balanced-servers in production as well as a QA environment and local testing environment and keeping them all synced would be difficult.
At onRequestStart, I have a function that restarts the application every 5 minutes. It was supplied by a consultant. I suspect that this is the culprit because the logs show these errors coming in at exactly 5 minute intervals
<cfcomponent>
<cfset This.name = "myApp">
<cfset This.Sessionmanagement=true>
<cfset This.Sessiontimeout="#createtimespan(0,0,30,0)#">
<cfset this.mappings['/cfc'] = ExpandPath('../cfc')>
<cffunction name="onApplicationStart">
<cfset Application.udf = createObject("component", "cfc.udf").init()>
</cffunction>
<cffunction name="onRequestStart">
<cfset appRefreshMinutes = 5>
<cfif Not IsDefined("Application.refreshTime")>
<cfset currentMinute = Minute(Now())>
<cfset Application.refreshTime = DateAdd("n", -(currentMinute MOD appRefreshMinutes)+appRefreshMinutes, Now())>
<cfset Application.refreshTime = DateAdd("s", -(Second(Application.refreshTime)), Application.refreshTime)>
</cfif>
<cfif Now() GTE Application.refreshTime Or IsDefined("URL.reload")>
<cflock name="ApplicationInit" type="exclusive" timeout="5" throwontimeout="false">
<cfif Now() GTE Application.refreshTime Or IsDefined("URL.reload")>
<cfset OnApplicationStart()>
<cfset Application.refreshTime = DateAdd("n", appRefreshMinutes, Application.refreshTime)>
</cfif>
</cflock>
</cfif>
</cffunction>
</cfcomponent>
Promoted from the comments
Have you tried using a mapping name other than /cfc? Like:
<cfset this.mappings['/somethingelse'] = ExpandPath('../cfc')>
so that you can then call it like:
<cfset Application.udf = createObject("component", "somethingelse.udf").init()>
Maybe it just looks odd to me or maybe that is causing your issue (cfc being a reserved word or somehow getting special treatment in this case).

Need to use the smtp settings of coldfusion 10

There is a new settings of Application.cfc in the coldfusion 10 which is:
this.smtpServersettings = as a structure
I can hard code the values here, but i am saving my mail settings in the database and i want to use those values here, is it possible or not to use the database settings here or not.
here is my Update:
<cfcomponent hint="File for the Website" output="false">
<cfsetting showdebugoutput="no">
<cfset this.name = "myProject1">
<cfset this.applicationTimeout = createTimeSpan(2,0,0,0)>
<cfset this.clientmanagement= "yes">
<cfset this.loginstorage = "session">
<cfset this.sessionmanagement = "yes">
<cfset this.sessiontimeout = CreateTimeSpan(0,0,40,0) />
<cfset this.setClientCookies = "yes">
<cfset this.scriptProtect = "all">
<cfset this.setDomainCookies = true>
<cfset this.customTagPaths = ExpandPath('customtags')>
<cfset this.datasource = {name="myDB"}>
<cfset this.smtpServersettings = {structur as username,password and mail settings}>
but that value needs to be through database, can you show me an example please
Yes, you should be able to set the value of the this.smtpServersettings variable from a database query. And for what it's worth, I think that setting as been available since ColdFusion 9.
All you would need to do is something like the following.
Run your query to get the values from the database
Create a new structure
Assign the three variables to that structure; server, username, and password
Assign the this.smtpServersettings variable to your new structure
Of course you will need to add some code to do something if/when your database query fails.
Update after the question was updated
Just do something like the following (pseudo code):
<cfcomponent hint="File for the Website" output="false">
<cfsetting showdebugoutput="no">
<cfset this.name = "myProject1">
<cfset this.applicationTimeout = createTimeSpan(2,0,0,0)>
<cfset this.clientmanagement= "yes">
<cfset this.loginstorage = "session">
<cfset this.sessionmanagement = "yes">
<cfset this.sessiontimeout = CreateTimeSpan(0,0,40,0) />
<cfset this.setClientCookies = "yes">
<cfset this.scriptProtect = "all">
<cfset this.setDomainCookies = true>
<cfset this.customTagPaths = ExpandPath('customtags')>
<cfset this.datasource = {name="myDB"}>
<!--- run your query here --->
<!--- check your query and do something appropriate if/when it fails --->
<cfset this.MyStructure = StructNew()>
<cfset this.MyStructure.server = this.MyQuery.ServerNameVariable>
<cfset this.MyStructure.username = this.MyQuery.UserNameVariable>
<cfset this.MyStructure.password = this.MyQuery.PasswordVariable>
<cfset this.smtpServersettings = this.MyStructure>
You also need to be aware that doing it this way will run that query on every page request. Make sure it runs fast.

Getting data from the function using an Object in CF

I have a CFC object and a function which gets me the data which I want. Now I want to use that data and provide it to an already defined custom tag attribute. When I dump the #iEngine.listScore()# I get some parameters. But my problem is how should I provide those to an attribute?
<cfdump var="#iEngine.listScores()#" label="Swapnil Test - Function ListScore">
<cfset filename="ACE_DataExtract_#DateFormat(now(),'dd.mmm.yyyy')#.xls" />
<!--- Calling Custom tags to create/output xls files --->
<cfmodule template="#request.library.customtags.virtualpath#excel.cfm" file="#filename#" sheetname="ACE Report">
<cfmodule template="#request.library.customtags.virtualpath#exceldata.cfm"
query="#iEngine.listScores()#"
action="AddWorksheet"
sheetname="ACE Report"
colorscheme="blue"
useheaders="true"
contentformat="#{bold=true}#"
customheaders="#ListScore#">
<cfoutput>Excel Extract - ACE Report - #DateFormat(Now(),"d-mmm-yyyy")#</cfoutput>
</cfmodule>
</cfmodule>
Here I want to provide the data of iEngine.listScore() to the "Query" attribute in "exceldata" custom tag.
Below is the dump of iEngine.listScore()
I would write a transform Data function to change your array-struct to a query object, then pass that on....
<cffunction name="transformData" result="query">
<cfargument name="inArray" type="array">
<cfset local.qryReturn = queryNew("actiondate,actionId,closedate")>
<!--- You may look up queryNew and also set your dataTypes --->
<cfloop array="#arguments.inArray#" index="i">
<cfset QueryAddRow(local.qryReturn)>
<cfset querySetCell(local.qryReturn,"actionDate",i["actiondate"])>
<cfset querySetCell(local.qryReturn,"actionid",i["actionid"])>
<cfset querySetCell(local.qryReturn,"closedate",i["closedate"])>
</cfloop>
<cfreturn local.qryReturn>
</cffunction>
<cfset test = [
{actiondate='1/1/2015',actionid=134,closedate=''},
{actiondate='1/2/2015',actionid=135,closedate=''},
{actiondate='1/3/2015',actionid=136,closedate=''}
]>
<cfdump var="#test#">
<cfset resultQry = transformData(test)>
<cfif NOT isquery(resultQry)>
Exit invalid Data.
<cfelse>
<cfdump var="#resultQry#">
</cfif>

Extract 7z file in coldfusion

Can anyone help me by suggesting a function to extract a .7z file in ColdFusion? I use ColdFusion 10 and cfscript based code. Indeed we have the cfzip tag, but it only extracts .zip and .jar files.
You can use cfexecute, which unfortunately is not availble in cfscript, to execute the 7z extractor on your server and pass through the various commands to extract the file to a place of your choosing.
Luckily for you, it seems Raymond Camden has gone into it in some detail:
http://www.raymondcamden.com/index.cfm/2011/2/21/Working-with-RARs-in-ColdFusion
Function to unrar .rar file in given destination.. use cfexecute tag to run rar exe in command line
<cffunction name="Unrar" access="public" returnType="boolean" output="false">
<cfargument name="archivefile" type="string" required="true">
<cfargument name="destination" type="string" required="true">
<cfset var exeName = "">
<cfset var result = "">
<cfset var errorresult = "">
<cfif not fileExists(arguments.archivefile)>
<cfthrow message="Unable to work with #arguments.arvhiefile#, it does not exist.">
</cfif>
<cfif findnocase(".rar",arguments.archivefile)>
<cfset var exeName = expandpath("WinRAR\rar.exe")>
<cfset var args = []>
<cfif directoryExists(#arguments.destination#)>
<cfset args[1] = "x +o">
<cfelse>
<cfset directoryCreate(#arguments.destination#)>
<cfset args[1] = "x">
</cfif>
<cfset args[2] = arguments.archivefile>
<cfset args[3] = "#arguments.destination#">
</cfif>
<cfexecute name="#exeName#" arguments="#args#" variable="result" errorvariable="errorresult" timeout="99" />
<cfif findNoCase("OK All OK", result)>
<cfreturn true>
<cfelse>
<cfreturn false>
</cfif>
</cffunction>

Consuming a webservice code simplification

UPDATED CODE TO LATEST ITERATION
The following function consumes a webservice that returns address details based on zip code (CEP). I'm using this function to parse the xml and populate an empty query with the address details. I would like to know if there is a more elegant way to achieve the same result. It seems to be a waste to create an empty query and populate it...
Any ideas could my method be modified or the code factored/simplified?
<!--- ****** ACTION: getAddress (consumes web-service to retrieve address details) --->
<cffunction name="getAddress" access="remote" returntype="any" output="false">
<!--- Defaults: strcep (cep (Brazilian zip-code) string webservice would look for), search result returned from webservice --->
<cfargument name="cep" type="string" default="00000000">
<cfset var searchResult = "">
<cfset var nodes = "">
<cfset var cfhttp = "">
<cfset var stateid = 0>
<cfset var tmp = structNew()>
<!--- Validate cep string --->
<cfif IsNumeric(arguments.cep) AND Len(arguments.cep) EQ 8>
<cftry>
<!--- Consume webservice --->
<cfhttp method="get" url="http://www.bronzebusiness.com.br/webservices/wscep.asmx/cep?strcep=#arguments.cep#"></cfhttp>
<cfset searchResult = xmlparse(cfhttp.FileContent)>
<cfset nodes = xmlSearch(searchResult, "//tbCEP")>
<!--- If result insert address data into session struct --->
<cfif arrayLen(nodes)>
<cfset tmp.streetType = nodes[1].logradouro.XmlText>
<cfset tmp.streetName = nodes[1].nome.XmlText>
<cfset tmp.area = nodes[1].bairro.XmlText>
<cfset tmp.city = nodes[1].cidade.XmlText>
<cfset tmp.state = nodes[1].uf.XmlText>
<cfset tmp.cep = arguments.cep>
<!--- Get state id and add to struct --->
<cfset stateid = model("state").findOneByStateInitials(tmp.state)>
<cfset tmp.stateid = stateid.id>
<cfreturn tmp>
</cfif>
<!--- Display error if any --->
<cfcatch type="any">
<cfoutput>
<h3>Sorry, but there was an error.</h3>
<p>#cfcatch.message#</p>
</cfoutput>
</cfcatch>
</cftry>
</cfif>
</cffunction>
<!--- ****** END ACTION getAddress --->
The calling code:
<!--- Get address data based on CEP --->
<cfset session.addressData = getAddress(cep=params.newMember.cep)>
I can't test this because I don't have an example XML file / CEP to test with, but here is a minor rewrite that addresses four things:
Instead of using cfparam and some strange "params" structure, you should pass the CEP into the function as an argument.
The function shouldn't directly modify session data. Instead, you should return the result and let the calling code assign it to the session (or wherever else it might be needed). I'll show this in a 2nd code example.
Cache the xml result per CEP -- assuming this doesn't change often. (You'll have to improve it further if you want time-based manual cache invalidation, but I can help add that if necessary)
Don't use StructInsert. It's not necessary and you're just writing it the long way for the sake of writing it the long way. There is no benefit.
Again, this isn't tested, but hopefully it's helpful:
<cffunction name="getAddress" access="remote" returntype="any" output="false">
<cfargument name="cep" type="string" default="00000000" /><!--- (cep (Brazilian zip-code) string webservice would look for) --->
<cfset var searchResult = "">
<cfset var nodes = "">
<cfset var cfhttp = "">
<cfset var stateid = 0 />
<cfset var tmp = structNew()>
<!--- Validate cep string --->
<cfif IsNumeric(arguments.cep) AND Len(arguments.cep) EQ 8>
<cfif not structKeyExists(application.cepCache, arguments.cep)><!--- or cache is expired: you'd have to figure this part out --->
<!--- Consume webservice --->
<cftry>
<cfhttp method="get" url="http://www.bronzebusiness.com.br/webservices/wscep.asmx/cep?strcep=#arguments.cep#" />
<cfset searchResult = xmlparse(cfhttp.FileContent)>
<cfset nodes = xmlSearch(searchResult, "//tbCEP")>
<!--- If result insert address data into session struct --->
<cfif arrayLen(nodes)>
<cfset tmp.streetType = nodes[1].logradouro.XmlText />
<cfset tmp.streetName = nodes[1].nome.XmlText />
<cfset tmp.area = nodes[1].bairro.XmlText />
<cfset tmp.city = nodes[1].cidade.XmlText />
<cfset tmp.state = nodes[1].uf.XmlText />
<cfset tmp.cep = arguments.cep />
<!--- Get state id and add to struct --->
<cfset stateid = model("state").findOneByStateInitials(session.addressData.state)>
<cfset tmp.stateid = stateid.id />
</cfif>
<cfreturn duplicate(tmp) />
<!--- Display error if any --->
<cfcatch type="any">
<h3>Sorry, but there was an error.</h3>
<p>#cfcatch.message#</p>
</cfcatch>
</cftry>
<cfelse>
<!--- cache exists and is not expired, so use it --->
<cfreturn duplicate(application.cepCache[arguments.cep]) />
</cfif>
</cfif>
<!---
<!--- Redirect to page two of the sign up process --->
<cfset redirectTo(controller="assine", action="perfil")>
--->
</cffunction>
Notice that I commented out the redirect you had at the end. That's because with my function, you'll be returning a value, and the redirect should be done after that, like so:
<cfset session.addressData = getAddress("some-CEP-value") />
<cfset redirectTo(controller="assine", action="perfil")>
If you're going to leave out the caching (As you say in a comment you will), then here is a version that makes no attempt at caching:
<cffunction name="getAddress" access="remote" returntype="any" output="false">
<cfargument name="cep" type="string" default="00000000" /><!--- (cep (Brazilian zip-code) string webservice would look for) --->
<cfset var searchResult = "">
<cfset var nodes = "">
<cfset var cfhttp = "">
<cfset var stateid = 0 />
<cfset var tmp = structNew()>
<!--- Validate cep string --->
<cfif IsNumeric(arguments.cep) AND Len(arguments.cep) EQ 8>
<!--- Consume webservice --->
<cftry>
<cfhttp method="get" url="http://www.bronzebusiness.com.br/webservices/wscep.asmx/cep?strcep=#arguments.cep#" />
<cfset searchResult = xmlparse(cfhttp.FileContent)>
<cfset nodes = xmlSearch(searchResult, "//tbCEP")>
<!--- If result insert address data into session struct --->
<cfif arrayLen(nodes)>
<cfset tmp.streetType = nodes[1].logradouro.XmlText />
<cfset tmp.streetName = nodes[1].nome.XmlText />
<cfset tmp.area = nodes[1].bairro.XmlText />
<cfset tmp.city = nodes[1].cidade.XmlText />
<cfset tmp.state = nodes[1].uf.XmlText />
<cfset tmp.cep = arguments.cep />
<!--- Get state id and add to struct --->
<cfset stateid = model("state").findOneByStateInitials(session.addressData.state)>
<cfset tmp.stateid = stateid.id />
</cfif>
<cfreturn duplicate(tmp) />
<!--- Display error if any --->
<cfcatch type="any">
<h3>Sorry, but there was an error.</h3>
<p>#cfcatch.message#</p>
</cfcatch>
</cftry>
</cfif>
<!---
<!--- Redirect to page two of the sign up process --->
<cfset redirectTo(controller="assine", action="perfil")>
--->
</cffunction>
Note that I did leave in the use of duplicate(). What this does is return a duplicate of the object (in this case, the struct). This is much more important when you start to work on applications where you're passing complex values into and out of functions over and over again. Using duplicate() causes things to be passed by value instead of by reference. It may not bite you in this case, but it's a good habit to get into.
I would also still use the function argument and return a value -- but it's arguable that this is my personal preference. In a way it is. I believe that a function should be fully encapsulated; a total "black box". You give it some input and it gives you back some output. It should not modify anything outside of itself. (Again, just my opinion.)
So assuming you're using this function as part of a larger multi-step process, you should still use it the same way I've described above. The only difference is that you're setting the session variable outside of the function body. Just as previously:
<cfset session.addressData = getAddress("some-CEP-value") />
<cfset redirectTo(controller="assine", action="perfil")>
That looks pretty straightforward. CF doesn't (yet?) have any magical XML-to-Query functions, but that would be pretty cool. If you wanted, you could probably write up an XSL transform to go from XML to WDDX so that you could use the cfwddx tag ... but that's probably putting the cart before the horse.
You need to move your arrayLen() if block into the try block. As it stands, if the cfhttp tag throws an error, the nodes variable will be a string and not an array, thus causing the arrayLen() to throw another error.
Minor nitpick: I wouldn't add a row to the query until inside the arrayLen() block. That way, the calling code can check recordCount to see if the result was a success.
Beyond that ... that's pretty much how it's done.