If you execute SQL statements directly with parameter binding, there is not much to worry about. Take the following Oracle stored procedure, for example:
CREATE OR REPLACE PROCEDURE kjdatepoc (d DATE)
AS
BEGIN
  -- static SQL: d is bound as a DATE value, never spliced into statement text
  INSERT INTO kjdatetable VALUES (d);
  COMMIT;
END;
With static SQL like this, there is no need to worry about a new kind of SQL injection. So where do date and number injection attacks occur? Generally in dynamic SQL that is built without bind variables, such as the DBMS_SQL or EXECUTE IMMEDIATE calls that engineers often use.
If you encounter stored procedures or functions of that kind, then modifying the session's NLS_DATE_FORMAT value is enough to achieve SQL injection through a DATE parameter.
The foreign paper explains this in great detail, so I will not repeat it here.
For injection through the NUMBER type, a simple demonstration is enough: it too can be made to output a single quote!
SELECT * FROM DUAL WHERE id='10001 and name='||Kj.exp()--'
So you can attack it indirectly ...
To a certain extent this only works when an ALTER SESSION can be issued as well, and then used to attack some function or procedure inside the system to elevate privileges. It is not a great breakthrough idea, but for a single-statement SQL injection attack, where you only have the result as a guide, there is not much else.
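The following is an added example, not code from the original post: it puts the vulnerable dynamic-SQL pattern the post warns about next to two hardened forms, and ends with a query a reviewer can use to find dynamic SQL in a schema. The procedure names, the table kjdatetable and the sample values are assumed for illustration.

```sql
-- Added example (not from the original post). Names are assumed.

-- 1. Vulnerable pattern. The DATE parameter is implicitly converted to text
--    using the session's NLS_DATE_FORMAT and concatenated into the statement.
--    Whatever characters that format produces become part of the SQL text, so
--    a caller who can ALTER SESSION controls part of the statement.
CREATE OR REPLACE PROCEDURE kjdate_dynamic_bad (d DATE) AS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'INSERT INTO kjdatetable VALUES (''' || d || ''')';
  EXECUTE IMMEDIATE v_sql;
  COMMIT;
END;
/

-- 2. Hardened: dynamic SQL is kept, but the value is passed as a bind variable.
--    The DATE never becomes statement text, so NLS settings cannot change what
--    is executed. This is the direct fix for the pattern above.
CREATE OR REPLACE PROCEDURE kjdate_dynamic_ok (d DATE) AS
BEGIN
  EXECUTE IMMEDIATE 'INSERT INTO kjdatetable VALUES (:1)' USING d;
  COMMIT;
END;
/

-- 3. If a textual form of the value is unavoidable (for example it feeds a
--    generated predicate), convert it with an explicit format mask and an
--    explicit NLS parameter, so the session default is irrelevant, and still
--    bind the resulting string rather than concatenating it.
CREATE OR REPLACE PROCEDURE kjdate_explicit_ok (d DATE) AS
  v_txt VARCHAR2(30);
BEGIN
  v_txt := TO_CHAR(d, 'YYYY-MM-DD HH24:MI:SS', 'NLS_DATE_LANGUAGE=AMERICAN');
  EXECUTE IMMEDIATE
    'INSERT INTO kjdatetable VALUES (TO_DATE(:1, ''YYYY-MM-DD HH24:MI:SS''))'
    USING v_txt;
  COMMIT;
END;
/

-- The NUMBER case works the same way: concatenating a NUMBER renders it with the
-- session's NLS_NUMERIC_CHARACTERS, while binding it (USING n) or converting it
-- with an explicit mask removes the dependency on the caller's session:
--   TO_CHAR(n, 'FM9999999990.00', 'NLS_NUMERIC_CHARACTERS=''.,''')

-- 4. Review aid: list stored code lines that use dynamic SQL so each one can be
--    checked for concatenated DATE or NUMBER parameters. ALL_SOURCE is a standard
--    Oracle data dictionary view; this is a starting point for review, not a
--    complete detector (string building often happens on other lines).
SELECT owner, name, type, line, text
FROM   all_source
WHERE  UPPER(text) LIKE '%EXECUTE IMMEDIATE%'
   OR  UPPER(text) LIKE '%DBMS_SQL.PARSE%'
ORDER  BY owner, name, type, line;
```

The key point of the hardened versions is that the parameter value never becomes part of the statement text. Binding with USING works for both EXECUTE IMMEDIATE and DBMS_SQL (via DBMS_SQL.BIND_VARIABLE), and an explicit TO_CHAR mask plus NLS parameter makes any remaining text conversion independent of the session that calls the procedure.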