Lateral SQL Injection in Oracle Database
To get the system date in Oracle, you can query the
sysdate field from the table dual.
SQL> select sysdate from dual;
The SYSDATE format is set in the nls_date_format parameter.
Following the publication of Lateral SQL Injection: A New Class of Vulnerability in Oracle (http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf) by David Litchfield in February 2008, this post provides an overview and a demonstration of how this issue is still easily exploitable …