Lateral SQL Injection in Oracle Database
Overview
=======
In order to get the system date in Oracle, you can query sysdate
from the dual table.
SQL> select sysdate from dual;
SYSDATE
---------
15-SEP-11
The format in which SYSDATE is displayed is controlled by the session parameter nls_date_format.
Following the publication of Lateral SQL Injection: A New Class of Vulnerability in Oracle (http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf) by David Litchfield in February 2008,
this post provides an overview and a demonstration of how this issue is still easily exploitable in Oracle Database.
Vulnerability
=========
nls_date_format accepts any string as its value, without filtering.
Example: alter session set nls_date_format = '"the time is:"… hh24:mi'
After running that command, the SYSDATE will …
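As an added example (not from the original post), the following SQL*Plus script shows the pattern through which a session-controlled nls_date_format reaches a SQL statement, beside the hardened form a defender would want instead. The procedure names and the audit_log table with its event_day DATE column are hypothetical.

```sql
-- Added example, not from the original post. The procedures and the
-- table AUDIT_LOG(EVENT_DAY DATE) are hypothetical.

-- 1. Check the date format the current session uses whenever SYSDATE is
--    implicitly converted to a string (the value ALTER SESSION changes).
SELECT value
  FROM nls_session_parameters
 WHERE parameter = 'NLS_DATE_FORMAT';

-- 2. Vulnerable pattern: SYSDATE is implicitly converted to VARCHAR2 and
--    concatenated into dynamic SQL. The text placed inside the quotes is
--    whatever NLS_DATE_FORMAT renders, so the session setting reaches the
--    statement even though no user-supplied string is passed in.
CREATE OR REPLACE PROCEDURE count_today_vulnerable (p_count OUT NUMBER) AS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM audit_log WHERE event_day = '''
           || SYSDATE || '''';
  EXECUTE IMMEDIATE l_sql INTO p_count;
END;
/

-- 3. Hardened pattern: pass the date as a bind variable so it never becomes
--    part of the statement text; the session's NLS_DATE_FORMAT is irrelevant.
CREATE OR REPLACE PROCEDURE count_today_hardened (p_count OUT NUMBER) AS
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM audit_log WHERE event_day = :d'
    INTO p_count USING TRUNC(SYSDATE);
END;
/

-- 4. Where a string is genuinely needed (for example in a log line), convert
--    explicitly with a fixed format mask instead of relying on the session.
SELECT TO_CHAR(SYSDATE, 'DD-MON-YYYY') AS today FROM dual;
```

The check in step 1 is what to run when auditing a session or an application account: if the application's code path concatenates dates as in step 2, any value found there is effectively part of the SQL. Step 3 removes the problem rather than filtering the format string, because the date is bound as a DATE and never rendered as text.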