Lateral SQL Injection in Oracle Database
To get the current system date in Oracle, you can select the SYSDATE pseudo-column from the DUAL table:
SQL> select sysdate from dual;
The string representation of SYSDATE is controlled by the session parameter NLS_DATE_FORMAT.
Following the publication: Lateral SQL Injection: A New Class of Vulnerability in Oracle, (http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf) published by David Litchfield, FEB/2008.
This post provides an overview and a demonstration on how this issue is still easily exploitable in Oracle Database.
Nls_date_format allows input of any string without
Example: alter session set nls_date_format = '"the time is:"… hh24:mi'
After running that command, the SYSDATE will …
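The following PL/SQL is an added example, not code from this post or from Litchfield's paper. It shows why an attacker-controlled NLS_DATE_FORMAT matters: a procedure that glues SYSDATE into a dynamic SQL string inherits whatever text the session format produces, while the same logic written with a bind variable (or an explicit TO_CHAR format) never performs that implicit conversion. The procedure names are hypothetical; ALL_OBJECTS and NLS_SESSION_PARAMETERS are standard Oracle views.

```sql
-- Added example (not from the post or the paper). Procedure names are hypothetical.

-- Check: what does this session currently use to render dates as text?
-- A format value containing quote characters is a red flag worth logging.
SELECT value
  FROM nls_session_parameters
 WHERE parameter = 'NLS_DATE_FORMAT';

-- Vulnerable pattern: SYSDATE (a DATE) is concatenated into a VARCHAR2, so it is
-- implicitly converted with the session's NLS_DATE_FORMAT. The caller of the
-- procedure chooses that format with ALTER SESSION, and therefore chooses the
-- text that lands inside the statement. With the default AUTHID DEFINER, the
-- statement then runs with the procedure owner's privileges.
CREATE OR REPLACE PROCEDURE count_recent_objects_vuln (p_count OUT NUMBER) AS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT COUNT(*) FROM all_objects WHERE created > ''' || SYSDATE || ''' - 7';
  EXECUTE IMMEDIATE v_sql INTO p_count;
END;
/

-- Hardened pattern 1: bind the DATE value. No text conversion happens, so the
-- session's NLS_DATE_FORMAT cannot influence the statement at all.
CREATE OR REPLACE PROCEDURE count_recent_objects_safe (p_count OUT NUMBER) AS
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM all_objects WHERE created > :cutoff - 7'
    INTO p_count
    USING SYSDATE;
END;
/

-- Hardened pattern 2: if a string really is needed (e.g. for a log line), fix
-- the format model explicitly instead of relying on the session default.
SELECT TO_CHAR(SYSDATE, 'YYYY-MM-DD HH24:MI:SS') AS fixed_format_now
  FROM dual;

-- Usage: both procedures return the same count under a normal format; only the
-- _vuln variant changes behaviour when the caller alters NLS_DATE_FORMAT.
DECLARE
  v_n NUMBER;
BEGIN
  count_recent_objects_safe(v_n);
  DBMS_OUTPUT.PUT_LINE('objects created in the last 7 days: ' || v_n);
END;
/
```

The defensive rule the example illustrates is the same one that applies to ordinary SQL injection: never let a value reach a dynamic statement through string concatenation, even when the value is a DATE or NUMBER produced by the database itself, because the text form of those types is chosen by a session setting the caller controls.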