Lateral SQL Injection: A New Class of Vulnerability in Oracle (2008)
by David Litchfield.
How can an attacker exploit a PL/SQL procedure that doesn’t even take user input? Or how does one do SQL injection using DATE or even NUMBER data types? In the past this has not been possible but as this paper will demonstrate, with a little bit of trickery, you can in the Oracle RDBMS. Consider the following code for a PL/SQL procedure ... It takes no parameters and so typically would not be audited. That said, we can see that the V_DATE variable is embedded within an SQL query which is then dynamically executed via the EXECUTE IMMEDIATE statement. Tracing back through the code we see that value for V_DATE is assigned from a call to the SYSDATE() built in function. If this were somehow influenceable then an attacker could potentially inject arbitrary SQL. As we will see this is fully exploitable but first let's consider this code: [via]
http://www.databasesecurity.com/dbsec/lateral...
sql injection
Related Files
- An Introduction to SQL Injection Attacks for Oracle Developers
- SQL Injection Vulnerability in Oracle9i Application Server
- Manipulating Microsoft SQL Server Using SQL Injection
- Buffer Overflow Vulnerability in Oracle E-Business Suite
- Oracle Internet Directory Buffer Overflow Vulnerability
- Oracle VM FAQ
Sponsored Links
Free Download Sonos Manual, Guide, Instructions, available in PDF ebooks format.
Rate this Document
Popular eBooks
- Java Platform Migration Guide Version 1.3 to 5.0
- Java Web Start Overview White Paper
- Java 2 Platform, Standard Edition 5.0: Troubleshooting and Diagnostic Guide
- MySQL 5.0 Stored Procedures
- Numerical Python
- An Introduction to Python - Release 2.2.2
- Python/C API Reference Manual - Release 2.5
- Trusted Platform Module (TPM) based Security on Notebook PCs - White Paper
- A Z Patterns Catalogue II: Definitions and Laws, v0.1
- Tutorial on Python Iterators and Generators
ADS
Tag Clouds
3d algorithm analysis application architecture design ebook energy framework guide java javascript kernel linux manual network paper programming python reference security software system theory thesis tutorial typography web service white paper xml
Last Download
- The R-Tcl/Tk interface
- HTML, XML and JavaScript
- Diving into JavaScript - Chapter 1
- PLS - Graph User's Guide Version 3.0
- The Elements of Typographic Style
BookShelf
- Red Hat Linux 9: Red Hat Linux Reference Guide
- iPhone Important Product Information Guide (with safety information)-US
- High-Performance Java Platform Computing - Chapter 3
- SPARK: Top-Keyword Query in Relational Databases
- A Method for Fast Computation of the Fourier Transform over a Finite Field
