Lateral SQL injection in Oracle

David Litchfield has just released a paper, showing that it is possible to do SQL injection using DATE or even NUMBER data types to exploit a PL/SQL procedure in Oracle RDBMS! The attacker can exploit a PL/SQL procedure that doesn’t even take user input!


The trick is to apply an ”ALTER SESSION SET NLS_DATE_FORMAT” command in order to change the NLS variable such that the PL/SQL compiler will accept an arbitrary SQL as a ”DATE” (even though it is not).


=== For more information ===


~ Lateral SQL Injection: A New Class of Vulnerability in Oracle


http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf