Category Archives: 7429

Lateral SQL injection in Oracle

David Litchfield has just released a paper, showing that it is possible to do SQL injection using DATE or even NUMBER data types to exploit a PL/SQL procedure in Oracle RDBMS! The attacker can exploit a PL/SQL procedure that doesn’t even take user input!

The trick is to apply an ”ALTER SESSION SET NLS_DATE_FORMAT” command in order to change the NLS variable such that the PL/SQL compiler will accept an arbitrary SQL as a ”DATE” (even though it is not).

=== For more information ===

~ Lateral SQL Injection: A New Class of Vulnerability in Oracle