Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
BugTraq
Name:
Email:
*Note: Email address will appear as "user domain ext" to prevent harvesting.
Subject:
Message:
 
Re: Lateral SQL Injection Revisited - No Special Privs Required Jul 18 2008 11:30AM
a polyakov dsec ru
Great work David! as usual )

I just can add a little info

Not only sysdate function can be used in procedure without input parametres.

For example using dbms_random.value in procedure without input parameters, we also can inject sql code.

---------------------------

vunerable procedure:

cr...

[ more ]  




 

Privacy Statement
Copyright 2009, SecurityFocus