PHD CTF Quals 2014 - oracle Writeup
In this challenge a site under construction is provided, only a PNG banner is displayed. After a bit of bruteforcing the directories we found out that in robots.txt there is a interesting link: /address_shops.php?city=Moscow . Going trought it we have the source of the page: /address_shops.php~ . Now its fairly clear that there is a SQL injection and the task is to find a way to extract the secret product. After a bit of browsing the database we found out our table:
http://18.104.22.168/address_shops.php?city=a'' union all select distinct table_name||owner as address from dba_tables– -&debug
table SECRET_PRODUCT owned by PHD_IV_OWNER1. Thats a pitty actually since we are PHD_IV user so we don’t own that table’s right and we can’t get its columns nor data.
How to do this so? Browsing trought the procedures and their codes:
http://22.214.171.124/address_shops.php?city=a'' union all select distinct owner||OBJECT_NAME||procedure_name as address from all_procedures– -&debug
http://126.96.36.199/address_shops.php?city=a'' union all select distinct text as address from dba_source– -&debug
we found out a pakcage named SHOP_PRIVATE_PKG owned by PHD_IV_OWNER2. Using the functions provided in this packages such as: GET_PRODUCT_CATEGORY,GET_PRODUCT_QUANTITY, ecc .. we’ll have access to the SECRET_PRODUCTS. But how to inject custom payload? From the db dump its pointed out that on GET_PRODUCT_QAUNTITY function we have an injection point:
> > select p.quantity > > > > from secret_products p > > > > where 1 = 1 > > > > and p.name = ''' || P_PRODUCT_NAME|| ''''; > >
where P_PRODUCT_NAME is the arg we pass to the function. Selecting the table secret_product from this function , since its owned by an owner with rights , we can dump the table.
Here is the script to extract the flag: