In this challenge a site under construction is provided, only a PNG banner is displayed. After a bit of bruteforcing the directories we found out that in robots.txt there is a interesting link: /address_shops.php?city=Moscow . Going trought it we have the source of the page: /address_shops.php~ . Now its fairly clear that there is a SQL injection and the task is to find a way to extract the secret product. After a bit of browsing the database we found out our table:

http://195.133.87.173/address_shops.php?city=a'' union all select distinct table_name||owner as address from dba_tables– -&debug

table SECRET_PRODUCT owned by PHD_IV_OWNER1. Thats a pitty actually since we are PHD_IV user so we don’t own that table’s right and we can’t get its columns nor data.

How to do this so? Browsing trought the procedures and their codes:

http://195.133.87.173/address_shops.php?city=a'' union all select distinct owner||OBJECT_NAME||procedure_name as address from all_procedures– -&debug

http://195.133.87.173/address_shops.php?city=a'' union all select distinct text as address from dba_source– -&debug

we found out a pakcage named SHOP_PRIVATE_PKG owned by PHD_IV_OWNER2. Using the functions provided in this packages such as: GET_PRODUCT_CATEGORY,GET_PRODUCT_QUANTITY, ecc .. we’ll have access to the SECRET_PRODUCTS. But how to inject custom payload? From the db dump its pointed out that on GET_PRODUCT_QAUNTITY function we have an injection point:

> > select p.quantity > > > > from secret_products p > > > > where 1 = 1 > > > > and p.name = ''' || P_PRODUCT_NAME|| ''''; > >

where P_PRODUCT_NAME is the arg we pass to the function. Selecting the table secret_product from this function , since its owned by an owner with rights , we can dump the table.

Here is the script to extract the flag:

http://pastebin.com/HBngV1SW

Razor4x