A disturbing lack of taste. Just another WordPress site

27 Jan 2014

PHD CTF Quals 2014 – oracle Writeup

In this challenge a site under construction is provided; only a PNG banner is displayed. After a bit of brute-forcing directories we found out that robots.txt lists an interesting link: /address_shops.php?city=Moscow . Going through it, we also get the source of the page from the editor backup file: /address_shops.php~ . Now it's fairly clear that there is a SQL injection, and the task is to find a way to extract the secret product. After a bit of browsing the database we found our table:

http://195.133.87.173/address_shops.php?city=a'' union all select distinct table_name||owner as address from dba_tables-- -&debug

The table SECRET_PRODUCT is owned by PHD_IV_OWNER1. That's a pity, since we are connected as the PHD_IV user: we have no rights on that table, so we can get neither its columns nor its data.

So how do we do this? Browsing through the procedures and their source code:

http://195.133.87.173/address_shops.php?city=a'' union all select distinct owner||OBJECT_NAME||procedure_name as address from all_procedures-- -&debug

http://195.133.87.173/address_shops.php?city=a'' union all select distinct text as address from dba_source-- -&debug

we found a package named SHOP_PRIVATE_PKG owned by PHD_IV_OWNER2. Using the functions provided in this package, such as GET_PRODUCT_CATEGORY, GET_PRODUCT_QUANTITY, etc., we'll have access to SECRET_PRODUCTS, because the package runs with its owner's privileges rather than the caller's. But how do we inject a custom payload? From the db dump it is clear that the GET_PRODUCT_QUANTITY function has an injection point:

select p.quantity
from secret_products p
where 1 = 1
and p.name = ''' || P_PRODUCT_NAME|| '''';
where P_PRODUCT_NAME is the argument we pass to the function. Selecting from the table SECRET_PRODUCTS through this function works because the package runs with the rights of its owner, so we can dump the table.
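To make the bug concrete from the defender's side, here is an added example (not the challenge's own package source) showing the concatenating function beside a version that passes the name as a bind variable; the package, table and column names are assumed from the dump above.

```sql
-- Constructed illustration of the bug described above; not the
-- challenge's real SHOP_PRIVATE_PKG source, and the columns of
-- SECRET_PRODUCTS beyond NAME and QUANTITY are assumed.
CREATE OR REPLACE PACKAGE shop_private_pkg AS
  FUNCTION get_product_quantity_unsafe(p_product_name IN VARCHAR2) RETURN NUMBER;
  FUNCTION get_product_quantity(p_product_name IN VARCHAR2) RETURN NUMBER;
END shop_private_pkg;
/

CREATE OR REPLACE PACKAGE BODY shop_private_pkg AS
  -- The shape seen in the dump: the argument is spliced into the SQL
  -- text, so a single quote in p_product_name closes the literal and the
  -- remainder of the argument is parsed as SQL. Because a PL/SQL unit
  -- defaults to AUTHID DEFINER, that SQL runs with the package owner's
  -- table privileges, not the caller's, which is what made the table
  -- reachable for a user with no grants on it.
  FUNCTION get_product_quantity_unsafe(p_product_name IN VARCHAR2)
    RETURN NUMBER IS
    v_sql VARCHAR2(4000);
    v_qty NUMBER;
  BEGIN
    v_sql := 'select p.quantity from secret_products p where 1 = 1 '
          || 'and p.name = ''' || p_product_name || '''';
    EXECUTE IMMEDIATE v_sql INTO v_qty;
    RETURN v_qty;
  END get_product_quantity_unsafe;

  -- Hardened form: static SQL with the parameter as a bind variable, so
  -- the argument is only ever compared as data. If dynamic SQL were
  -- unavoidable, EXECUTE IMMEDIATE ... USING p_product_name gives the
  -- same guarantee. Reviewing the package with AUTHID CURRENT_USER is a
  -- separate question: it stops the package lending the owner's rights,
  -- but also breaks the intended lookup for low-privilege callers.
  FUNCTION get_product_quantity(p_product_name IN VARCHAR2)
    RETURN NUMBER IS
    v_qty NUMBER;
  BEGIN
    SELECT p.quantity
      INTO v_qty
      FROM secret_products p
     WHERE p.name = p_product_name;
    RETURN v_qty;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RETURN NULL;  -- unknown product: no row, and no error text to probe
  END get_product_quantity;
END shop_private_pkg;
/
```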
Here is the script to extract the flag:
http://pastebin.com/HBngV1SW
Razor4x
