In this challenge a site under construction is provided; only a PNG banner is displayed. After a bit of directory brute-forcing we found that robots.txt contains an interesting link: /address_shops.php?city=Moscow . Following it, we get the source of the page: /address_shops.php~ . Now it's fairly clear that there is a SQL injection, and the task is to find a way to extract the secret product. After a bit of browsing the database we found our table:
http://220.127.116.11/address_shops.php?city=a'' union all select distinct table_name||owner as address from dba_tables-- -&debug
table SECRET_PRODUCT owned by PHD_IV_OWNER1. That's a pity, actually, since we are the PHD_IV user: we have no rights on that table, so we can't get its columns or its data.
So how do we do this? Browsing through the procedures and their code:
http://18.104.22.168/address_shops.php?city=a'' union all select distinct owner||OBJECT_NAME||procedure_name as address from all_procedures-- -&debug
http://22.214.171.124/address_shops.php?city=a'' union all select distinct text as address from dba_source-- -&debug
we found a package named SHOP_PRIVATE_PKG owned by PHD_IV_OWNER2. Using the functions provided in this package, such as GET_PRODUCT_CATEGORY, GET_PRODUCT_QUANTITY, etc., we'll have access to the SECRET_PRODUCTS. But how do we inject a custom payload? The db dump shows that the GET_PRODUCT_QUANTITY function has an injection point:
select p.quantity from secret_products p where 1 = 1 and p.name = ''' || P_PRODUCT_NAME || '''';
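
For reference, the concatenation pattern from the dump next to a bind-variable version of the same lookup. This is an added example, not code from the challenge: the function signatures, the NUMBER return type and the `_vuln`/`_safe` names are assumptions; only the query text comes from the fragment above.

```sql
-- Assumed shape of the function around the dumped fragment.
-- The parameter is spliced into the statement text, so its content is
-- parsed as SQL. PL/SQL units run with definer's rights by default, so the
-- statement executes with the package owner's privileges, not the caller's.
CREATE OR REPLACE FUNCTION get_product_quantity_vuln (p_product_name IN VARCHAR2)
  RETURN NUMBER
IS
  v_qty NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'select p.quantity from secret_products p where 1 = 1 and p.name = '''
    || p_product_name || ''''
    INTO v_qty;
  RETURN v_qty;
END;
/

-- Hardened form: the statement text is constant and the product name is
-- passed as a bind variable, so it is only ever compared as a value.
CREATE OR REPLACE FUNCTION get_product_quantity_safe (p_product_name IN VARCHAR2)
  RETURN NUMBER
IS
  v_qty NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'select p.quantity from secret_products p where p.name = :product_name'
    INTO v_qty
    USING p_product_name;
  RETURN v_qty;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN NULL;  -- unknown product: no row, no error text leaked to the caller
END;
/

-- A static "SELECT ... INTO v_qty ... WHERE p.name = p_product_name" has the
-- same effect; dynamic SQL is only needed when the statement shape varies.
```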