Showing posts from April, 2019

2019 Stonecutters - Bleeding Gums

In honor of Bleeding Gums Murphy, who passed away 24 years ago today; I thought it would be nice to pay tribute to him by publishing my write-up for the Stonecutter's "Bleeding Gums"challenge.

RIP Bleeding Gums
Bleeding Gums was an empty website aside from a single search field as seen below:

When I searched for the letter "a", I saw the table below:

Search Results
When I searched for the letter "b", I saw a smaller data set returned and some of the artists were different.

Next, I searched for years and album titles but the query only seemed to search for Artists.
Searching for ' gave me the following SQL error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ')'' at line 1

I threw sqlmap at it but I wasn't able to get anything out of it. I then started to play with the injection manually.

With this particular challenge, I notice…