Knife
A backdoored PHP 8.1.0-dev development build exposed via the X-Powered-By header accepted arbitrary OS commands through the User-Agentt header, giving a shell as james without credentials.
A backdoored PHP 8.1.0-dev development build exposed via the X-Powered-By header accepted arbitrary OS commands through the User-Agentt header, giving a shell as james without credentials.
A download endpoint reads arbitrary files, leaking the hMailServer admin MD5 hash; those mail credentials send a CVE-2024-21413 MonikerLink email that coerces a user's NetNTLMv2 hash, which cracks to a password for a WinRM shell and the user flag.
DNS zone transfer exposes a hidden admin subdomain whose login is bypassed with SQL injection; an authenticated command injection field then grants a shell as www-data.
A dev subdomain leaks its .git directory, whose history hides a hardcoded Ghost admin password; the Ghost 5.58 importer (CVE-2023-40028) reads arbitrary files via a symlink in an imported ZIP, leaking SSH credentials from the Ghost config for the user flag.
A Jenkins CI server on port 50000 had authentication disabled, allowing unauthenticated access to the Groovy Script Console and remote code execution as jeeves\kohsuke.
The fifth blind SQLi oracle — when the app leaks nothing in-band (no message, no delay, no error), make the database server itself phone home. An Oracle XMLType external-entity trick fires a DNS lookup to a host you control. Plus the cookie-encoding gotcha that decides whether the payload parses at all.
A Request Tracker ticketing system left on its documented default root/password login exposes an admin panel where a user's SSH password sits in clear text inside a comment field, granting a direct SSH foothold and the user flag.
A map of the blind SQL injection labs in this series. When the query result never reaches the page, you fall back to an oracle — a side channel that leaks one bit at a time, or sends the answer out-of-band entirely. This post lays out the five oracle flavours, how to pick the right one by what the app leaks, and links each to its walkthrough.
A PHP application passes user-supplied filenames directly to include() with no validation, enabling LFI that leaks a 13x base64-encoded password — decoding it yields SSH credentials for charix, who holds a VNC password file granting a root graphical desktop session.
The app leaks nothing — no message, no error, no status change — so we turn response time into a 1-bit oracle, wrap each guess in a CASE that only sleeps when it is correct, and binary-search the administrator password out of the database one character at a time.
An unauthenticated GraphQL endpoint leaks a HelpDeskZ user's MD5 password, and the HelpDeskZ 1.0.2 ticket viewer's blind SQL injection lets you brute-force a staff SHA1 hash one character at a time — the recovered credential logs straight into SSH for the user flag.
A PortSwigger Web Security Academy lab where the app gives back nothing — no message, no data, no status change — so the only oracle left is how long the response takes. A single pg_sleep makes the database stall on command and proves the injection.
An HTTPS service running OpenSSL 1.0.1 is vulnerable to Heartbleed (CVE-2014-0160), which leaks the passphrase for an encrypted RSA private key found in a world-accessible /dev/ directory, granting SSH access as hype.
A PortSwigger Web Security Academy lab where the query result is never shown — but the app leaks raw database errors, so a single CAST-to-int type error hands you the admin password in one request, no blind guessing required.
A guest-accessible IIS support portal leaks a partial Cisco router config; the reversible type-7 passwords decode instantly and the type-5 MD5crypt cracks with John, then credential reuse plus SMB RID-bruteforcing and password spraying yields a WinRM shell and the user flag.
A PortSwigger Web Security Academy lab with no conditional message and no data echoed back — but an unhandled SQL error toggles HTTP 500 vs 200, and a division-by-zero inside a CASE turns that into a one-bit oracle that leaks the admin password.
Gym Management Software 1.0 on port 8080 accepted unauthenticated PHP file uploads disguised as images, giving remote code execution as buff\shaun and the user flag.
A PortSwigger Web Security Academy lab where the query result never reaches the page — but a 'Welcome back' message that appears only when a row matches is enough to extract the admin password one character at a time.
An assume-breach Windows AD box where a writable SMB share lets you plant a malicious .library-ms ZIP (CVE-2025-24071) to coerce a user's NetNTLMv2 hash; cracking it and abusing a GenericAll/GenericWrite ACL chain via shadow credentials yields a service account with WinRM access and the user flag.
A product category filter is injectable, but the UNION query has only one string-typed column. Concatenating username and password into that single column dumps every credential and solves the lab.