Shadow Registrar
RegistryPro's WHOIS terminal returns three things: a status word, a reflected domain name, and a lookup time. The query layer accepts stacked statements. Everything you need leaks through the clock.
The Scenario
RegistryPro shipped their public WHOIS lookup years ago on a legacy mysqli driver that still enables multi-statement execution. The UX team "modernised" the page by surfacing lookup latency — unaware that the timing channel is more than cosmetic. Make the registrar count.
Challenge Intel
Synopsis
A hard SQL injection lab where the only reliable signal is how long a query takes to return.
What It Is
RegistryPro's public domain-lookup terminal runs on a legacy driver that still permits multiple statements per query. The interface surfaces lookup latency as a UX nicety, but that latency is more than cosmetic — it's a clean side channel once you know how to drive it. A thorough workout in time-based blind SQL injection against a realistic stack.
Who It's For
Intermediate-to-advanced testers sharpening their time-based blind SQLi craft.
Skills You'll Practice
- Time-based blind SQL injection
- Stacked-query reasoning on legacy drivers
- Side-channel extraction using latency
- Building reliable timing oracles
- Schema recovery under minimal feedback
What You'll Gain
- Real experience turning a timing gauge into a data channel
- Patterns for stable timing oracles under network noise
- Respect for the risk profile of multi-statement drivers
- A cleaner mental model of blind SQLi variants