WEBVERSE

Difficulty: hard | Category: SQL Injection | Free

Shadow Registrar

RegistryPro's WHOIS terminal returns three things: a status word, a reflected domain name, and a lookup time. The query layer accepts stacked statements. Everything you need leaks through the clock.

The Scenario

RegistryPro is a domain registrar that has been quietly serving small hosting resellers out of Dublin since 2008, with a public lookup page that has barely changed since the original CTO wrote it. A junior on the UX team redesigned the terminal last spring, surfaced a few extra diagnostics in the response, and shipped the change without anyone on the backend side reviewing what those diagnostics actually exposed. The original CTO retired in 2021 and nobody else really knows the driver layer.

Challenge Intel

Synopsis

A hard SQL injection lab where the only reliable signal is how long a query takes to return.

What It Is

RegistryPro's public domain-lookup terminal runs on a legacy driver that still permits multiple statements per query. The interface surfaces lookup latency as a UX nicety, but that latency is more than cosmetic — it's a clean side channel once you know how to drive it. A thorough workout in time-based blind SQL injection against a realistic stack.
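The two weaknesses named above, a driver that runs stacked statements and a response that reports precise lookup latency, are both fixable at the lookup handler. The following is an added example written for this page, not RegistryPro's code or the lab's own source: a hardened version of a three-field WHOIS lookup (status word, reflected domain, lookup time) backed by a constructed in-memory SQLite table, using Python's `sqlite3` single-statement API as a stand-in for a driver with multi-statement support switched off.

```python
import re
import sqlite3
import time

# Constructed stand-in for the registrar's lookup table; not the lab's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domains (name TEXT PRIMARY KEY, status TEXT)")
    db.executemany("INSERT INTO domains VALUES (?, ?)",
                   [("example.com", "registered"), ("free-name.ie", "available")])
    return db

# Conservative hostname syntax: quotes, semicolons and whitespace never pass.
DOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9-]{1,63})+$")

def lookup(db, raw):
    """Hardened WHOIS lookup: validate, bind, one statement, coarse timing."""
    domain = raw.strip().lower()
    if not DOMAIN_RE.match(domain):
        # Reject rather than reflect: unvalidated input never reaches SQL or the response.
        return {"status": "invalid", "domain": None, "ms": 0}
    start = time.perf_counter()
    # execute() binds the value as data and accepts exactly one statement,
    # so a trailing ';' in the input cannot become a second query.
    row = db.execute("SELECT status FROM domains WHERE name = ?", (domain,)).fetchone()
    elapsed_ms = (time.perf_counter() - start) * 1000
    # Quantise the reported latency to 50 ms steps so it stays a UX figure
    # rather than a measurement channel for per-query timing differences.
    return {"status": row[0] if row else "unregistered",
            "domain": domain,
            "ms": int(elapsed_ms // 50) * 50}

def driver_rejects_stacked(db):
    """Confirm the single-statement API refuses two statements in one call.
    sqlite3 raises ProgrammingError (older versions: Warning) for this."""
    try:
        db.execute("SELECT 1; SELECT 2")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False
```

The check in `driver_rejects_stacked` is the property to verify on any production driver: if it silently runs the second statement, stacked queries are live regardless of how the handler is written.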

Who It's For

Intermediate-to-advanced testers sharpening their time-based blind SQLi craft.

Skills You'll Practice

  • Time-based blind SQL injection
  • Stacked-query reasoning on legacy drivers
  • Side-channel extraction using latency
  • Building reliable timing oracles
  • Schema recovery under minimal feedback

What You'll Gain

  • Real experience turning a timing gauge into a data channel
  • Patterns for stable timing oracles under network noise
  • Respect for the risk profile of multi-statement drivers
  • A cleaner mental model of blind SQLi variants

Ready to hack Shadow Registrar?

This challenge is free. Sign up and start hacking.