Trace Control
Trackboard, an internal issue tracker, rolled to production with display_errors accidentally left on. Its /issues page has a numeric id param and a loose sense of type safety. Coax a database error to tell you what you need.
The Scenario
Trackboard is the bug tracker your ops team lives in. A late-night deploy kicked `display_errors=1` into production because the release candidate never had its php.ini re-checked. You've got a few hours before the next deploy — make them count.
Challenge Intel
Synopsis
A medium-difficulty SQL injection lab against an internal tracker with verbose errors left switched on in production.
What It Is
Trackboard is an internal issue tracker that quietly shipped with developer-mode error output enabled. Combined with a numeric-looking parameter that doesn't actually enforce types, the page becomes a friendly environment for error-based SQL injection. Expect a realistic mix of stack-trace leakage and classical union-style thinking.
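The deployment mistake behind this lab is the kind a release gate can catch. The sketch below is an added example, not part of the challenge or of Trackboard: it audits php.ini text for the error-output directives before a deploy. The function names, the sample file and the policy of requiring explicit values are assumptions made for illustration.

```python
# Added example: release gate for the php.ini error-output directives.
MUST_BE_OFF = ("display_errors", "display_startup_errors")
MUST_BE_ON = ("log_errors",)
OFF_VALUES = {"", "0", "off", "false", "no", "none"}  # matched case-insensitively

def parse_ini(text):
    """Return {directive: value}. A later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Directive names are case-sensitive in PHP, so keep the key as written.
        settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings

def audit(text):
    """Return a list of (directive, problem) findings; empty means pass."""
    settings = parse_ini(text)
    findings = []
    for name in MUST_BE_OFF + MUST_BE_ON:
        value = settings.get(name)
        if value is None:
            # display_errors is on by PHP's built-in default, so absence is not safe.
            findings.append((name, "not set explicitly"))
        elif name in MUST_BE_OFF and value not in OFF_VALUES:
            findings.append((name, f"enabled ({value})"))
        elif name in MUST_BE_ON and value in OFF_VALUES:
            findings.append((name, "disabled"))
    return findings

# Constructed sample: a hardened file with a debugging override appended later.
RELEASE_INI = """\
[PHP]
display_errors = Off
display_startup_errors = Off
log_errors = On
; temporary override added while testing the release candidate
display_errors=1
"""

if __name__ == "__main__":
    import sys
    results = audit(RELEASE_INI)
    for name, problem in results:
        print(f"FAIL {name}: {problem}")
    sys.exit(1 if results else 0)
```

Passing this gate only closes the error channel; the id parameter still needs integer validation and a parameterised query.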
Who It's For
Mid-level testers who want to practise error-based SQLi with fast, legible feedback.
Skills You'll Practice
- Error-based SQL injection
- Exploiting weak parameter type handling
- Reading stack traces for schema clues
- Union-style data recovery
- Diagnosing misconfigured production runtimes
What You'll Gain
- Speed and comfort with error-driven SQLi workflows
- An eye for deployment misconfigurations that leak internals
- Familiarity with how verbose errors short-circuit discovery
- A rounded complement to blind-SQLi practice