Recent Posts



SqliLab CTF, Wrap Up!

April 21, 2014

As you would have noticed from the noise on Twitter and other channels, the 2nd public CTF was a major success. Over 3000 registrations, ~7K unique IPs, 7 GB of logs (in 3 days) and heaps of fun. As with anything, we had some unwanted visitors, who tried to take…

Oracle Hacks Added to SQLi Lab

November 6, 2013

We have just added some more awesome challenges in Sqli Lab and thought it would be a good idea to share some insight about it. Note: David Litchfield’s book Oracle Hacker’s Handbook is the best resource to learn about these attacks. You can now practice a series of Oracle database hacks…

Hacking Oracle XE from Web

October 22, 2013

Note: You can practice the below-mentioned hack in our SQLi Lab. In the last few years, I have done a few talks/webinars on how to exploit SQL Injection in a web application which talks to an Oracle database. Particularly, how to execute OS code and do privilege escalation. You may want…

Penetration Testing: The Art or The Science?

September 20, 2013

So, I have been penetration testing for a while now. Over the years, I have seen penetration testing evolve dramatically. Back in the day, tools were not as smart as they are now. Now, we have state-of-the-art tools (Burp Pro, Netsparker, HP WebInspect to name a…

Pwning Postgres 9.1

September 12, 2013

I recently came across a Postgres-based SQL Injection in a web application. The database in question was the latest version (9.1). I was in luck and the back-end database user was “postgres”, which is the default superuser account in Postgres. If you recall, Postgres and PHP allow execution of…