Review: SQLi Labs (

Our crew likes to take on a good CTF pretty regularly, and a little while back we saw that the team at NotSoSecure was planning on holding an SQLi CTF in mid-April this year (right around the corner). They also offer access to a VPN containing a ton of SQLi challenges on a variety of backend databases including Postgres, MS SQL 2008 and Oracle – not just the standard MySQL.

I signed up just on a month ago today, got my SQLi on, and figured it was worthy of review.

Payment and Registration
First things first. How much? $99 American dollarinos gets you 30 days access to the lab via VPN. Pretty reasonable. I paid via Paypal, but if for some reason you can’t (or won’t), the guys will accommodate you as best they can with an alternative payment method. It took around 2 days for the registration to process, and I was emailed my creds (yeah I know, but hey … $99…) along with the PPTP VPN endpoint to connect to (I know, I know…but again…$99…) and I was away. If you want, you can reach out to the NotSoSecure team before paying and let them know that you’d like a delayed start to the 30 days (great for those times where you have the training $$$ to spend, but not the time on hand to put into the labs), and they’ll help you out with that. If 30 days isn’t enough, the guys will happily relieve you of another $99 USD to extend your stay another month.

Accessing the SQLi Labs
So I mentioned access is via PPTP VPN – I had a little hurdle with my setup on Kali, but all worked after manually adding a route. VPN stability is pretty good once you are connected, but there were a few times where I had to wait 10 or so minutes to get the connection to stick.

Training Material
For those big bucks, you shall receive:
  • Instructional PDF;
  • 27 SQLi challenges, each containing a target and a flag to retrieve;
  • Written solution for each challenge, with a varying degree of educational information;
  • Video walkthroughs for each solution, which are pretty detailed and contain a good amount of additional information; and
  • A certificate of participation.

The videos are great for those particular attacks or concepts that aren’t absorbed into your brain immediately, and the written solutions contain links to additional material that help explain these in more detail. The topics covered in the lab material include:

  • Authentication Bypass
  • Data Extraction
    • Error based
    • Union based
    • Blind SQLi
    • DNS Exfiltration
    • Bypass WAF/Black Listing
  • Advanced Exploitation
    • File read/write
    • Code execution
  • Advanced Identification/Exploitation
    • Order by/group by
    • Double Encoding/decoding
    • Injection in Insert/Update
    • Other HTTP fields
    • Injection in stored procedures
    • 2nd order Injections
    • GBK encoding
    • UTF-7 decoding
    • Truncation issues

Thoughts and comments
Personally, for $99, I think this is great value if you’re interested in expanding your SQLi skills, or just want an environment to go nuts in with sqlmap on differing platforms. One thing that was great about the lab is that it’s not set up for non-stop automated pounding from sqlmap for each challenge – there was quite a bit of manual URL, field and proxy probing which helps solidify the concepts being demonstrated. There’s a clear escalation in complexity as the challenges progress, introducing filtering and escaping to thwart your injections as you move towards the advanced challenges, and concepts like truncation, second order injections and of course code execution to represent real world scenarios. It really is a mix between a lab and a course – you’re not left wondering how to attack a particular db as the videos walk you through the process. I found myself a couple of times carefully checking the first part of a particular challenge answer (both the PDFs and creeping through the video solutions) just to get a bit of a hint on the vector, then quickly going back to the lab to try it myself.
Some of the presentation material wasn’t 100% (spelling/grammar) but it wasn’t a huge deal. To indulge my OCD side, the numbering of each file in the training material package and the order of the challenges could also have been tweaked to give it that corporate shine, but none of these minor issues detracted from the content and effectiveness of the lab. I’ve already mentioned a few connection issues, but again – minor. Other improvements could include encrypted lab access passwords and SSL or IPSEC VPN connectivity, but at the current price, this is hardly unforgivable. SQLi Labs is a perfectly priced playground with no frills and a guarantee that you’ll finish up knowing more than you did about SQLi (and probably have some fun too). I’d definitely recommend this to anyone with an interest in expanding their injection skills.

UPDATE 2015-12-13
The labs are now hosted with Security-Tube.

sw1tch
