Command Injection & Other Injection Labs
When user input flows into shell commands or interpreted contexts unsafely, attackers can break out and execute arbitrary code. These labs teach you to recognise and exploit injection points in command-line, template, and similar contexts.
Injection bugs span shell command injection, OS command injection, template injection, and more. These labs use simulated but realistic backends so the exploits work the way they would in production targets.
Command Injection — Network Ping Tool
NetTools' diagnostic page lets users ping a host. The backend builds the ping command by concatenating the host name straight into a shell. Read the contents of /flag.
LDAP Injection — Filter Manipulation
DirectoryBox authenticates via LDAP — the username and password are concatenated into an LDAP filter. Inject LDAP filter syntax to bypass authentication.
NoSQL Injection — MongoDB Operator Bypass
MongoLogin accepts JSON authentication. The backend builds a MongoDB query directly from the request body. Inject MongoDB operators to bypass authentication and log in as admin without knowing the password.
XPath Injection — Login Bypass
XmlAuth stores users in an XML doc and authenticates by building XPath queries from form input. Inject XPath syntax to bypass authentication and log in as admin.
XXE — External Entity File Read
DocParse accepts XML uploads and parses them with external entities enabled. Inject an external entity reference that reads /etc/passwd from the server's filesystem.
Server-Side Template Injection — Email Preview
MarketingHub's email preview lets you write a template with {{name}} and {{company}} placeholders. The template engine accepts arbitrary expressions, not just variable names. Read the secret config value.