ShelfLabel
Cedar Books built their title-search the simplest way they could. Other tables share the database.
The Scenario
Cedar Books is a high-volume used-bookstore-by-mail out of Asheville. The
search bar across the top of every page was built in 2014 alongside the
rest of the catalog and never revisited — fast, direct, the kind of code
that ages from "good enough" into "load-bearing" without anyone noticing.
Warehouse operations notes live in the same database because that's where
the staff portal stored them in 2014 and no migration ever happened.
Challenge Intel
Synopsis
Use a UNION-based SQL injection in Cedar Books' search to read an entry from an internal-notes table that shares the database.
What It Is
Cedar Books is a used-bookstore-by-mail. Their search bar searches the books table via a LIKE clause built with string concatenation. The search results render seven columns and naturally fall back to showing whatever you UNION in. This is the canonical UNION-based SQLi exercise — find the column count, find a column that renders as visible text, pivot to a sensitive table. Framed against a real bookstore catalog UI rather than an abstract sqli-test endpoint.
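The query shape the challenge is built on, as an added defender-side example rather than the challenge's own code: the LIKE clause assembled by string concatenation, beside a parameterized version that also escapes LIKE wildcards. The SQLite schema, table names and rows are constructed stand-ins.

```python
import sqlite3


def build_db():
    # Constructed in-memory stand-in for the shared database: a books table
    # and a second table that search should never be able to reach.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE books(id INTEGER, title TEXT, author TEXT);
        INSERT INTO books VALUES (1, 'Cold Mountain', 'Charles Frazier');
        INSERT INTO books VALUES (2, '100% Wool', 'Anon');
        CREATE TABLE warehouse_notes(id INTEGER, body TEXT);
        INSERT INTO warehouse_notes VALUES (1, 'dock schedule in the binder');
    """)
    return conn


def search_unsafe(conn, q):
    # The 2014 pattern: user input spliced straight into the LIKE clause.
    # A single quote in q ends the string literal, so the rest of q becomes
    # SQL (a syntax error here, but arbitrary SELECTs for a crafted input).
    sql = "SELECT id, title, author FROM books WHERE title LIKE '%" + q + "%'"
    return conn.execute(sql).fetchall()


def escape_like(q, esc="\\"):
    # Bound parameters stop injection, but LIKE's own metacharacters
    # (% and _) would still let a user match every row; escape them too.
    return (q.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def search_safe(conn, q):
    # Parameterized: q is bound as data, never parsed as SQL, and the
    # ESCAPE clause makes the escaped wildcards match literally.
    sql = ("SELECT id, title, author FROM books "
           "WHERE title LIKE ? ESCAPE '\\'")
    return conn.execute(sql, ("%" + escape_like(q) + "%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(search_safe(db, "100%"))   # only the title containing a literal '100%'
    print(search_safe(db, "O'"))     # the quote is plain data: no rows, no error
```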
Who It's For
Players moving past 1' OR 1=1 -- who want to practice the column-count → column-type → UNION-extraction sequence on a realistic search results page.
Skills You'll Practice
- Quote-breaking SQLi in URL parameters
- Discovering column count via ORDER BY probing
- Identifying text-rendering columns via NULL+probe UNIONs
- Enumerating tables via sqlite_master
- Extracting data from a non-search table via UNION
What You'll Gain
- Confidence with the UNION sequence end-to-end
- Habit of treating any search result as a render-target for arbitrary SELECTs
Ready to hack ShelfLabel?
Upgrade to Pro to unlock this challenge and the full library.