WEBVERSE


medium | SQL Injection | Pro

SideBinder

Hometail's pet browse endpoint was the first thing built in 2017 and the team moved fast. Internal staff notes share the same database.

The Scenario

Hometail's browse endpoint was the first thing built in 2017 and the team moved fast — get shelters listed, get adopters scrolling, ship before the Petfinder integration deadline. Internal staff notes — observations about pets and applications — live in the same database because that's where the staff portal stores them. One of those notes happens to record an internal support hotline that adopters were never supposed to see.

Challenge Intel

Synopsis

Hometail's pet-browse query is concatenated. Pivot a UNION across to the staff_notes table to find a private internal support number.

What It Is

Hometail is a free pet adoption platform connecting shelters with adopters. The /browse endpoint accepts a species filter via URL, splices it directly into a 9-column SELECT, and renders the rows as pet cards. Shelter staff log internal observations in a staff_notes table that lives in the same SQLite file. The lesson is the cross-table UNION pivot: the search returns pet data, but you can extract data from any table in the same database by matching column counts and types in the UNION.
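As an added illustration, not code from the challenge or from Hometail, the Python below builds a constructed in-memory SQLite database with a 9-column pets table and a staff_notes table (the column names are assumptions) and contrasts the concatenated query the page describes with a parameterized query and an allowlist check. The constructed tautology payload shows that the concatenated form lets the filter value alter the statement, while the bound form treats the same string as a literal that matches nothing.

```python
import sqlite3

# Constructed sample schema (not Hometail's real schema): a 9-column pets table,
# matching the column count the page describes, plus staff_notes in the same file.
SCHEMA = """
CREATE TABLE pets (
    id INTEGER PRIMARY KEY, name TEXT, species TEXT, breed TEXT, age INTEGER,
    sex TEXT, shelter TEXT, description TEXT, photo_url TEXT
);
CREATE TABLE staff_notes (id INTEGER PRIMARY KEY, pet_id INTEGER, note TEXT);
"""

# Constructed sample rows.
SAMPLE_PETS = [
    (1, "Biscuit", "dog", "beagle", 3, "M", "Northside", "Loves walks", "/img/1.jpg"),
    (2, "Mochi", "cat", "tabby", 2, "F", "Northside", "Shy at first", "/img/2.jpg"),
    (3, "Rex", "dog", "mix", 5, "M", "Eastside", "House trained", "/img/3.jpg"),
]

PET_COLUMNS = "id, name, species, breed, age, sex, shelter, description, photo_url"

# Hypothetical allowlist of filter values the UI actually offers.
ALLOWED_SPECIES = {"dog", "cat", "rabbit"}


def open_db():
    """Create the constructed database in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO pets VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_PETS)
    conn.execute("INSERT INTO staff_notes VALUES (1, 2, 'constructed internal note')")
    return conn


def browse_concatenated(conn, species):
    """The pattern the page describes: the filter value is spliced into the SQL
    text, so any quote in `species` ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT {PET_COLUMNS} FROM pets WHERE species = '{species}'"
    return conn.execute(sql).fetchall()


def browse_parameterized(conn, species):
    """Hardened form: the value is bound as a parameter. SQLite never parses it
    as SQL, so a quote or a UNION in the value is just characters to compare."""
    sql = f"SELECT {PET_COLUMNS} FROM pets WHERE species = ?"
    return conn.execute(sql, (species,)).fetchall()


def browse_allowlisted(conn, species):
    """Defense in depth: reject anything outside the known filter values before
    a query is built at all, then still use the bound form."""
    if species not in ALLOWED_SPECIES:
        raise ValueError("unknown species filter")
    return browse_parameterized(conn, species)


if __name__ == "__main__":
    db = open_db()
    tautology = "dog' OR '1'='1"  # constructed breakout value
    print("concatenated, normal:", len(browse_concatenated(db, "dog")))
    print("concatenated, breakout:", len(browse_concatenated(db, tautology)))
    print("parameterized, breakout:", len(browse_parameterized(db, tautology)))
```

The same contrast holds for any UNION-shaped value: the concatenated query would accept a second SELECT against any table in the file, while the bound query compares the whole string against the species column and returns nothing. Because staff_notes shares the file, parameterization is the fix that matters; splitting staff data into a separate database or opening the browse connection with read access to the pets table only would additionally limit what a future concatenation bug could reach.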

Who It's For

Players who know the UNION pattern and want practice pivoting away from the original SELECT's target table.

Skills You'll Practice

  • Identifying SQLi in a species filter parameter
  • ORDER BY column-count probing (9 columns)
  • Cross-table UNION extraction via sqlite_master enumeration
  • Mapping arbitrary table columns into the rendered slot

What You'll Gain

  • Reflex for cross-table UNION pivots
  • Pattern recognition for staff/internal tables as flag targets
