SingleFile
Bound & Set's couple-search returns a single, tightly-formatted result per match. The same database holds more than registry entries.
The Scenario
Bound & Set's couple-search was the first endpoint built when the platform launched in 2018. The display layout — couple names plus wedding date in one rendered cell — has stayed the same through three redesigns of the rest of the site, because the brand designer baked it into the print materials and changing the web format would have meant reprinting the wedding-shop kits. The integration config for the partners side of the business shares the database.
Challenge Intel
Synopsis
Use UNION-based SQLi against a single-column search render. The trick is using GROUP_CONCAT to pack multiple rows or columns into the one visible cell.
What It Is
Bound & Set is a wedding registry platform. Their public couple-search at /find returns one rendered column per match (the couple's display string). The SELECT is built by string-concatenating the URL parameter into a LIKE expression on the registries table. The internal_kv table — holding integration secrets — lives in the same database. UNION-based extraction works, but each UNION row contributes only one visible value. To dump multiple rows or multiple columns of a target table efficiently, the player uses GROUP_CONCAT to pack the data into one string per UNION row.
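The flaw described above, next to its fix, as an added example that is not the challenge's own code. It assumes an in-memory SQLite database standing in for the MySQL one, hypothetical column names (`display`, `k`, `v`), and constructed sample rows and probe input.

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory SQLite stands in for the MySQL database.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE registries (display TEXT);
        CREATE TABLE internal_kv (k TEXT, v TEXT);  -- column names are assumed
        INSERT INTO registries VALUES ('Ana & Ben - 2024-06-01'),
                                      ('Cy & Dee - 2025-03-15');
        INSERT INTO internal_kv VALUES ('partner_api', 'PLACEHOLDER-1'),
                                       ('webhook', 'PLACEHOLDER-2');
    """)
    return db

def find_vulnerable(db, q):
    # Pattern from the description: the URL parameter is concatenated
    # straight into the LIKE expression, so it can change the statement.
    sql = "SELECT display FROM registries WHERE display LIKE '%" + q + "%'"
    return [row[0] for row in db.execute(sql)]

def find_parameterized(db, q):
    # Hardened form: the statement text is fixed and the value is bound.
    # LIKE wildcards in the input are escaped so they match literally.
    esc = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT display FROM registries WHERE display LIKE ? ESCAPE '\\'"
    return [row[0] for row in db.execute(sql, ("%" + esc + "%",))]

# Constructed test input of the UNION / GROUP_CONCAT shape the synopsis names.
PROBE = "zzz' UNION SELECT group_concat(k || '=' || v, ';') FROM internal_kv -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", find_vulnerable(db, PROBE))
    print("parameterized:", find_parameterized(db, PROBE))
    print("normal search:", find_parameterized(db, "Ana"))
```

With the bound parameter the probe is only a search string that matches no couple, so the single rendered column never carries data from `internal_kv`. Running the web application under a database account with no privileges on `internal_kv` would limit the damage even if the query were injectable.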
Who It's For
Players who know UNION-based SQLi and want practice on the single-column / multi-value extraction pattern.
Skills You'll Practice
- Single-column SELECT UNION extraction
- GROUP_CONCAT for multi-row / multi-column data packing
- MySQL information_schema enumeration
- WHERE-clause filtering in UNION queries to pinpoint a row
What You'll Gain
- Reflex for GROUP_CONCAT when render slots are limited
- Comfort with single-column UNION extraction