SQLi 10: Data Leak

Goal: leak the hidden admin discount code from another table.

Hints
  • The query expects two columns back.
  • This endpoint trusts raw numeric input without quotes.
  • Think about combining the normal result set with your own rows.

Why this works

Unsafe interpolation in SQL lets attackers change the entire query shape and read data from tables the endpoint was never meant to expose.
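
The vulnerable pattern described above, next to its fix. This is an added example, not the lab's own code: the schema, the table and column names, the function names and the sample code value are all constructed for illustration, and SQLite stands in for whatever database the endpoint uses.

```python
import re
import sqlite3

# Constructed input: a numeric-looking prefix followed by extra SQL.
CRAFTED = "0 UNION SELECT owner, code FROM discount_codes"

def make_db():
    """Build an in-memory database with a constructed schema (names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE discount_codes (owner TEXT, code TEXT);
        INSERT INTO products VALUES (1, 'mug', 9.5), (2, 'shirt', 20.0);
        INSERT INTO discount_codes VALUES ('admin', 'CONSTRUCTED-CODE');
    """)
    return db

def lookup_unsafe(db, raw_id):
    """Vulnerable: the raw value becomes part of the SQL text, unquoted."""
    sql = f"SELECT name, price FROM products WHERE id = {raw_id}"
    return db.execute(sql).fetchall()

def lookup_safe(db, raw_id):
    """Hardened: allow-list the format, then bind the value as a parameter."""
    if not isinstance(raw_id, str) or not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be 1-9 ASCII digits")
    sql = "SELECT name, price FROM products WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

def lookup_bound_only(db, raw_id):
    """Binding alone: the value is compared as data, never parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE id = ?"
    return db.execute(sql, (raw_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal :", lookup_unsafe(db, "1"))
    print("unsafe, crafted:", lookup_unsafe(db, CRAFTED))
    print("bound,  crafted:", lookup_bound_only(db, CRAFTED))
    try:
        lookup_safe(db, CRAFTED)
    except ValueError as exc:
        print("safe,   crafted: rejected:", exc)
```

With a bound parameter the query text is fixed before the value arrives, so the input cannot add clauses or reach another table; the format check on top of it rejects malformed ids early and gives the application something to log.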