In this challenge a login was provided. You can login it with the credentials that the challenge provide you. After some fuzz we noticed that we can login just using physicist as userid and ‘ or 1=‘1 as password. This is clearly a sort of injection. The we tryed inject ’ or user() and 1=‘1 for see if we were injecting into a SQL query type but we had no luck. So we guessed it was XPath and tryed: ‘ or count(//*) and 1=‘1 and this goes right. Now that we know what type of injection it is we can start dump the flag (which is the password of the account):

Flag: !from_a_local_bookbinder_to_electromagnetism!

nurfed, Razor4x