TL;DR: The flag is in one of the database tables and can be retrieved with a select statement. [Full writeup here](https://github.com/ryan-cd/ctf/tree/master/interIUT-2020/mon_sql_injection_1).

Original writeup (https://github.com/ryan-cd/ctf/tree/master/interIUT-2020/mon_sql_injection_1).