Tags: sqli 

1. Note the template string that interpolates values from the request body directly into the SQL query.

2. Note that the bodyParser library is used with the `extended` option, which parses arbitrary nested objects out of the request body.

3. Send a POST whose request body carries an SQL injection in the password and also overrides the `includes` field of `password`:

- `username=admin&password=' or true --&password[includes]=undefined`

4. Get the flag: `dice{sq1i_d03sn7_3v3n_3x1s7_4nym0r3}`
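The two weaknesses above have straightforward fixes, shown here as an added defensive example that is not the challenge's code and not from the writeup's author: refuse request-body fields that are not plain strings (which is what `extended` parsing lets a client smuggle in through `password[includes]=...`), and bind user input as query parameters instead of interpolating it into a template string. The query shape, column names and the `handleLogin` wrapper are assumptions for illustration.

```javascript
// Added defensive example; not the challenge's code and not from the writeup's author.

// Constructed stand-in for what body-parser's urlencoded({ extended: true }) yields
// for the writeup's payload: `password[includes]=undefined` becomes a nested object,
// so `password` is no longer a string.
const BODY_FROM_WRITEUP_PAYLOAD = {
  username: 'admin',
  password: { includes: 'undefined' },
};

// Constructed ordinary login body whose password contains SQL metacharacters.
const BODY_WITH_QUOTE = { username: 'admin', password: "' or true --" };

// Vulnerable pattern from step 1: request-body values interpolated straight into SQL.
// Kept only to contrast its output with the parameterized builder below.
function buildQueryUnsafe(body) {
  return `SELECT * FROM users WHERE username = '${body.username}' AND password = '${body.password}'`;
}

// Type guard: every credential field must be a primitive string of sane length.
// Objects and arrays (which extended parsing can produce) are rejected outright, so a
// client cannot hand the server a value whose own `includes` property shadows the
// String method a filter would call.
function validateCredentials(body) {
  const errors = [];
  for (const field of ['username', 'password']) {
    const value = body[field];
    if (typeof value !== 'string') {
      const kind = Array.isArray(value) ? 'array' : value === null ? 'null' : typeof value;
      errors.push(`${field}: expected string, got ${kind}`);
    } else if (value.length === 0 || value.length > 128) {
      errors.push(`${field}: length must be 1..128`);
    }
  }
  return errors;
}

// Hardened builder: validates types, then returns a parameterized statement in the
// { text, values } shape used by node-postgres style drivers (assumed here). The
// user-supplied text never becomes part of the SQL; `' or true --` is just a bound
// value. A real application would compare a password hash rather than the plaintext.
function buildQuerySafe(body) {
  const errors = validateCredentials(body);
  if (errors.length > 0) {
    throw new TypeError(`rejected login body: ${errors.join('; ')}`);
  }
  return {
    text: 'SELECT id FROM users WHERE username = $1 AND password = $2',
    values: [body.username, body.password],
  };
}

// Request-handler shaped wrapper (hypothetical): returns an HTTP status plus either
// the query to run or the validation error, so a malformed body fails closed with 400.
function handleLogin(body) {
  try {
    return { status: 200, query: buildQuerySafe(body) };
  } catch (err) {
    return { status: 400, error: err.message };
  }
}
```

With the writeup's payload, `handleLogin` returns 400 before any SQL is built, because `password` arrives as an object; with an ordinary body the quote-laden password is passed to the driver as `values[1]` and never touches the statement text.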

Original writeup (https://gist.github.com/AshishMahto/48eeee18b497036261df7ae274644c97/).