Given this code:

```
$username = mysqli_real_escape_string($db, $username); // prevent SQL injection
$password = md5(md5($password, true), true);
$res = mysqli_query($db, "SELECT * FROM users WHERE username = '$username' AND password = '$password'");
```

`$password` is hashed with `md5(..., true)`, which returns the raw digest bytes, and those bytes are placed in the query without escaping. We just need to find an input whose output gives SQL injection. We modified hasherbasher (https://github.com/gen0cide/hasherbasher) to accept md5(md5(input)) instead. We found `6pNKKedhmuEETxbpHVK` as the input, which gives output containing the SQL injection payload `xgCߩ#i��b_'oR'6`.
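The example below is added here and is not from the original writeup or the challenge. It models the same query in Python, with SQLite standing in for MySQL, and shows that binding the digest as a parameter closes the hole. The table contents, the function names and the 16-byte `CONSTRUCTED_DIGEST` (shaped like the payload above, not the digest of any real input) are assumptions made for illustration.

```python
import hashlib
import sqlite3

# Constructed 16-byte value shaped like the page's payload ('oR'6 in the
# middle); it is NOT the real digest of any input.
CONSTRUCTED_DIGEST = b"\x8a\x11Zq'oR'6\xc3\x02k\x9f\x10\x7f\xee"


def double_md5_raw(password: str) -> bytes:
    """Equivalent of PHP md5(md5($password, true), true): 16 raw bytes."""
    return hashlib.md5(hashlib.md5(password.encode()).digest()).digest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the users table (constructed account)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password BLOB)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", double_md5_raw("constructed-secret")))
    return db


def login_interpolated(db, username: str, digest: bytes) -> bool:
    """The page's pattern: username is safe, raw digest is pasted in quotes."""
    text = digest.decode("latin-1")  # one character per digest byte
    sql = f"SELECT 1 FROM users WHERE username = ? AND password = '{text}'"
    return db.execute(sql, (username,)).fetchone() is not None


def login_bound(db, username: str, digest: bytes) -> bool:
    """Hardened: the digest is bound as data and never parsed as SQL."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, digest)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("interpolated:", login_interpolated(db, "admin", CONSTRUCTED_DIGEST))
    print("bound:       ", login_bound(db, "admin", CONSTRUCTED_DIGEST))
```

In the PHP original, the corresponding fix is a prepared statement (`mysqli_prepare` with `mysqli_stmt_bind_param`) instead of string interpolation.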

Original writeup (https://hackmd.io/@vidner/nullcon-sksd#Loginbytepass-web).