tl;dr Rename table and exploit SQL Injection to get the flag. # Challenge Description Who let the blacklists out? # Source Code 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 <?php require('database.php'); $user = $_GET['user']; $pass = $_GET['pass']; if (!isset($user) || !isset($pass) || preg_match_all('/(select|union|where|\(|\.|\')/i', $user.$pass)) { highlight_file(__FILE__); exit; } $mysql = get_db(); $mysql->multi_query("SELECT * FROM `users` WHERE `username` = '${user}' AND `password` = '${pass}'"); do { if ($result = $mysql->store_result()) { if ($row = $result->fetch_assoc()) { echo json_encode($row) .