Untitled

A login page is shown when we try to access the website.


The challenge also comes with its source code, so let's review that first.

In database.sql we can see the flag stored as a toy name.


From routes/index.js we can see what happens when we request /api/toylists. It first checks our username. If it equals admin, then approved is set to 0 and listToys() is called with that value. If our username is not admin, listToys() is called with the default approved value, which is 1.


The listToys function is defined in database.js. It runs an SQL query selecting every row whose approved value equals the parameter passed in from routes/index.js above.


So we need to log in to the admin account, because the flag's approved value is 0. We can do this with SQL injection, since the user's input is passed directly into the login query.
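To make the root cause concrete, here is an added example (not the challenge's own code) contrasting a login query built by string concatenation, as the writeup describes, with a parameterised one, plus the approved-flag logic from routes/index.js. The table and column names (users, username, password) are assumptions.

```javascript
// Vulnerable pattern: user input is spliced straight into the SQL text,
// so any quote character in the input becomes part of the SQL grammar.
function buildLoginQueryUnsafe(username, password) {
  return "SELECT * FROM users WHERE username = '" + username +
         "' AND password = '" + password + "'";
}

// Hardened pattern: the SQL text is fixed and the values travel separately
// as bound parameters (the "?" placeholder style used by Node MySQL drivers).
function buildLoginQuerySafe(username, password) {
  return {
    text: "SELECT * FROM users WHERE username = ? AND password = ?",
    values: [username, password],
  };
}

// Count single quotes in a statement: an odd number means the input has
// closed the string literal early and the rest is now parsed as SQL.
function hasBrokenQuoting(sql) {
  return (sql.match(/'/g) || []).length % 2 === 1;
}

// Mirrors the routes/index.js logic described above: only the admin
// account is allowed to list toys whose approved flag is 0.
function approvedFilterFor(username) {
  return username === "admin" ? 0 : 1;
}

// Constructed inputs: a perfectly benign username containing an apostrophe
// is enough to show that the unsafe builder changes the statement's shape,
// while the parameterised text never changes no matter what the input is.
const unsafe = buildLoginQueryUnsafe("O'Brien", "hunter2");
const safe = buildLoginQuerySafe("O'Brien", "hunter2");
console.log(unsafe, hasBrokenQuoting(unsafe));        // true: literal broken
console.log(safe.text, hasBrokenQuoting(safe.text));  // false: text intact
console.log(approvedFilterFor("admin"), approvedFilterFor("guest")); // 0 1
```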


You can log in as admin with this payload