# [EN] LoTuX CTF Min 1

###### tags: `Writeup` `Web` `Chinese`

> [name=Curious]

## Train of Thought & Solution

Continuing from the previous question [LoTuX CTF Min 0](https://hackmd.io/@LoTuX-CTF/LoTuX_CTF_Min_0_CH), you can obtain the source code of this website. Analyzing it, you can see the following in `profile.php`:

```php
$query = "SELECT * FROM users WHERE username = '" . $_SESSION["username"] . "'";
```

The session value is concatenated directly into the query, which can lead to SQL injection, so we need to register a user whose `username` is the payload.

Furthermore, as we learned from the previous question, reverting to the previous commit provides the database initialization file `init.sql`, so we can infer that the flag is in the `content` column of the `secret` table.

Therefore, you can register the username `' UNION SELECT id, tag, content, NULL FROM secret #` to obtain the flag in `/profile.php`.
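The fix for the `profile.php` query above is to bind the session value instead of concatenating it. The following is an added example, not code from the challenge or the original writeup. It assumes PDO with an in-memory SQLite database; the `users` columns, the helper names `register_user` and `load_profile`, and the placeholder secret are constructed for illustration.

```php
<?php
// Added example. Constructed schema in in-memory SQLite (assumption: the
// challenge's real database and the users columns are not shown on the page).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                                password TEXT, bio TEXT)");
$pdo->exec("CREATE TABLE secret (id INTEGER PRIMARY KEY, tag TEXT, content TEXT)");
$pdo->exec("INSERT INTO secret (tag, content) VALUES ('flag', 'PLACEHOLDER{constructed}')");

// Hypothetical registration helper: the username is stored verbatim and would
// later be copied into $_SESSION["username"] at login.
function register_user(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Hardened profile lookup: the session value is bound as data, so quotes and
// SQL keywords inside it are never parsed as part of the statement.
function load_profile(PDO $pdo, string $sessionUsername): array
{
    $stmt = $pdo->prepare("SELECT id, username, bio FROM users WHERE username = ?");
    $stmt->execute([$sessionUsername]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$stored = "' UNION SELECT id, tag, content, NULL FROM secret #"; // username from the writeup
register_user($pdo, 'alice', 'constructed-password');
register_user($pdo, $stored, 'constructed-password');

// What profile.php builds by concatenation (printed only, never executed here).
$concatenated = "SELECT * FROM users WHERE username = '" . $stored . "'";
echo "concatenated: $concatenated\n";

// The bound lookup matches only the row whose username is that literal string.
$rows = load_profile($pdo, $stored);
$leaked = false;
foreach ($rows as $row) {
    $leaked = $leaked || in_array('PLACEHOLDER{constructed}', $row, true);
}
printf("bound lookup: %d row(s), username matches stored value: %s, secret leaked: %s\n",
    count($rows),
    $rows[0]['username'] === $stored ? 'yes' : 'no',
    $leaked ? 'yes' : 'no');
```

The value is server-side session data, yet it originated from user input at registration, which is why it needs the same binding as any request parameter.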