Just like v1 this one also has SQL injection but this time flag is not in contents of page 1 like last time. The Following query gave us the flag in base64: ?p=2,1 UNION SELECT * FROM flag