The server uses the following Python code, which escapes the username and applies the MD$5$ hash function to the password.

Warning: This target is significantly more difficult than the previous two SQL injection targets. We strongly urge you to start early.

$```$

from hashlib import md$5$

from flask import request

@app.route$("/$sqlinject$/2",$ methods$=["$POST$"])$

def login$()$:

username $=$ request.form$["$username$"]$

escaped$\_$username $=$ mysql$\_$real$\_$escape$\_$string$($username$)$

password$\_$bytes $=$ request.form$["$password$"].$encode$("$latin$-1")$

password$\_$digest $=$ md$5($password$\_$bytes$).$digest$().$decode$("$latin$-1")$

query $=$ "SELECT $*$ FROM users WHERE username$=\text{'}"+$ escaped$\_$username $+"\text{'}$ AND passwc

selected$\_$users $=$ mysql$.$execute$($query$).$fetchall$()$

if len$($selected$\_$users$)>0$:

return "Login successful!"

else:

return "Incorrect username or password."

$```$

This is more difficult than the previous two defenses. You will need to write a program to produce a working exploit. You can use any language you like, but we recommend Python $3.$

Please put all source files for your program into the sql$\_2-$src directory in the starter files. At submission, please archive this directory, making a ZIP file named sql$\_2-$src$.$zip.

Hint: If your script is taking a really long time to run, it may be worth designing an SQL injection that it will have an easier time finding. Consider looking at the W$3$ Schools SQL Operators page for some inspiration.