This challenge was written for Ruxcon CTF 2015. It's an SQL injection mixed with a remote code execution.