Additional SQLi attack in registration servlet not counted as passed challenge -- register as administrator

[julianthome]

It is possible to run a SQLi attack through the register.jsp servlet that allows new users to register as administrator.

1. Go to register.jsp
2. Put in H@ans','ADMIN','12345') in the username field
3. Put 12345 in the password fields
4. Click register button
5. Go to admin.jsp where the user is listed as root user