sql-so-hard is an excellent challenge from the HITCON CTF 2017 Quals, written by orange.
The challenge text was (after a hint was released):
Shell please
http://localhost:31337/
Hint: [Here][target] is the target. But how to make the check FAIL?
The goal is to steal the flag (located in this instance at /flag) remotely.
To run the challenge locally on your machine:
docker run -p 127.0.0.1:31337:31337 -it adamdoupe/sql-so-hard
Once this completes you should be able to connect to the instance at http://localhost:31337