Union-Based

A WAF strips forbidden SQL keywords. Inject OFFSET inside reserved words (SELECT → SELOFFSETECT) so after the WAF removes OFFSET the original keyword is reconstructed, landing a UNION SELECT to dump the flag.

The server reads a base64-encoded JSON cookie containing an ID field and passes it unsanitised into a SQL query. Inject a UNION SELECT payload inside the JSON, re-encode as base64, and set the forged cookie to extract the flag in three phases.