NoSQL injection here on MongoDB. Just a bit of google to found out https://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/ where the solution is kinda written in plain.
Payload was this: http://188.8.131.52/challenges_x/final/lph/blog.php?id[$ne]=1 that show us all article in the database except the one that has id=1. The SQL equivalent is: "select * from users where id!=1".
This task was a very easy one: strcmp() bypass trick.
A login form is provided with username and password passed via POST method, using the strcmp() attack the request will look like this:
treating password as an array will let us pass the login.