Gain access to `nicholas`’s account

Difficulty: Hard

UnicornBox uses token-based authentication. The database stores a table that maps session tokens to users:

CREATE TABLE IF NOT EXISTS sessions (
    username TEXT,
    token TEXT,
    -- Additional fields not shown.
);

Whenever an HTTP request is received, the server checks for a session_token value in the cookie. If the cookie contains a token, the server selects the username corresponding to that token from the sessions table.

Your task: Gain access to nicholas’s account.

Tips

Cookie values may contain anything other than semicolons, which are used as delimiters in cookie syntax.
This solution has been tested on Chrome and Firefox. If you’re running into issues on other browsers, we recommend switching over to Chrome or Fiefox!
Consider looking into the UNION keyword to return the result of two queries without usage of a semicolon.
It is possible to select constants in SQL rather than selecting column names. For example, SELECT 1, 'foo', 'evan' will return a single row with 3 columns, with values of 1, 'foo' and 'evan'. You may find this useful if you can guess the format of the rows being selected in one of the server’s SQL queries.

Gain access to nicholas’s account

Tips

Gain access to `nicholas`’s account