Web: SQLi Basics

Exploit a classic SQL injection to bypass login and retrieve the admin flag.

Nov 5, 2025

  • Category: Web Security
  • Difficulty: Easy
  • Goal: Bypass authentication and retrieve the flag from the admin dashboard.

Scenario

A legacy login form is vulnerable to SQL injection. Your job is to authenticate as admin without knowing the password.

The vulnerable query looks like this:

SELECT * FROM users WHERE username = '$USER' AND password = '$PASS';

Task

  • Identify an input that will make the WHERE condition true without a valid password.
  • After logging in, visit the dashboard to obtain the flag.

Hints

  • Remember how OR works in SQL conditions.
  • ' OR '1'='1 is a classic payload shape. Consider comment sequences too, like --.
  • Some inputs may require closing quotes.

Expected approach

  • Username: admin
  • Password: ' OR '1'='1 (or a variant such as ' OR 1=1--)

Upon success, the app should treat you as authenticated and reveal something like flag{basic_sqli_bypass}.

Solution

  • The query becomes:
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1';
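  • AND binds more tightly than OR, so the condition is evaluated as (username = 'admin' AND password = '') OR '1'='1'. Because '1'='1' is true for all rows, authentication succeeds.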
  • Navigate to the admin dashboard to read the flag.
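
The query from the scenario next to its fix, as an added example that is not part of the challenge's own code: the same login check built by string concatenation and with bound parameters, run against the payloads from the Expected approach section. The SQLite in-memory table, its sample rows and the function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the challenge's users table.
    # Plaintext passwords only mirror the page's query; real systems store hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret-admin-pw"), ("guest", "guest")],
    )
    return db


def login_vulnerable(db, user, pw):
    # Same shape as the page's query: input is pasted into the SQL text,
    # so a quote in the input ends the string literal and becomes syntax.
    sql = (
        "SELECT * FROM users WHERE username = '%s' AND password = '%s'"
        % (user, pw)
    )
    return db.execute(sql).fetchall()


def login_parameterized(db, user, pw):
    # Placeholders send the input as bound values; the statement's structure
    # is fixed before any input is seen, so quotes stay ordinary characters.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (user, pw)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for pw in ("' OR '1'='1", "' OR 1=1--", "s3cret-admin-pw", "wrong"):
        vuln = len(login_vulnerable(db, "admin", pw))
        safe = len(login_parameterized(db, "admin", pw))
        print(f"password={pw!r:22} vulnerable rows={vuln} parameterized rows={safe}")
```

With the concatenated query both payloads return every row in the table; with bound parameters they return none, and only the real password matches.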