Appointment introduces SQL Injection (SQLi) — the #3 vulnerability in the OWASP Top 10 and one of the most impactful web application flaws ever discovered. When user input is inserted directly into a SQL query without sanitisation, an attacker can manipulate the query logic to bypass authentication, extract data, or in some configurations achieve remote code execution. This machine focuses on authentication bypass via a classic login form injection.
| Skill | Why it matters |
|---|---|
| Web application recon | Identifying the tech stack before probing inputs |
| SQL injection fundamentals | Understanding why unsanitised input breaks query logic |
| Authentication bypass via SQLi | Logging into any account without knowing the password |
| Comment syntax across databases | -- vs # vs /* */ — each SQL dialect has its own comment characters |
Apache is listening on port 80. Browse to the IP and you're presented with a login form. The stack is Apache + PHP — a classic combination where SQL injection vulnerabilities were historically rampant.
Directory enumeration may reveal login.php and other endpoints. For this machine the login form at the root is the target.
A typical login query in PHP looks like this:
When you submit admin as the username, the resulting query is:
But if you submit admin'# as the username, the query becomes:
The # character begins a comment in MySQL — everything after it is ignored. The password check is completely removed. The query returns the admin user and the login succeeds.
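To make the mechanism concrete, here is an added example (not code from the machine or from the original writeup) that builds both query styles in Python against an in-memory SQLite table; the table, column names and credentials are constructed assumptions. SQLite understands -- comments but not #, so one run also shows the dialect point: admin'-- - slips past the concatenated query, admin'# produces a SQL error instead of a login, and neither input gets past the parameterised version, which is the fix named in the takeaways table at the end of the page.

```python
import sqlite3

# Constructed in-memory stand-in for the machine's user table. The schema,
# column names and credentials are assumptions; the page does not show them.
# Real applications store password hashes, not plaintext; plaintext is used
# here only to keep the query shape identical to the one described above.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cretPass!"), ("guest", "guest")],
    )
    return conn


def build_vulnerable_query(username, password):
    # The pattern the page describes: user input spliced straight into the SQL text.
    return (
        f"SELECT username FROM users WHERE username='{username}' "
        f"AND password='{password}'"
    )


def login_vulnerable(conn, username, password):
    # Returns the matched username, or None when no row matches.
    # Raises sqlite3.OperationalError when the input breaks the SQL syntax.
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    # Placeholders send the values separately from the SQL text, so a quote or
    # comment marker inside the input is compared as data, never parsed as syntax.
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def run_demo(password="wrong"):
    # Try each username against both implementations with a wrong password and
    # collect what each one returns (or the SQL error it raises).
    conn = make_db()
    results = {}
    for username in ("admin", "admin'-- -", "admin'#"):
        try:
            results[("vulnerable", username)] = login_vulnerable(conn, username, password)
        except sqlite3.OperationalError as exc:
            results[("vulnerable", username)] = f"error: {exc}"
        results[("parameterised", username)] = login_parameterised(conn, username, password)
    return results


if __name__ == "__main__":
    for (impl, username), outcome in run_demo().items():
        print(f"{impl:13s} {username!r:14} -> {outcome}")
```

The error raised for admin'# is the same kind of signal the takeaways table calls out: a single quote that breaks the query is the cheapest indicator that input is reaching the database unescaped, and with the parameterised query there is no such error because the quote never reaches the parser.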
MySQL uses # or -- (with a trailing space). PostgreSQL and MSSQL use --. Oracle uses --. All support /* */ block comments.

In the login form, enter the following payload as the username. Enter anything in the password field; it will be ignored.
Login succeeds. The flag is displayed on the authenticated dashboard.
If the admin'# payload doesn't work, try admin'-- - (double dash, space, dash): -- is the ANSI-standard SQL comment syntax and works across all databases, and the trailing dash keeps the required space after -- from being stripped.

| Payload | Effect | DB |
|---|---|---|
| admin'# | Comments out password check | MySQL |
| admin'-- - | Comments out password check | All |
| ' OR '1'='1 | Always-true condition | All |
| ' OR 1=1-- - | Always-true, comments rest | All |
| admin' OR '1'='1'# | Matches any user with always-true | MySQL |
| ' OR 'x'='x | Classic always-true bypass | All |
| ') OR ('1'='1 | Parenthesis variant for complex queries | All |
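From the defender's side, the payloads in the table share a few textual markers that are easy to flag. The following is an added example, not part of the original writeup, that parses Apache combined-format access log lines (the sample lines, IPs and timestamps are constructed) and flags query strings carrying a quote-plus-comment marker or an always-true comparison. The pattern labels are this example's own. It only sees parameters in the URL: if the login form posts its fields, the body never reaches the access log, and the same patterns need a request-body source such as a WAF or application-level audit log.

```python
import re
from urllib.parse import unquote_plus

# Markers drawn from the payload table above. Labels are this example's own.
SQLI_PATTERNS = [
    ("quote-then-comment", re.compile(r"'\s*(--|#|/\*)")),                 # admin'#  admin'-- -
    ("quoted-tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I)),   # ' OR '1'='1
    ("numeric-tautology", re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I)),      # ' OR 1=1-- -
]

# Apache combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines; the IPs, timestamps and paths are made up for this
# example, and the 302s stand in for a successful login redirect.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login.php?username=admin&password=pw HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login.php?username=admin%27%23&password=x HTTP/1.1" 302 0
10.10.14.9 - - [01/Jan/2024:10:00:02 +0000] "GET /login.php?username=%27+OR+%271%27%3D%271&password=x HTTP/1.1" 302 0
10.10.14.7 - - [01/Jan/2024:10:00:03 +0000] "GET /about.php HTTP/1.1" 200 1024
10.10.14.9 - - [01/Jan/2024:10:00:04 +0000] "GET /login.php?username=%27+OR+1%3D1--+-&password=x HTTP/1.1" 302 0
"""


def flag_request(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding and '+' so the patterns see what the database saw.
    path = unquote_plus(m.group("path"))
    hits = [label for label, pat in SQLI_PATTERNS if pat.search(path)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "path": path,
        "status": int(m.group("status")),
        "hits": hits,
    }


def scan(log_text):
    """Flag every suspicious request in a block of log text, in file order."""
    findings = []
    for line in log_text.splitlines():
        finding = flag_request(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:12} {f['status']}  {', '.join(f['hits']):20} {f['path']}")
```

Decoding before matching matters: admin'# arrives as admin%27%23 and would pass a check run on the raw line. Correlating a flagged request with the status code separates attempts from bypasses; a flagged login that is followed by the application's success response is the one that needs an incident ticket, not just a WAF counter.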
| Technique | What it enables |
|---|---|
| UNION-based injection | Extract data from other tables — usernames, password hashes, emails |
| Error-based injection | Retrieve data via crafted error messages when output isn't directly shown |
| Blind boolean injection | Infer data byte-by-byte when there's no visible output |
| Time-based blind injection | Use SLEEP() to infer data when there's no output and no errors |
| INTO OUTFILE (MySQL) | Write arbitrary files to the filesystem — webshell upload |
| xp_cmdshell (MSSQL) | Execute OS commands directly from SQL — full RCE |
SQL injection has been in the OWASP Top 10 since its inception. Despite decades of awareness, it remains one of the most commonly found vulnerabilities in web application assessments.
| Concept | Real-world relevance |
|---|---|
| Always try manual SQLi first | A single quote in a form field is still the fastest way to detect injection before reaching for sqlmap |
| Auth bypass is instant critical | Logging in as admin with no password has an obvious and immediate business impact |
| Parameterised queries prevent SQLi | Prepared statements completely eliminate injection — the fix is well-understood and has no performance cost |
| SQLi → RCE is possible | In the right database configuration, SQL injection can escalate to full OS command execution |
