SQL Injection — Login Bypass

Easy · Injection · A03:2021 · 20 min

Flag submissions require login via tc_sso. Reading instructions does not.

Scenario

You are testing a freshly-built admin portal for AcmeCorp. Their developer wrote the login query as a single concatenated SQL string. You don't have a valid password — but you don't need one.

Objective

Log in as the admin user acme_admin without knowing the password. When you reach the post-login dashboard, copy the flag string and paste it into the Submit Flag box below.

The flag has the shape TC{sqli_…}.

Primer — why this works

If the back-end builds the query like:

SELECT * FROM users
 WHERE username = 'acme_admin'
   AND password = '<your input>'

…and you set the password field to:

' OR '1'='1

…the resulting query becomes:

SELECT * FROM users
 WHERE username = 'acme_admin'
   AND password = '' OR '1'='1'

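'1'='1' is always true. Because AND binds more tightly than OR, the condition is read as (username = 'acme_admin' AND password = '') OR '1'='1', so the WHERE clause is true for every row and the database returns the admin row regardless of password.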
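
The primer's query run against an in-memory SQLite database, next to the parameterized form that keeps the input as data. This is an added example, not the lab's back-end code; the table layout, the stored passwords and the function names are assumptions.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"  # the password value shown in the primer


def make_db():
    # Constructed sample data. Plaintext passwords only mirror the primer's
    # query; a real application stores and compares password hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("acme_admin", "sample-admin-pw"), ("bob", "sample-bob-pw")],
    )
    return db


def login_concat(db, username, password):
    # Vulnerable: the input becomes part of the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in db.execute(sql).fetchall()]


def login_param(db, username, password):
    # Hardened: the statement is fixed and the values are bound separately,
    # so the payload is compared as a literal password and matches nothing.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    # AND binds tighter than OR, so the concatenated query matches every row.
    print("concatenated :", login_concat(db, "acme_admin", PAYLOAD))
    print("parameterized:", login_param(db, "acme_admin", PAYLOAD))
    print("real password:", login_param(db, "acme_admin", "sample-admin-pw"))
```

The concatenated version returns every user, not only acme_admin, which is why code that takes the first returned row ends up treating the session as authenticated.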

Steps

  1. Open the lab in the right pane.
  2. Enter username acme_admin.
  3. Enter a password that closes the SQL string and forces the boolean to TRUE.
  4. Click Login.
  5. On the dashboard page, find the displayed flag and paste it below.

Acceptance

  • You log in without using the real password (hunter2 — don't use this; the lesson is to bypass the check, not guess it).
  • You read the flag from the post-login page.
  • The flag you submit matches the canonical SHA-256 the server holds.

Out of scope (deliberately)

  • Time-based / blind SQLi → see SQLi — Blind.
  • UNION-based dump → covered in SQLi — Schema Discovery (week 3).
  • WAF bypass → out of scope for v1.

Hints

Hint 1 (−10 pts)

The password field is concatenated directly into a SQL string. You need to break out of the quoted literal and append a boolean expression that is always true.

Hint 2 (−10 pts)

Try a payload that contains a single quote (to close the password literal), then an OR clause, then another expression that is trivially true. Example shape: `' OR '1'='1`.

Hint 3 (−10 pts)

Exact payload: username `acme_admin`, password `' OR '1'='1` (note: no closing quote — the application appends one for you). If your payload comments out the trailing quote with `--`, that works too.

Lab environment · sandboxed iframe · auto-resets every 60 min