I Bypassed a Company Login Without Knowing Any Password — My First SQL Injection Story

medium.com · Blessing · 2 days ago · research
How a simple trick in a practice lab showed me why so many login pages can be dangerous… and how I did it with just my browser. A beginner-friendly breakdown for fellow beginners coming up in cybersecurity.

Blessing · ~5 min read · April 3, 2026 (Updated: April 3, 2026)

The Story

Imagine you reach the gate of a big company in your city, but instead of showing your ID card, you just whisper one magic sentence, and the security man opens the gate wide for you — no questions asked.

That's basically what happened in my Day 12 hands-on lab. I was practicing on this employee portal called CorpPortal. It looked like a normal company login page where workers are supposed to enter their username and password. Normal people would think "if you don't know the correct password, you can't enter." But I discovered something scary: I entered the login page without any real password and still got inside.

Let me tell you exactly how it happened, step by step, in a way even my neighbor who isn't tech savvy can understand.

First, I Checked How the Normal Login Works

I opened the login page on my Parrot OS (my hacking laptop). I typed a correct username and password (the ones the lab gave me). Boom! The page welcomed me as an "employee" and took me to the dashboard.

Then I tried wrong details on purpose. The site simply said, "Invalid login" and nothing else. That's how every secure login is supposed to behave, right?

Screenshot #1 — Login page with valid credentials entered
Screenshot #2 — Dashboard after successful normal login

Then I Looked Behind the Scenes

I pressed F12 on my keyboard to open the browser's "developer tools" (like peeping behind the curtain of a website). I went to the Network tab and logged in again while watching what my browser was sending to the server. I saw that the username and password were being sent plainly through something called a "POST request." Nothing fancy yet.

Screenshot #3 — DevTools Network Payload tab showing username and password fields sent via POST

The Moment I Suspected Trouble

I decided to test something naughty. Instead of a normal username, I typed this in the username box:

    ' OR '1'='1

And I put any random thing in the password box. Immediately, the site threw an error — "Internal Server Error" (that 500 error).

Why did it break? Because that single quote (') I added confused the computer's database query. It was like I interrupted the sentence the app was trying to say to the database. This error told me: "This login form is not protecting itself properly." That's the first red flag for SQL Injection.

Screenshot #4 — Test string entered in username field and the resulting 500 Internal Server Error

Then Came the Real Magic — Authentication Bypass

Now I refined the trick. I put this in the username field:

    ' OR '1'='1

And in the password field, I typed anything (even "pass123" which may not be correct).

Guess what happened? The site accepted it and took me straight to the employee dashboard! It showed "Welcome employee — Your role: employee" just like when I used correct credentials. I didn't know any real password. I didn't guess anything. I just used that small payload and the login door opened by itself.

Screenshot #5 — DevTools Payload tab showing bypass payload sent, dashboard access granted
Screenshot #6 — Dashboard showing: Welcome employee — Your role: employee

So, What Actually Happened? (Simple Explanation)

Think of the login system like this: The app was asking the database: "Find me a user where username is [whatever I typed] AND password is [whatever I typed]."

When I injected ' OR '1'='1, I changed the question to something like: "Find me a user where username is [nothing] OR 1 equals 1 (which is always true)…"

Because "1 equals 1" is always true, the database just returned the first employee it found and said "Yes, this person can come in." The app never properly checked the password anymore. That's SQL Injection in simple terms — I tricked the database by talking its own language inside the login box.

Why This Is a Big Deal (Impact)

Anyone on the internet who finds this kind of login page can log in without knowing passwords. They can see employee data, maybe change things, or even escalate to admin if the app allows it. No special hacking tools needed — just a normal browser. This is why it's rated HIGH severity.

What Should the Developers Do? (My Recommendations)

Here are simple fixes that would have stopped me:

- Use Parameterized Queries (the most important one): treat user input like data, not like part of the instruction. This is like separating the ingredients from the cooking recipe.
- Never join (concatenate) user input directly into SQL statements.
- Use modern tools like SQLAlchemy (an ORM), which protects you automatically.
- Add rate limiting — e.g., lock the account after a few wrong attempts so people can't keep testing tricks.
- Log suspicious inputs (like those with single quotes or SQL words) and get alerted.

My Takeaways as a Beginner

This lab taught me that even small mistakes in how you write code can open big doors for attackers. As someone still learning, it felt good to see the theory work in practice. There were moments I got stuck (especially when the 500 error first appeared), but I kept trying different payloads until it clicked.

If you're a beginner like me, don't be afraid to break things in safe labs like this. Every error is a lesson. The grind continues!

#EthicalHacking #SQLInjection #Cybersecurity #BugBounty #CTFWriteup #PenetrationTesting #LearnHacking
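The concatenation flaw and the parameterized-query fix recommended above, side by side, as an added example that is not the lab's or the author's code. The post does not show CorpPortal's real query, so the table, the stored password, the function names and the query shape are assumptions; the username condition is placed last here so that the post's payload makes the whole WHERE clause true.

```python
import sqlite3

def make_db():
    # Constructed lab table. Real apps store salted password hashes, not plaintext.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('employee', 'S3cret-lab-pw', 'employee')")
    return db

def login_concatenated(db, username, password):
    # Vulnerable: input is pasted into the SQL text, so a quote in it becomes SQL syntax.
    sql = ("SELECT username, role FROM users WHERE password = '" + password
           + "' AND username = '" + username + "'")
    return db.execute(sql).fetchone()

def login_parameterized(db, username, password):
    # Fixed: the SQL text never changes; input is bound to the ? placeholders as plain values.
    sql = "SELECT username, role FROM users WHERE password = ? AND username = ?"
    return db.execute(sql, (password, username)).fetchone()

def outcome(login, db, username, password):
    # Map the database result to what the login page would show.
    try:
        row = login(db, username, password)
    except sqlite3.Error:
        return "500 Internal Server Error"   # broken SQL reaches the user as a server error
    return f"Welcome {row[0]}, role: {row[1]}" if row else "Invalid login"

ATTEMPTS = [  # constructed inputs that follow the steps in the post
    ("employee", "S3cret-lab-pw"),   # valid (constructed) lab credentials
    ("employee", "wrong"),           # wrong password
    ("'", "anything"),               # stray single quote
    ("' OR '1'='1", "pass123"),      # the payload quoted in the post
]

if __name__ == "__main__":
    db = make_db()
    for user, pw in ATTEMPTS:
        print(repr(user).ljust(16),
              "| concatenated:", outcome(login_concatenated, db, user, pw).ljust(32),
              "| parameterized:", outcome(login_parameterized, db, user, pw))
```

With the parameterized version the quote and the payload are compared as literal usernames, so both end in "Invalid login" instead of an error or a session.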