Description
There is a new [Irish-Name-Repo](http://link) website. Can you log in as admin?
Solution
Walk me through it- Step 1Identify the login formNavigate to the challenge URL. There is a login form asking for username and password. Try submitting a SQL injection payload as the username.
Learn more
SQL injection occurs when user-supplied input is embedded directly into a SQL query without proper sanitization. A classic login query looks like:
SELECT * FROM users WHERE username='INPUT' AND password='PASS'.If INPUT is controlled by the attacker, inserting a single quote can break out of the string literal and change the query's logic.
- Step 2Use a SQL injection bypass payloadEnter
admin'--as the username and anything as the password. The double dash comments out the rest of the SQL query, so the password check is skipped entirely.Learn more
The payload
admin'--transforms the query into:SELECT * FROM users WHERE username='admin'--' AND password='...'. Everything after--is a comment in SQL, so the password condition is never evaluated.Alternatively,
' OR 1=1--makes the WHERE clause always true, returning all rows and logging you in as the first user in the database (often admin).Modern applications prevent this with parameterized queries (prepared statements), which treat user input purely as data, never as SQL syntax.
- Step 3Retrieve the flagAfter successful login, the page displays the flag. Copy it.
Learn more
SQL injection has been in the OWASP Top 10 most critical web security risks for over a decade. Despite being well-understood, it remains common because developers sometimes build queries with string concatenation rather than parameterization.
Flag
picoCTF{...}
Use `admin'--` as the username to comment out the password check in the SQL query.