Secure Legion Labs
Injection Lab
This room is a real login-bypass lab. You get only a username and password panel, and the SQLi challenge grows from basic to advanced through several stages of broken query handling.
The stage buttons below switch the backend behavior. Basic accepts classic payloads. Later stages add weak defenses that still fail, each in a different way.
No matter the stage, the root problem stays the same: the application is still building SQL from raw input instead of parameterizing the query. The filters only change what the attacker has to adapt around.
The authentication query the backend builds from the two fields:

SELECT * FROM users WHERE username = '' AND password = ''

Use only the username and password fields. The stage logic changes behind the scenes, but the front-end stays like a normal login page.
The backend returns whichever account the broken SQL logic resolves to. Your target in every stage is unauthorized admin access through injection, not a normal credential match.
The flag appears after all SQLi stages are completed successfully.
Submit the unlocked flag to complete the SQL injection lab.
The backend accepts a username and password from the login panel.
The application still concatenates raw values into the authentication query.
A crafted payload changes the authentication condition so the admin account is returned without the real password.
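As an added illustration, not the lab's own backend code, here is a small Python/SQLite model of the three behaviors the hints describe: the basic stage that concatenates raw input, a hypothetical weak-filter stage that strips SQL comment tokens (an assumption about what a later stage might do, not the lab's actual filter), and the parameterized query that removes the root problem. The table layout, account names and passwords are constructed for the example. The query uses SELECT username instead of the page's SELECT * only so the returned value is easy to read.

```python
import sqlite3

# Constructed sample accounts for this added example; the lab's real data is not known.
# Plaintext passwords are a simplification so the query shapes stay readable.
SAMPLE_USERS = [
    ("admin", "hunter2-admin"),
    ("alice", "alice-pw"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the lab backend's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_basic(conn: sqlite3.Connection, username: str, password: str):
    """Basic stage: raw input concatenated into the query, as the lab describes.

    Returns the username the query resolves to, or None when no row matches
    (or when the injected text breaks the statement, which a real app would
    surface as an error page rather than a login).
    """
    query = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def strip_comment_tokens(value: str) -> str:
    """Hypothetical weak-defense stage (assumed for this example, not the lab's
    actual filter): deletes SQL comment tokens so admin'-- no longer works."""
    for token in ("--", "/*", "*/"):
        value = value.replace(token, "")
    return value


def login_filtered(conn: sqlite3.Connection, username: str, password: str):
    """Weak-filter stage: still concatenates, so it falls to a different payload."""
    return login_basic(
        conn, strip_comment_tokens(username), strip_comment_tokens(password)
    )


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """The fix: placeholders send input as data, so quotes and comments are inert."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Basic stage: admin'-- closes the string and comments out the password check.
    print("basic    admin'--       ->", login_basic(db, "admin'--", "wrong"))
    # Filtered stage: the comment payload is mangled into a syntax error...
    print("filtered admin'--       ->", login_filtered(db, "admin'--", "wrong"))
    # ...but an OR clause in the password field needs no comment token at all.
    print("filtered ' OR username  ->", login_filtered(db, "admin", "' OR username = 'admin"))
    # Parameterized: every payload is just a string that matches no row.
    print("param    admin'--       ->", login_parameterized(db, "admin'--", "wrong"))
    print("param    ' OR username  ->", login_parameterized(db, "admin", "' OR username = 'admin"))
    print("param    real password  ->", login_parameterized(db, "admin", "hunter2-admin"))
```

The first payload works because SQLite treats everything after -- to the end of the line as a comment, so the password comparison never runs. Once the filter strips that token, the concatenated query is still there to abuse: the second payload produces `... AND password = '' OR username = 'admin'`, and since AND binds tighter than OR, the row for admin is returned without any comment syntax. Only the parameterized version is indifferent to what the attacker types.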