The lab at this level includes login functionality. Therefore, in order to complete the lab, we must circumvent the login functionality by utilising SQL Injection techniques.

So As you can see in Below Screenshot the there is a login page and as you can see in the Hint that there is a “Condition” So from this we can conclude that the Condition for checking is differently executed.

So let’s try to log in with random credentials

As you can see above I have entered the random credentials as we can see in the response it is displaying “Login incorrect!”

So now I am entering let’s try Entering General payload from that we start testing the filter

So payload would be

A’ or 1=1– -

Due to our belief that all conditions following the username condition will be commented, let’s enter the aforementioned payload into the username field and random characters into the password field.

Let’s try that, then.

However, after entering that, it is responding as stated above.

Therefore, let’s try entering the aforementioned payload in both fields.

We receive the message “Some things are disabled!” after entering the aforementioned payload in the response.

We can infer from the above response that something is being blocked from our payload.

So let’s attempt to alter the payload in order to avoid the WAF(Web Application Firewalll).

Let’s substitute “#” for the comment “– -” so that the payload would be

A” OR 1=1-- -

Let’s Execute the Payload in Both field

As you can see, we have the key to the subsequent level.

Thank you I hope you got to learn something out of it.