
HTB Starting Point — Appointment
Box info
OS: Linux Debian 10 (Apache/2.4.38)
Difficulty: Very Easy
Tier: 1
Status: Starting Point
Skills: SQL injection, authentication bypass, blind SQLi, sqlmap
Pwned: 2026-04-28

TL;DR
Appointment is a Tier 1 web box running Apache 2.4.38 on Debian 10 with a PHP login form backed by MariaDB. The username POST parameter is interpolated directly into a SQL query with no sanitization. The classic ' OR '1'='1' -- - payload bypasses authentication, and the flag appears in the HTTP response. Going deeper with sqlmap confirms boolean-based blind injection, extracts the appdb database schema, and dumps two user records, including a plaintext password for a test user. The lesson: unsanitized SQL interpolation in authentication queries is still widespread, and it can be exploited by any attacker who knows three characters: ', --, and 1. ...
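As an added illustration, not code from the box or the writeup, here is the interpolation bug beside its parameterized fix. An in-memory SQLite table with constructed rows stands in for the box's MariaDB appdb; the table and column names are assumptions.

```python
import sqlite3

# Constructed stand-in for appdb: two users, plaintext passwords, as the writeup's dump suggests.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES "
                "('admin', 'correct-horse'), ('test', 'test123')")
    con.commit()
    return con

def login_vulnerable(con, username, password):
    """Mirrors the box's bug: request values pasted straight into the SQL string.
    The payload turns the WHERE clause into  username='' OR '1'='1' -- ...  so the
    password check is commented out and the first row (admin) is returned."""
    query = (f"SELECT id, username FROM users "
             f"WHERE username='{username}' AND password='{password}'")
    row = con.execute(query).fetchone()
    return row[1] if row else None

def login_safe(con, username, password):
    """Hardened form: bound parameters, so the input is always data, never SQL.
    The same payload is just a username nobody has, and the lookup fails."""
    query = "SELECT id, username FROM users WHERE username=? AND password=?"
    row = con.execute(query, (username, password)).fetchone()
    return row[1] if row else None

# The payload from the writeup, sent as the username field.
PAYLOAD = "' OR '1'='1' -- -"

def demo():
    con = make_db()
    return {
        "vuln_bypass": login_vulnerable(con, PAYLOAD, "anything"),  # "admin": auth bypassed
        "safe_bypass": login_safe(con, PAYLOAD, "anything"),        # None: payload is inert
        "safe_valid": login_safe(con, "test", "test123"),           # "test": normal login works
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A review rule of thumb that follows from this: any query built with string formatting from request data is the vulnerable form, whatever escaping is layered on top; the fix is placeholders, not filtering of quotes or dashes.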