Missing flag for the exercise in SQL Injection Fundamentals module's "Subverting Query Logic" section

Hi,

I’m going through the SQL Injection Fundamentals module and I am unable to obtain the flag for the exercise in the “Subverting Query Logic” section despite performing a successful bypass. There’s no flag on the page:

Page Source
<!DOCTYPE html>
<html lang="en">

<head>
  <meta charset="utf8">
  <title>Inlanefreight</title>
  <link rel="stylesheet" href="./style.css">

</head>

<body>
  <!-- partial:index.partial.html -->
  <hgroup>
    <h1>Admin panel</h1>
    <h3>
      Executing query: SELECT * FROM logins WHERE username='tom' AND password = 'admin' or '1'='1';<br /><br /><font color="green">Login successful as user: admin</font><br /><br />Click <a href='/'>here</a> to try again      <!-- partial -->
      <script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
      <script src="./script.js"></script>

</body>

</html>

Maybe it’s a bug? Not sure what to do at this point so I’m posting here.

I think I found the bug, the section wants me to login as tom but the page says that I logged in as admin (even though username = 'tom').

The exercise in the next section works fine and doesn’t have this bug.

It’s actually a bug in my payload, not the application itself! Should’ve scrutinized it more closely but for some reason I thought the exercise itself got broken somehow, LOL.

Thanks to Ryan from the support team who gave a detailed explanation:

Hi there, I’m Ryan.

This is not a bug. This is exactly what is expected to happen.

You entering the username as tom does not mean you will be logged in as tom. This is an expected consequence of the query logic.

SELECT * FROM logins (WHERE username='tom' AND password = 'admin') OR '1'='1' is the query that got run. There are no cases where the username is tom and the password is admin, so this WHERE always fails. However, the OR 1=1 matches on the very first row (which is the admin account), and thus you are logged in as admin.

2 Likes
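Ryan's explanation above, reproduced as an added example (not code from the thread or the module): the logged query is run against a constructed `logins` table, the WHERE clause is evaluated per row with explicit grouping, and the same input is sent through a parameterized query for comparison. The column layout, the passwords, the row order (admin first, as Ryan describes) and the use of SQLite are assumptions.

```python
import sqlite3

def make_db():
    """Constructed sample data; admin is the first row, as described in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO logins (username, password) VALUES (?, ?)",
        [("admin", "constructed-admin-pw"), ("tom", "constructed-tom-pw")],
    )
    return db

def login_concatenated(db, username, password):
    """Vulnerable pattern: user input is pasted into the SQL text."""
    query = ("SELECT * FROM logins WHERE username='%s' AND password = '%s';"
             % (username, password))
    rows = db.execute(query).fetchall()
    return query, [row[1] for row in rows]  # usernames of every matching row

def explain_grouping(db):
    """Per row: the AND part alone, then the whole WHERE with explicit parentheses."""
    return db.execute(
        "SELECT username,"
        " (username='tom' AND password='admin') AS and_part,"
        " ((username='tom' AND password='admin') OR '1'='1') AS whole_where"
        " FROM logins ORDER BY id"
    ).fetchall()

def login_parameterized(db, username, password):
    """Hardened pattern: values are bound, so a quote in the input stays data."""
    rows = db.execute(
        "SELECT * FROM logins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [row[1] for row in rows]

if __name__ == "__main__":
    db = make_db()
    submitted = "admin' or '1'='1"  # password field value visible in the logged query
    query, users = login_concatenated(db, "tom", submitted)
    print(query)
    print("rows matched:", users, "-> application reports the first one")
    for name, and_part, whole in explain_grouping(db):
        print(f"{name}: AND part={and_part}, whole WHERE={whole}")
    print("parameterized:", login_parameterized(db, "tom", submitted))
```

AND binds more tightly than OR, so the AND part is false for every row while the whole WHERE is true for every row; an application that reports the first returned row therefore shows admin.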

This is not a bug, it’s just that when the symbol ' is added at the beginning, it treats it as a string. To fix this, the starting and ending ' symbols need to be removed.

1 Like