Hi everyone, recently I tried Red Tiger Hackit level 2. It is a simple SQL injection authentication bypass. I kept trying to inject SQL in the username field, and I kept failing. At one point I had enough, so I captured the POST request and used it with sqlmap. It turns out sqlmap told me that the username input field is non-injectable but the password field is! Does anyone have an idea how this happens?
Success payload:
username=blue&password=1' or 'a'='a&login=Login
Fail payload:
username=1' or 'a'='a&password=blue&login=Login