An attempt on SQL injection

I've been trying to get into a box on @PracticalPentestLab using SQL injection. When you are trying SQL injection, you need to think about the statement you are injecting into. On basic forms, there is a username and a password field awaiting user input. On the simpler CTFs, the statement that takes this info from the user doesn't use what are called prepared statements, where the username or password field (or any other user-supplied data) is not trusted by the database as part of the query. This means those forms are vulnerable to SQL injection.

In the past, I've been able to use a simple syntax like (' or 1=1--) in the username field right after any legitimate username (I typically try admin first), and for simple CTFs this is enough. For this particular box, I've tried (admin' or 1=1#) or (admin' or 1=1*/), because some database languages use # or */ in addition to -- for commenting out the rest of the line. None of these worked, and there are variations to try as well, such as (admin' or '1'='1--) or (admin' or '1'='1'). These are simple payloads that shouldn't work in real life but do work on the easier CTFs and labs, as an example of how the attack is supposed to work.
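To make the difference between a concatenated query and a prepared statement concrete, here is an added example (not code from the post or from the lab) that builds a throwaway SQLite login table and runs the same payloads quoted above against both styles of query. The user table, the password value and the helper names are constructed for this example. It also shows why dialect matters: SQLite does not treat # as a comment marker the way MySQL does, so that variant fails with a syntax error rather than a bypass, which is one reason a payload that works on one lab can fail on another.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user, in memory, nothing from a real lab box."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'correct-horse-battery-staple')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login built by string concatenation, the pattern the simpler CTF apps use.
    The database cannot tell where the user's data ends and the SQL begins."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, username, password):
    """Same query as a prepared (parameterized) statement. The SQL text and the
    values travel separately, so a quote in the input is only a character in
    the string being compared, never part of the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def attempt(conn, login, username, password="wrong-password"):
    """Run one login attempt and report the outcome instead of raising:
    the matched username, None for a clean rejection, or 'syntax error'
    when this SQL dialect did not accept the statement at all."""
    try:
        return login(conn, username, password)
    except sqlite3.Error:
        return "syntax error"


if __name__ == "__main__":
    db = make_db()
    for user in ["admin", "admin' or 1=1--", "admin' or '1'='1", "admin' or 1=1#"]:
        print(
            f"{user!r:22} vulnerable={attempt(db, login_vulnerable, user)!r:16} "
            f"prepared={attempt(db, login_prepared, user)!r}"
        )
```

Running it prints one line per payload: the concatenated query lets the -- and '1'='1 variants log in as admin with a wrong password, the # variant is rejected by SQLite as a syntax error, and the prepared statement returns None for every injected value because the whole input is compared as a literal username.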

My favorite source of info on SQL injection is Computerphile on YouTube. Search for Computerphile and SQL injection and you'll find Tom's video; it's a great basic explanation of what SQL injection is.
