Unconditionally secure communication, which has been pursued for thousands of years hasn't, however, yet been reached due to a continuous competition between encryption and hacking. Quantum key distribution (QKD), harnessing the quantum mechanical nature of superposition and noncloning, may promise unconditional security by incorporating the one-time pad algorithm rigorously proved by Claude Shannon. Massive efforts have been made in building practical and commercial QKD systems; in particular, decoy states have been employed to detect photon-number splitting attacks against a single-photon source loophole, and measurement-device-independent (MDI) QKD has further closed all loopholes on the detection side, which leads to a seemingly real-life application. Here, we propose and experimentally demonstrate a MDI-QKD hacking strategy on the trusted-source assumption by using an injection-locking technique. An eaves-dropper (Eve) injects near off-resonance photons with randomly chosen polarization into a sender's laser, where injection locking in a shifted frequency can happen only when Eve's choice matches the sender's state. By setting a shifted window and switching the frequency of photons back afterwards, Eve in principle can obtain all the keys without terminating the real-time QKD. We observe the dynamics of a semiconductor laser with injected photons, and obtain a hacking success rate reaching 60.0 % of raw keys. Our results suggest that the spear-and-shield competition of unconditional security may continue until all potential loopholes are discovered and closed ultimately.