## `careers.inlanefreight.local`
- visit page ![[images/Pasted image 20260628153252.png]]
- looks like I can register an account ![[images/Pasted image 20260628153306.png]]
- when I log in as the newly registered test user, I see a potential IDOR or SQLi ![[images/Pasted image 20260628153359.png]]
- try `?id=1` through `?id=8`
- usernames returned: james, harry, tom, htb-student, jerry, james, john, john > add to `users.txt`
- run `sqlmap`
```bash
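# Quote the URL so the shell does not treat ? and * as glob characters;
# the trailing * marks the injection point for sqlmap.
sqlmap -u "http://careers.inlanefreight.local/profile?id=9*" --batch --level=5 --risk=3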
```
- not injectable ![[images/Pasted image 20260628202216.png]]
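
The `?id=` walk above is visible server-side as one client reading many different profile ids in a short span. This is an added example, not part of the original notes, that flags that pattern in an access log. It assumes combined log format, the `/profile` path, and client IP as the grouping key; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample log: IPs, timestamps and sizes are made up for this example.
_FMT = '%s - - [28/Jun/2026:15:%s +0000] "GET /profile?id=%d HTTP/1.1" 200 1800'
SAMPLE_LOG = "\n".join(
    [_FMT % ("198.51.100.20", "30:00", 3), _FMT % ("198.51.100.20", "31:00", 3),
     _FMT % ("203.0.113.7", "34:00", 9)]
    + [_FMT % ("203.0.113.7", "34:%02d" % (i * 5), i) for i in range(1, 9)]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" (\d{3}) ')

def parse_profile_hit(line):
    """Return (client, time, profile_id, status) for a /profile?id=N request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, target, status = m.groups()
    url = urlsplit(target)
    ids = parse_qs(url.query).get("id", [])
    if url.path != "/profile" or len(ids) != 1 or not ids[0].isdecimal():
        return None
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return client, when, int(ids[0]), int(status)

def find_id_enumeration(log_text, min_distinct=5, window=timedelta(minutes=5)):
    """Map each client to the profile ids it read, if it got >= min_distinct
    different ids back with HTTP 200 inside one sliding time window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_profile_hit(line)
        if rec and rec[3] == 200:
            hits[rec[0]].append((rec[1], rec[2]))
    flagged = defaultdict(set)
    for client, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # shrink the window from the left
            distinct = {pid for _, pid in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[client] |= distinct
    return {client: sorted(ids) for client, ids in flagged.items()}

if __name__ == "__main__":
    print(find_id_enumeration(SAMPLE_LOG))
```

Grouping by session or authenticated user id instead of IP gives a cleaner signal where the application logs it.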