## `careers.inlanefreight.local`

- visit page
  ![[images/Pasted image 20260628153252.png]]
- looks like I can register an account
  ![[images/Pasted image 20260628153306.png]]
- when I go to log in as the newly registered test user I see a potential IDOR or SQLi
  ![[images/Pasted image 20260628153359.png]]
- try `?id=1-8`
- james, harry, tom, htb-student, jerry, james, john, john > add to `users.txt`
- run `sqlmap`
  ```bash
  # URL is quoted so the shell does not treat ? and * as glob characters;
  # the trailing * marks the id value as sqlmap's injection point
  sqlmap -u "http://careers.inlanefreight.local/profile?id=9*" --batch --level=5 --risk=3
  ```
- not injectable
  ![[images/Pasted image 20260628202216.png]]