Liujianview Gymxmjpa SQL Injection Vulnerability in CoachController
Vulnerability
A critical SQL injection vulnerability has been identified in Liujianview Gymxmjpa version 1.0. The flaw is in the count method of CoachController, which does not properly sanitize the coachName parameter. As a result, the method is open to blind SQL injection, and the attack can be carried out remotely.
Impact
An attacker who exploits this vulnerability can manipulate the database queries the application issues. The injection is blind: the attacker receives no direct feedback from the database but can infer information from the application's responses.
Reproduction
To reproduce this vulnerability, log in to the application and navigate to the coach count endpoint. The injection is triggered by sending a crafted coachName parameter that contains SQL payloads. For example, payloads that alter the query's logic or call database functions can be used to extract information from the database, such as its length or specific contents.
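The blind inference described above, modelled as an added example (not code from the page or from the Gymxmjpa project): a count query built by string concatenation next to the parameterized form, with a check that reports whether the count reacts to a condition embedded in the input. The `coach` table, its `coach_name` column, the sample rows and all function names are assumptions, and SQLite stands in for the application's database.

```python
import sqlite3

def make_db():
    """In-memory database with constructed rows (table and column names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coach (id INTEGER PRIMARY KEY, coach_name TEXT)")
    db.executemany("INSERT INTO coach (coach_name) VALUES (?)",
                   [("Li Wei",), ("Zhang Min",), ("Wang Fang",)])
    return db

def count_concatenated(db, coach_name):
    # Unsafe pattern: coach_name becomes part of the SQL text, so a quote
    # in the value ends the string literal and the rest is parsed as SQL.
    sql = "SELECT COUNT(*) FROM coach WHERE coach_name = '" + coach_name + "'"
    return db.execute(sql).fetchone()[0]

def count_parameterized(db, coach_name):
    # Hardened pattern: the value is bound to a placeholder and is only
    # ever compared as data, whatever characters it contains.
    sql = "SELECT COUNT(*) FROM coach WHERE coach_name = ?"
    return db.execute(sql, (coach_name,)).fetchone()[0]

def leaks_boolean(count_fn, db):
    """Regression check: True if the count depends on a condition embedded in the input.

    The two inputs differ only in a condition that is true in one and false
    in the other. A differing count means the input was parsed as SQL, which
    is the yes/no signal a blind injection relies on.
    """
    return count_fn(db, "x' OR '1'='1") != count_fn(db, "x' OR '1'='2")

if __name__ == "__main__":
    db = make_db()
    print("concatenated leaks:", leaks_boolean(count_concatenated, db))
    print("parameterized leaks:", leaks_boolean(count_parameterized, db))
```

The same check can run as a regression test against any query-building function that takes user input, so a later change that reintroduces concatenation fails the build.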
