Liujianview Gymxmjpa SQL Injection Vulnerability in GoodsController
Vulnerability
A critical SQL injection vulnerability has been identified in Liujianview Gymxmjpa version 1.0. The issue arises in the GoodsDaoImpl function within the GoodsController.java file, where the goodsName parameter is not properly sanitized. This flaw allows for remote exploitation by injecting malicious SQL that could be executed by the database.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
The vulnerability can be reproduced by sending a request to the goods/count endpoint with a crafted goodsName parameter. The injection can be verified by using SQL payloads that, for example, test the length of the database name or extract database information character by character. This demonstrates that the injected SQL is executed and the application is vulnerable to SQL injection attacks.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.