huija bicycleSharingServer SQL Injection Vulnerability in AdminController

Vulnerability

A critical SQL injection vulnerability has been identified in huija bicycleSharingServer version 1.0. The issue lies in the AdminController.java file, specifically in the selectAdminByNameLike function. It allows arbitrary SQL commands to be executed by manipulating the 'name' parameter of a GET request: crafted requests carrying SQL payloads reach the query and are executed by the application's database management system. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can execute arbitrary SQL commands in the application's database context. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a GET request to the 'admin-admin-searchadmin-show' endpoint with a crafted 'name' parameter that includes SQL injection payloads. The request will be processed by the 'selectAdminByNameLike' function in the 'AdminController.java' file, where the injected SQL commands will be executed by the application's database.
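The page does not show the project's code, so the following is an added illustration of the bug class in a JDBC name search, with the vulnerable concatenation pattern beside its parameterized fix; the table name `admin`, the column `name`, the method names and the use of plain JDBC are assumptions, not the project's own code:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Hypothetical illustration of a LIKE-based name search; not the project's code.
public class AdminSearchExample {

    // VULNERABLE pattern: the request parameter is pasted into the SQL text, so a quote
    // or comment sequence in 'name' changes the query structure instead of the search term.
    static List<String> selectAdminByNameLikeUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT name FROM admin WHERE name LIKE '%" + name + "%'";
        List<String> out = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) out.add(rs.getString(1));
        }
        return out;
    }

    // HARDENED: the value is bound as a parameter, so the driver always treats it as data.
    // LIKE metacharacters are also escaped so '%' and '_' typed by the user match literally
    // ('!' is used as the escape character because it is portable across DBMSs).
    static List<String> selectAdminByNameLikeSafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT name FROM admin WHERE name LIKE ? ESCAPE '!'";
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "%" + escapeLike(name) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) out.add(rs.getString(1));
            }
        }
        return out;
    }

    // Escape the LIKE wildcards and the escape character itself.
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }
}
```

A quick check for the unsafe pattern during review is any `Statement.executeQuery` or `executeUpdate` whose SQL string is built with `+` from request data; the fix is always a bound parameter, never input filtering alone.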

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          5.0
exploitability  6.6
remediation     0.0
relevance       0.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.