Sfturing Hosp_Order SQL Injection Vulnerability in OfficeServiceImpl
Vulnerability
A critical SQL injection vulnerability has been identified in the Sfturing Hosp_Order application, specifically in versions up to commit 627f426331da8086ce8fff2017d65b1ddef384f8. The issue arises in the OfficeServiceImpl.java file, within the getOfficeName function. The vulnerability is triggered by manipulating the officesName argument, allowing attackers to execute arbitrary SQL commands. This vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for unauthorized execution of SQL commands, potentially leading to database manipulation or disclosure of sensitive information. Additionally, according to the vulnerability submitter, this SQL injection could be combined with database extensions to execute system commands, creating further risks such as implanting backdoors through backup functions.
Reproduction
The vulnerability can be reproduced by sending a POST request to the /ssm_pro/orderOffice/1 endpoint. The request must include the officesName parameter, which can be crafted to inject SQL payloads. The OfficeController's orderOffcie method will call the OfficeService's findOrderOfficeNum method, passing the injected officesName argument, thereby exploiting the SQL injection vulnerability.
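The advisory names the code path (controller method, service method, `officesName` argument) but does not show the query itself, and the application is a Java/MyBatis project whose source is not reproduced here. The following added example, which is not code from Hosp_Order, illustrates the defect class and its fix in a self-contained form: an `officesName`-style lookup built by string concatenation beside the same lookup with a bound parameter, run against a constructed in-memory SQLite table. The table, column names and sample rows are assumptions for the demonstration; in the real project the equivalent fix is to pass the value as a bound parameter (MyBatis `#{}` rather than `${}` substitution) instead of splicing it into SQL text.

```python
import sqlite3

# Constructed sample data standing in for the application's office table,
# whose real schema is not shown in the advisory.
SAMPLE_OFFICES = [
    (1, "Cardiology"),
    (2, "Neurology"),
    (3, "Oncology"),
]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE office (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO office VALUES (?, ?)", SAMPLE_OFFICES)
    return conn


def count_office_vulnerable(conn, offices_name):
    """Injectable pattern (hypothetical stand-in for the affected lookup):
    the request parameter is spliced directly into the SQL text, so quote
    characters in the value change the structure of the query."""
    sql = "SELECT COUNT(*) FROM office WHERE name = '" + offices_name + "'"
    return conn.execute(sql).fetchone()[0]


def count_office_safe(conn, offices_name):
    """Hardened form: the value is bound as a parameter. The database treats
    it purely as data, so the same input matches only a literal office name."""
    sql = "SELECT COUNT(*) FROM office WHERE name = ?"
    return conn.execute(sql, (offices_name,)).fetchone()[0]


def demonstrate(offices_name):
    """Run both variants on the same input and return (vulnerable, safe) counts."""
    conn = make_db()
    try:
        return (
            count_office_vulnerable(conn, offices_name),
            count_office_safe(conn, offices_name),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign value behaves identically in both variants.
    print("Cardiology:", demonstrate("Cardiology"))
    # A quote-bearing value (a tautology, constructed for the demo) makes the
    # concatenated query match every row while the bound query matches none.
    print("tautology:", demonstrate("x' OR '1'='1"))
```

The contrast in the second call is the whole point: the concatenated variant returns the full row count for an input that names no office, while the parameterized variant returns zero. When reviewing a codebase for this bug, look for any place where a request-controlled string reaches SQL text by concatenation, formatting or `${}`-style substitution rather than a bound parameter.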
