Sfturing Hosp_Order SQL Injection Vulnerability in DoctorServiceImpl
Vulnerability
A critical SQL injection vulnerability has been identified in the Sfturing Hosp_Order application, specifically in versions up to 627f426331da8086ce8fff2017d65b1ddef384f8. The issue arises in the DoctorServiceImpl.java file, within the findDoctorByCondition function. The vulnerability is triggered by manipulating the hospitalName argument, allowing attackers to execute arbitrary SQL commands. This issue can be exploited remotely, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows for unauthorized execution of SQL commands, potentially leading to database manipulation or disclosure of sensitive information. Additionally, according to the vulnerability submitter, this SQL injection could be combined with database extensions to execute system commands, creating further security risks.
Reproduction
The vulnerability can be reproduced by sending a POST request to the /ssm_pro/allDoctor/1 endpoint. The request must include a crafted hospitalName parameter that exploits the SQL injection vulnerability. Other parameters such as doctorTitle, doctorAdministrative, and doctorDegree can also be included, but the injection point primarily lies within the hospitalName parameter.
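The flaw described above, where hospitalName reaches the SQL text of findDoctorByCondition, is shown next to its fix in this added example, which is not code from the Hosp_Order project. It uses Python with an in-memory SQLite database as a stand-in for the Java application; the table, column and function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions,
# not the Hosp_Order schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE doctor (name TEXT, hospital_name TEXT, title TEXT)")
    db.executemany("INSERT INTO doctor VALUES (?, ?, ?)", [
        ("Dr. A", "City Hospital", "Chief"),
        ("Dr. B", "City Hospital", "Resident"),
        ("Dr. C", "North Clinic", "Chief"),
    ])
    return db

def find_doctors_concat(db, hospital_name):
    # Vulnerable pattern: the request value becomes part of the SQL text,
    # so a quote in it ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name FROM doctor WHERE hospital_name = '"
           + hospital_name + "' ORDER BY name")
    return [row[0] for row in db.execute(sql)]

def find_doctors_bound(db, hospital_name=None, title=None):
    # Hardened pattern: optional filters add fixed SQL fragments only;
    # every request value travels as a bound parameter.
    clauses, params = [], []
    if hospital_name:
        clauses.append("hospital_name = ?")
        params.append(hospital_name)
    if title:
        clauses.append("title = ?")
        params.append(title)
    sql = "SELECT name FROM doctor"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return [row[0] for row in db.execute(sql + " ORDER BY name", params)]

if __name__ == "__main__":
    db = make_db()
    probe = "nowhere' OR '1'='1"  # constructed regression input
    print(find_doctors_concat(db, probe))  # filter bypassed: every row returned
    print(find_doctors_bound(db, probe))   # value treated as data: no rows
    print(find_doctors_bound(db, "City Hospital", "Chief"))
```

The same regression input is worth keeping as a test case for any fix: a correct fix returns no rows for it and still accepts legitimate names that contain an apostrophe.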
