Xierongwkhd Weimai-Wetapp SQL Injection Vulnerability in HomeController Endpoint

A SQL injection vulnerability has been identified in the Xierongwkhd Weimai-Wetapp application, specifically in versions up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. The issue arises in the 'getLikeMovieList' function within the 'HomeController.java' file. The vulnerability is caused by the 'cat' parameter being passed without proper sanitization, allowing for SQL injection attacks. This flaw can be exploited remotely, and the current database user can be retrieved as part of the exploitation.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a GET request to the '/home/getLikeMovieList' endpoint with an unsanitized 'cat' parameter. The request can be made using a tool like SQLMap, which can automate the injection process and exploit the vulnerability.