SQL vulnerability in tduck-platform

[myh2022]

1. The code vulnerable to SQL injection is located as follows(com.tduck.cloud.form.service.data.FormDataMysqlService), This code directly concatenates SQL statements, leading to the SQL injection vulnerability

2. Then, within the downloadFormResultFile method of the downloadFormResultFile class(com.tduck.cloud.api.web.controller.downloadFormResultFile), this method is invoked.
   

3. According to the route information, access the URL address, and use error-based injection to retrieve the database name, thereby verifying the existence of the vulnerability.