pwn 0.4.886 → 0.4.888

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5a85fbb128c8c5ba0dafc425373d33839998f866ccc0982b9d0f596ce7ee2411
-  data.tar.gz: ab8a86d182d5cc69e7509596bd38a0515b2c8c0b532ca61b59675558fb5df554
+  metadata.gz: 5c9290a5c2e09f3306dfebf9d4a557f5ee9d63ab0a909650af515c99fccdf7a1
+  data.tar.gz: 9ef4d20e21c19bca22c9c678b50dcad41ab00747a09c9a059f06f58ec70d2721
 SHA512:
-  metadata.gz: d3ef35410455de329014f16c01c6498ce9e7540a1edbf2028b3c181297e47084a4439e7e6344892ce33685868599cd44f3ffb21008bfcd83695f6b1931067a95
-  data.tar.gz: 0e3155be591274c629fc0dd73a45d94b830261af83bf4a074d05c4579d0eea110815f5efb6ef5adf439c16e171da51f7287f44e032f29ec29b719c8a4c163a9d
+  metadata.gz: 3207380842882ae96d64db682b3f1016963a551aa9757f56c29daa0472a2e7856899f5e1a328409ed88fd6e233fb7f06ba6bb92ccdc58bd2ffa78d969f209a3c
+  data.tar.gz: db6d6deac66c00462f27cdb1e89c8a363a01338969489762f5d3d8b3803df66167b606ad78548bf95ebd6eb9eef22235e4d80e491993aacb93a97684ce12777a

data/README.md

@@ -37,7 +37,7 @@ $ rvm use ruby-3.2.2@pwn
 $ rvm list gemsets
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.886]:001 >>> PWN.help
+pwn[v0.4.888]:001 >>> PWN.help
 ```
 
 [![Installing the pwn Security Automation Framework](https://raw.githubusercontent.com/0dayInc/pwn/master/documentation/pwn_install.png)](https://youtu.be/G7iLUY4FzsI)
@@ -52,7 +52,7 @@ $ rvm use ruby-3.2.2@pwn
 $ gem uninstall --all --executables pwn
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.886]:001 >>> PWN.help
+pwn[v0.4.888]:001 >>> PWN.help
 ```
 
 

data/bin/pwn_shodan_graphql_introspection

@@ -0,0 +1,311 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'faker'
+require 'json'
+require 'optparse'
+require 'pwn'
+
+opts = {}
+OptionParser.new do |options|
+  options.on('-jFILE', '--json-results=FILE', 'Required - JSON results file from pwn_shodan_search driver') do |j|
+    opts[:json_results] = j
+  end
+end.parse!
+
+if opts.empty?
+  puts `#{$PROGRAM_NAME} --help`
+  exit 1
+end
+
+json_results_path = opts[:json_results]
+raise "ERROR: Shodan JSON Results File #{json_results_path} Does Not Exist." unless File.exist?(json_results_path)
+
+search_results = JSON.parse(
+  File.read(json_results_path),
+  symbolize_names: true
+)
+
+print 'Extracting URIs from Shodan search results...'
+uri_arr = PWN::Plugins::Shodan.get_uris(search_results: search_results)
+puts 'complete.'
+
+print "Extracting GraphQL URIs from #{uri_arr.count} URIs..."
+graphql_uris = uri_arr.uniq.select do |uri|
+  uri if uri =~ %r{.+/graphql/?$} ||
+         uri =~ %r{.+/graphiql/?$} ||
+         uri =~ %r{.+/playground/?$} ||
+         uri =~ %r{.+/console/?$} ||
+         uri =~ %r{.+/query/?$} ||
+         uri =~ %r{.+/gql/?$} ||
+         uri =~ %r{.+/index.php?graphql$}
+end
+puts 'complete.'
+
+browser_obj = PWN::Plugins::TransparentBrowser.open(browser_type: :rest)
+rest_client = browser_obj[:browser]::Request
+
+graphql_payloads_arr = []
+
+graphql_schema_payload = '{ "query": "{ __schema { types { name } } }" }'
+graphql_payloads_arr.push(graphql_schema_payload)
+
+graphql_introspection_payload1 = <<-END_OF_PAYLOAD
+  {
+    query IntrospectionQuery {
+      __schema {
+
+        queryType { name }
+        mutationType { name }
+        subscriptionType { name }
+        types { ...FullType }
+        directives {
+          name
+          description
+          locations
+          args { ...InputValue }
+        }
+      }
+    }
+
+    fragment FullType on __Type {
+      kind
+      name
+      description
+      fields(includeDeprecated: true) {
+        name
+        description
+        args { ...InputValue }
+        type { ...TypeRef }
+        isDeprecated
+        deprecationReason
+      }
+      inputFields {
+        ...InputValue
+      }
+      interfaces {
+        ...TypeRef
+      }
+      enumValues(includeDeprecated: true) {
+        name
+        description
+        isDeprecated
+        deprecationReason
+      }
+      possibleTypes {
+        ...TypeRef
+      }
+    }
+
+    fragment InputValue on __InputValue {
+      name
+      description
+      type { ...TypeRef }
+      defaultValue
+    }
+
+    fragment TypeRef on __Type {
+      kind
+      name
+      ofType {
+        kind
+        name
+        ofType {
+          kind
+          name
+          ofType {
+            kind
+            name
+            ofType {
+              kind
+              name
+              ofType {
+                kind
+                name
+                ofType {
+                  kind
+                  name
+                  ofType {
+                    kind
+                    name
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+END_OF_PAYLOAD
+graphql_payloads_arr.push(graphql_introspection_payload1)
+
+graphql_introspection_payload2 = <<-END_OF_PAYLOAD
+    {
+      "operationName":"IntrospectionQuery",
+      "variables":{},
+      "query":"
+        fragment FullType on __Type {
+          kind
+          name
+          description
+          fields(includeDeprecated: true) {
+            name
+            description
+            args { ...InputValue }
+            type { ...TypeRef }
+            isDeprecated    deprecationReason
+          }
+          inputFields { ...InputValue  }
+          interfaces { ...TypeRef  }
+          enumValues(includeDeprecated: true) {
+            name
+            description
+            isDeprecated
+            deprecationReason
+          }
+          possibleTypes { ...TypeRef }
+      }
+
+      fragment InputValue on __InputValue {
+        name
+        description
+        type { ...TypeRef }
+        defaultValue
+      }
+
+      fragment TypeRef on __Type {
+        kind
+        name
+        ofType {
+          kind
+          name
+          ofType {
+            kind
+            name
+            ofType {
+              kind
+              name
+              ofType {
+                kind
+                name
+                ofType {
+                  kind
+                  name
+                  ofType {
+                    kind
+                    name
+                    ofType {
+                      kind
+                      name
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+
+      query IntrospectionQuery {
+        __schema {
+          queryType { name }
+          mutationType { name }
+          types { ...FullType }
+          directives {
+            name
+            description
+            locations
+            args { ...InputValue }
+          }
+        }
+      }"
+    }
+END_OF_PAYLOAD
+graphql_payloads_arr.push(graphql_introspection_payload2)
+
+# Math Part
+graphql_uri_tot = graphql_uris.length
+payload_tot = graphql_payloads_arr.length
+request_tot = payload_tot * graphql_uri_tot
+
+puts "Sending #{payload_tot} payloads to #{graphql_uris.count} GraphQL URIs..."
+puts "Total HTTP Requests: #{request_tot}"
+
+user_agent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36'
+introspection_arr_of_hashes = []
+graphql_uris.each do |this_uri|
+  puts "IN PROGRESS: #{this_uri}..."
+  graphql_payloads_arr.each_with_index do |this_payload, payload_index|
+    # user_agent = Faker::Internet.user_agent
+    timestamp = Time.now.strftime('%Y-%m-%d_%H:%M:%S')
+    introspection_hash = {
+      time: timestamp,
+      uri: this_uri,
+      payload_index: payload_index,
+      response_code: nil,
+      response_headers: nil,
+      response: nil
+    }
+    resp = rest_client.execute(
+      method: :post,
+      url: this_uri,
+      headers: {
+        content_type: 'application/json; charset=UTF-8',
+        user_agent: user_agent
+      },
+      payload: this_payload,
+      verify_ssl: false,
+      timeout: 3.0,
+      max_redirects: 3
+    )
+    introspection_hash[:response_code] = resp.code
+    introspection_hash[:response_headers] = resp.headers
+    json_resp = JSON.parse(
+      resp.body,
+      symbolize_names: true
+    )
+
+    introspection_hash[:response] = json_resp
+  rescue Errno::ECONNREFUSED,
+         Errno::ENETUNREACH,
+         JSON::ParserError,
+         OpenSSL::SSL::SSLError,
+         SocketError => e
+
+    introspection_hash[:response_code] = "#{e.class}: #{e.message}"
+
+    next
+  rescue RestClient::ExceptionWithResponse => e
+    introspection_hash[:response_code] = "#{e.class}: #{e.message}" if e.response.nil?
+
+    if e.response
+      introspection_hash[:response_code] = e.response.code
+      introspection_hash[:response_headers] = e.response.headers
+      introspection_hash[:response] = e.response.body
+    end
+
+    next
+  ensure
+    introspection_arr_of_hashes.push(introspection_hash)
+  end
+end
+puts 'complete.'
+
+timestamp = Time.now.strftime('%Y-%m-%d_%H:%M:%S')
+print 'Saving Introspection Results...'
+File.write(
+  "graphql_results-#{timestamp}-ALL.json",
+  JSON.pretty_generate(introspection_arr_of_hashes)
+)
+
+vulnerable_uris = introspection_arr_of_hashes.select do |h|
+  h if (h[:response].is_a?(Hash) && h[:response].keys.first.to_sym == :data) ||
+       (h[:response].is_a?(Integer) && h[:response_code] == 415) ||
+       (h[:response].is_a?(Integer) && h[:response_code] >= 500)
+end
+File.write(
+  "graphql_results-#{timestamp}-VULNERABLE.json",
+  JSON.pretty_generate(vulnerable_uris)
+)
+puts 'complete.'

data/lib/pwn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PWN
-  VERSION = '0.4.886'
+  VERSION = '0.4.888'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pwn
 version: !ruby/object:Gem::Version
-  version: 0.4.886
+  version: 0.4.888
 platform: ruby
 authors:
 - 0day Inc.
@@ -1189,6 +1189,7 @@ executables:
 - pwn_serial_msr206
 - pwn_serial_qualcomm_commands
 - pwn_serial_son_micro_sm132_rfid
+- pwn_shodan_graphql_introspection
 - pwn_shodan_search
 - pwn_simple_http_server
 - pwn_web_cache_deception
@@ -1255,6 +1256,7 @@ files:
 - bin/pwn_serial_msr206
 - bin/pwn_serial_qualcomm_commands
 - bin/pwn_serial_son_micro_sm132_rfid
+- bin/pwn_shodan_graphql_introspection
 - bin/pwn_shodan_search
 - bin/pwn_simple_http_server
 - bin/pwn_web_cache_deception