Improve the atack generation of graphql queries and mutations

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
 default_language_version:
- python: python3.10
+ python: python3
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
  rev: v3.2.0

README.md

@@ -131,7 +131,7 @@ After building InQL as described above, you can prepare your development environ
 Begin by setting up a virtual environment with Python 2.7 for Jython compatibility. Note that necessary headers are required to build libraries with pip. For instance, using virtualenv:
 
 ```bash
-$ sudo apt install -y python2.7 python2.7-dev python2-setuptools-whl python2-pip-whl python3-virtualenv
+$ sudo apt install -y python2.7 python2.7-dev python2-setuptools-whl python2-pip-whl python3-virtualenv libssl-dev
 $ virtualenv -p python2.7 ./venv/
 ```
 

python/inql/attacker/request.py

@@ -30,32 +30,40 @@ class InitiateAttack(ActionListener):
  def __init__(self, editor):
  self.editor = editor
 
+ def stripComments(self, code):
+ code = str(code)
+ return re.sub(r'(?m) *#.*\n?', '', code)
+
  def generate_attack_request(self):
  info = helpers.analyzeRequest(self.editor.request)
  headers = info.getHeaders()
  raw = helpers.bytesToString(self.editor.request[info.getBodyOffset():])
- body = str(raw).replace('\\r', '').replace('\\n', ' ').replace('\\t', '')
+ body = str(raw)
  parsed = json.loads(body)
  if isinstance(parsed, list):
  parsed = parsed[0]
  query = parsed['query']
 
- prefix, suffix = "", ""
+ actionMatch = re.search('([^{]*?){(.+)}([^}]*?)', query, re.DOTALL)
+ action, query, tmp = actionMatch.groups()
+ query = self.stripComments(query)
+ query = re.sub(r'\n|\r|\t', '', query)
+ prefix, suffix, exploit = "", "", ""
  while True:
  # FIXME: whitespace inbetween will break the regex!
 
  # look until first {
- match = re.match('([^{]*?){(.+)}([^}]*?)', query)
+ match = re.search('([^{]*?){(.+)}([^}]*?)', query, re.DOTALL)
  if not match:
  break
  pfx, query, sfx = match.groups()
 
  # look for a placeholder
  match = (
  # $[INT:first:last]
- re.match(r'(.*?)\$\[(INT):(\d+:\d+)\](.*)', pfx) or
+ re.search(r'(.*?)\$\[(INT):(\d+:\d+)\](.*)', pfx, re.DOTALL) or
  # $[FILE:path] and $[FILE:path:first:last]
- re.match(r'(.*?)\$\[(FILE):([^:]+(?::\d+:\d+)?)\](.*)', pfx)
+ re.search(r'(.*?)\$\[(FILE):([^:]+(?::\d+:\d+)?)\](.*)', pfx, re.DOTALL)
  )
  if not match:
  prefix = prefix + pfx + '{'
@@ -72,7 +80,7 @@ def generate_attack_request(self):
  # $[INT:first:last]
  start, end = args
  for n, item in enumerate(range(int(start), int(end)+1)):
- exploit += 'op%s: %s%s%s{%s}%s' % (n+1, lead, item, rest, query, sfx)
+ exploit +='op%s: %s%s%s%s{%s}%s' % (n+1, prefix, lead, item, rest, query, suffix)
  if verb == 'FILE':
  # $[FILE:path] and $[FILE:path:first:last]
  path = args[0]
@@ -84,10 +92,10 @@ def generate_attack_request(self):
  start, end = 1, len(items)
 
  for n, item in enumerate(items[start-1: end]):
- exploit += 'op%s: %s%s%s{%s}%s' % (n+1, lead, item, rest, query, sfx)
+ exploit +='op%s: %s%s%s%s{%s}%s' % (n+1, prefix, lead, item, rest, query, suffix)
 
  #build the query
- attack = prefix + exploit + suffix
+ attack = action + "{" + exploit + "}"
 
  log.debug("attack query: %s" % attack)
  body = json.dumps({'query': attack})