Graphicator - A GraphQL Enumeration And Extraction Tool
Graphicator is a GraphQL "scraper" / extractor. The tool iterates over the introspection document returned by the targeted GraphQL endpoint, and then re-structures the schema in an internal form so it can re-create the supported queries. When such queries are created is using them to send requests to the endpoint and saves the returned response to a file.
Erroneous responses are not saved. By default the tool caches the correct responses and also caches the errors, thus when re-running the tool it won't go into the same queries again.
Use it wisely and use it only for targets you have the permission to interact with.
We hope the tool to automate your own tests as a penetration tester and gives some push even to the ones that don't do GraphQLing test yet.
To learn how to perform assessments on GraphQL endpoints: https://cybervelia.com/?p=736&preview=true
Installation
Install on your system
python3 -m pip install -r requirements.txt
Using a container instead
docker run --rm -it -p8005:80 cybervelia/graphicator --target http://the-target:port/graphql --verbose
When the task is done it zips the results and such zip is provided via a webserver served on port 8005. To kill the container, provide CTRL+C. When the container is stopped the data are deleted too. Also you may change the host port according to your needs.
Usage
python3 graphicator.py [args...]
Setting up a target
The first step is to configure the target. To do that you have to provide either a --target
option or a file using --file
.
Setting a single target via arguments
python3 graphicator.py --target https://subdomain.domain:port/graphql
Setting multiple targets
python3 graphicator.py --target https://subdomain.domain:port/graphql --target https://target2.tld/graphql
Setting targets via a file
python3 graphicator.py --file file.txt
The file should contain one URL per line as such:
http://target1.tld/graphqlhttp://sub.target2.tld/graphqlhttp://subxyz.target3.tld:8080/graphql
Using a Proxy
You may connect the tool with any proxy.
Connect to the default burp settings (port 8080)
python3 graphicator.py --target target --default-burp-proxy
Connect to your own proxy
python3 graphicator.py --target target --use-proxy
Connect via Tor
python3 graphicator.py --target target --use-tor
Using Headers
python3 graphicator.py --target target --header "x-api-key:60b725f10c9c85c70d97880dfe8191b3"
Enable Verbose
python3 graphicator.py --target target --verbose
Enable Multi-threading
python3 graphicator.py --target target --multi
Disable warnings for insecure and self-signed certificates
python3 graphicator.py --target target --insecure
Avoid using cached results
python3 graphicator.py --target target --no-cache
Example
python3 graphicator.py --target http://localhost:8000/graphql --verbose --multi _____ __ _ __ / ___/____ ___ _ ___ / / (_)____ ___ _ / /_ ___ ____/ (_ // __// _ `// _ \ / _ \ / // __// _ `// __// _ \ / __/\___//_/ \_,_// .__//_//_//_/ \__/ \_,_/ \__/ \___//_/ /_/ By @fand0mas[-] Targets: 1[-] Headers: 'Content-Type', 'User-Agent'[-] Verbose[-] Using cache: True************************************************************ 0%| | 0/1 [00:00<?, ?it/s][*] Enumerating... http://localhost:8000/graphql[*] Retrieving... => query {getArticles { id,title,views } }[*] Retrieving... => query {getUsers { id,username,email,password,level } }100%|█████████████████████████████████████████████| 1/1 [00:00<00:00, 35.78it/s]
$ cat reqcache-queries/9652f1e7c02639d8f78d1c5263093072fb4fd06c.query query {getUsers { id,username,email,password,level } }
Output Structure
Three folders are created:
- reqcache: The response of each valid query is stored in JSON format
- reqcache-intro: All introspection queries are stored in a separate file in this directory
- reqcache-queries: All queries are stored in a separate file in this directory. The filename of each query will match with the corresponding filename in the reqcache directory that holds the query's response.
The filename is the hash which takes account the query and the url.
License & EULA
Copyright 2023 Cybervelia Ltd
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Maintainer
The tools has been created and maintained by (@fand0mas).
Contribution is also welcome.
Source: www.kitploit.com