A GraphQL schema parsing tool that converts an API document into query files (.gql) usable by a front end or Postman, or into request-body files (.json) usable with RESTful-style HTTP clients
Project description
graphql_schema_parse
Parses a GraphQL schema document and converts it into **.gql** files (query strings usable by front-end queries) and **.json** files (JSON bodies usable as the `json=` keyword argument of `requests`).
GraphQL
GraphQL is both a query language for APIs and a runtime for fulfilling those queries with your data; click the heading to visit the official site for details. In practice the most commonly used operations are query (read), mutation (modify/create) and subscription.
After a GraphQL request is sent, packet capture shows that on the wire it differs little from a RESTful request: the parameters are passed as a JSON body, roughly as follows.
{
"query": " query users {\n users{\n id\n username\n }\n \n }\n ",
"variables": {},
"operationName": "users"
}
{
"query": "mutation addUser($username: String!, $password: String!) {\n addUser(username: $username, password: $password) {\n id\n username\n }\n}\n",
"variables": {
"username": "gql",
"password": "gql1"
},
"operationName": "addUser"
}
{
"query": "mutation addUserInput($user: AddUserInput!) {\n addUserInput(user: $user) {\n id\n username\n }\n}\n",
"variables": {
"user": {
"username": "haha",
"password": "gg"
}
},
"operationName": "addUserInput"
}
- query: the generated query text; the front end lists the fields it wants and the back end returns the data it defines for them
- variables: values for the variable names used in the query text
- operationName: the name of the operation the back end defined when implementing it (a workable way to think about it for now)
Python is used here; in practice an `_` in a field name is converted to camelCase.
GraphQL example application
Source of the example GraphQL application: https://gitee.com/zy7y/starlette-example
Using the source
1. Clone
git clone https://gitee.com/zy7y/starlette-example
2. Install dependencies
pip install -r requirements.txt
pip install strawberry-graphql[debug-server]
3. Start
cd injection_service\graphql
strawberry server schema
Fetching the API schema from a URL
# Convert to JSON
gql parse http://127.0.0.1:8000 <output directory>
# Convert to GQL
gql parse http://127.0.0.1:8000 --to gql <output directory>
# Convert to an sqlmap request file (for sqlmap -r <HTTP request>.txt)
# with a headers JSON file
gql parse http://127.0.0.1:8000 --headers .\examples\headers.json --to sqlmap .\examples\sqlmap(json)示例
# without a headers JSON file
gql parse http://127.0.0.1:8000 --to sqlmap .\examples\sqlmap示例
When token authentication is required
// Create headers.json as follows
{
"Authorization": "Bearer token"
}
gql parse http://127.0.0.1:8000 --headers headers.json <output directory>
Using graphql-schema-parse
Installation
pip install graphql-schema-parse
Fetching the API schema from an SDL file
1. Prerequisite
# Run in the same directory in which the service was started; this produces the SDL
strawberry export-schema schema > schema.graphql
2. Convert the .graphql file into .gql files (the SDL file must be UTF-8 encoded; convert it yourself if it is not)
gql parse examples\schema.graphql --to gql <output directory>
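As an added illustration, not code from graphql-schema-parse itself, the script below shows what the conversion above produces: it parses a small, constructed SDL and builds, for each query or mutation field, the {query, variables, operationName} body described in the GraphQL section, expanding nested object fields only up to a depth limit in the way the --depth option describes. The SDL text, the type names and the regex-based parser are assumptions of this example; a production tool would use a real GraphQL parser such as graphql-core.

```python
import re
# Constructed sample SDL (not the project's schema) matching the operations shown above.
SDL = """
type User { id: ID! username: String! }
input AddUserInput { username: String! password: String! }
type Query { users: [User!]! }
type Mutation { addUser(username: String!, password: String!): User addUserInput(user: AddUserInput!): User }
"""
TYPE_RE = re.compile(r"(?:type|input)\s+(\w+)\s*\{([^}]*)\}")
FIELD_RE = re.compile(r"(\w+)\s*(?:\(([^)]*)\))?\s*:\s*([\[\]\w!]+)")

def parse_sdl(sdl):
    """Map each object/input type name to its list of (field, args, return_type)."""
    return {name: FIELD_RE.findall(body) for name, body in TYPE_RE.findall(sdl)}

def base_type(t):
    return t.strip("[]!")  # "[User!]!" -> "User"

def selection(types, type_name, depth, indent):
    """Expand the fields of type_name; nested objects only while depth remains."""
    lines = []
    for name, _args, ret in types.get(type_name, []):
        inner = base_type(ret)
        if inner in types:  # object type: recurse, depth-limited like --depth
            if depth > 0:
                lines.append(f"{indent}{name} {{")
                lines.extend(selection(types, inner, depth - 1, indent + "  "))
                lines.append(f"{indent}}}")
        else:  # scalar or enum leaf
            lines.append(f"{indent}{name}")
    return lines

def placeholder(types, type_name):  # "" for scalars, nested dict for input objects
    if type_name not in types:
        return ""
    return {f: placeholder(types, base_type(r)) for f, _a, r in types[type_name]}

def build_request(types, op_kind, field_name, depth=1):
    """Build the {query, variables, operationName} body a client POSTs."""
    root = "Query" if op_kind == "query" else "Mutation"
    args_str, ret = next((a, r) for f, a, r in types[root] if f == field_name)
    args = re.findall(r"(\w+)\s*:\s*([\[\]\w!]+)", args_str)
    var_defs = ", ".join(f"${n}: {t}" for n, t in args)
    call_args = ", ".join(f"{n}: ${n}" for n, _ in args)
    head = f"{op_kind} {field_name}" + (f"({var_defs})" if args else "")
    call = f"  {field_name}" + (f"({call_args})" if args else "")
    body = selection(types, base_type(ret), depth, "    ")
    query = "\n".join([head + " {", call + " {", *body, "  }", "}"]) + "\n"
    variables = {n: placeholder(types, base_type(t)) for n, t in args}
    return {"query": query, "variables": variables, "operationName": field_name}
```

`build_request(parse_sdl(SDL), "mutation", "addUserInput")` yields a body with the same shape as the addUserInput example earlier on the page, with empty-string placeholders for every input field.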
Testing
1. .gql file (query): paste the contents of the generated users.gql into the playground at 127.0.0.1:8000
2. .gql file (mutation): paste the contents of the generated addUser.gql into the playground at 127.0.0.1:8000
3. .json file (query): assign the contents of the generated users.json to `data` and send the request with the requests package, as in the following code
from requests import post

url = "http://127.0.0.1:8000/graphql"
data = {
    "query": " query users {\n users{\n id\n username\n }\n \n }\n ",
    "variables": {},
    "operationName": "users",
}
print(post(url, json=data).json())
4. .json file (mutation): assign the contents of the generated addUsers.json to `data` and send the request with the requests package, as in the following code
from requests import post

url = "http://127.0.0.1:8000/graphql"
data = {
    "query": " mutation addUserInput ($user: AddUserInput!){\n addUserInput (user: $user){\n id\n username\n }\n \n }\n ",
    "variables": {"user": {"username": "", "password": ""}},
    "operationName": "addUserInput",
}
print(post(url, json=data).json())
5. .txt file (an sqlmap -r httpinfo.txt request file, usable for sqlmap SQL injection scanning). Contents of the generated addUserInput.txt:
POST /graphql HTTP/1.1
HOST: http://127.0.0.1:8000
Authorization: Bearer token
Content-Type: application/json
{"query": " mutation addUserInput ($user: AddUserInput!){\n addUserInput (user: $user){\n id\n username\n }\n \n }\n ", "variables": {"user": {"username": "*", "password": "*"}}, "operationName": "addUserInput"}
# Install sqlmap
pip install sqlmap
# Run the SQL injection scan; see the sqlmap website for detailed usage
sqlmap -r addUserInput.txt --level 5 --risk 3
[Screenshots: scan in progress; scan result (the database was identified as SQLite)]
Parameter details
gql parse --help
output:
Usage: cli.py parse [OPTIONS] FROM_PATH TO_DIRECTORY
将Graphql接口文档转成gql文件/Json文件 :param from_path: 接口文档地址, 本地JSON文件地址(.json) 或者 本地
SDL文件(.schema ), 或者 服务器URL填入(服务器的IP:PORT) :param to: 转换之后的文件类型, 可选
TO_DIRECTORY 生成文件保存目录,不存在时,自动创建 [required]
Options:
--headers TEXT url方式获取接口文档时,可选项传入请求头json文件地址
--to [json|gql] [default: ToType.to_json]
--depth INTEGER query语句体中可用查询字段递归深度 [default: 1]
--help Show this message and exit.
Project details
Download files
Source Distribution
File details for graphql-schema-parse-0.2.0.tar.gz
- Download URL: graphql-schema-parse-0.2.0.tar.gz
- Size: 10.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.12 CPython/3.9.6 Windows/10
File hashes
Algorithm | Hash digest
---|---
SHA256 | 5f46b01f8b714786fa8d79366832bb4f8dc726096ae984fbcf81100dc2f5b0e4
MD5 | 21e56905564f49f0e64c9fb94884ba0d
BLAKE2b-256 | 3305f26b12b528b64ffa7521cbc5dc52fde6a152f7581b010a1071812ffcbee9
Built Distribution
File details for graphql_schema_parse-0.2.0-py3-none-any.whl
- Download URL: graphql_schema_parse-0.2.0-py3-none-any.whl
- Size: 11.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.12 CPython/3.9.6 Windows/10
File hashes
Algorithm | Hash digest
---|---
SHA256 | b78fe007e574f9d256ac15d502ef51e959be899c93155069bcd5ea1fbca3a849
MD5 | 5230d576b17e201b98868edaf260c49e
BLAKE2b-256 | b3ca214dfbb940c1d89a27bcfe81c4b77c1ad2fe82c19d8290ff4104e0d4cb83