SPARQL local file inclusion (LFI) & remote command execution (RCE)

I am pentesting an application using GraphDB and I found a lot of injections in SPARQL requests. There is very little information about SPARQL injections and I don't really know this DB language. Does anyone know if it is possible to include files or execute commands in SPARQL (like one would do with SQL)?

Thank you.



Solution 1:[1]

SPARQL Query and SPARQL Update are different languages.

A SPARQL Update is invalid as SPARQL Query syntax.

The kind of operation (query or update) is clear from either the endpoint URL called or the HTTP request content-type.

In the W3C Standard SPARQL, there is no "call out" execution operator.

SPARQL does allow extension functions - that's implementation-dependent. They should be functions (no side effects) but of course it depends on the implementation.

A SPARQL Query implementation may read external data with FROM/FROM NAMED. Most implementations don't; they take the graphs from the local dataset.
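The points in this answer translate directly into server-side checks: confine untrusted input to a string literal instead of concatenating it into the query, refuse an Update arriving at the Query endpoint, and treat FROM / FROM NAMED clauses as a policy decision rather than hoping the engine ignores them. The following Python is an added example written for this page; it is not code from the answer, from GraphDB, or from any SPARQL library. The rdfs:label lookup, the endpoint wrapper `check_query_request` and its allowlist are hypothetical, and all sample inputs are constructed.

```python
import re

# SPARQL 1.1 string-literal escapes (the ECHAR production): \t \b \n \r \f \" \' \\
_ESCAPES = {
    "\\": "\\\\",
    '"': '\\"',
    "'": "\\'",
    "\n": "\\n",
    "\r": "\\r",
    "\t": "\\t",
    "\b": "\\b",
    "\f": "\\f",
}


def escape_literal(value: str) -> str:
    """Escape untrusted text so it can only ever be the *content* of a quoted literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_query(label: str) -> str:
    """Hardened query builder (hypothetical): the user value cannot close the literal."""
    return (
        "PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>\n"
        'SELECT ?s WHERE { ?s rdfs:label "%s" }' % escape_literal(label)
    )


# Tokens: whitespace, "#" comment to end of line, <IRI>, or any other non-space run.
# IRIs are matched whole so a "#" inside <...#> is never mistaken for a comment.
_TOKEN = re.compile(r"\s+|#[^\n]*|<[^>]*>|[^\s<]+")

_QUERY_FORMS = {"SELECT", "CONSTRUCT", "ASK", "DESCRIBE"}
_UPDATE_FORMS = {"INSERT", "DELETE", "LOAD", "CLEAR", "CREATE", "DROP",
                 "COPY", "MOVE", "ADD", "WITH"}


def leading_keyword(text: str) -> str:
    """First keyword after comments and the PREFIX/BASE prologue, upper-cased."""
    toks = [m.group(0) for m in _TOKEN.finditer(text)
            if not m.group(0).isspace() and not m.group(0).startswith("#")]
    i = 0
    while i < len(toks):
        kw = toks[i].upper()
        if kw == "PREFIX":      # PREFIX ns: <iri>
            i += 3
        elif kw == "BASE":      # BASE <iri>
            i += 2
        else:
            return kw
    return ""


def classify_operation(text: str) -> str:
    """Query and Update are different languages; decide which one this text is."""
    kw = leading_keyword(text)
    if kw in _QUERY_FORMS:
        return "query"
    if kw in _UPDATE_FORMS:
        return "update"
    return "unknown"


_FROM = re.compile(r"\bFROM\s+(?:NAMED\s+)?<([^>]*)>", re.IGNORECASE)


def external_sources(text: str) -> list:
    """IRIs named in FROM / FROM NAMED dataset clauses, in order of appearance."""
    return _FROM.findall(text)


def check_query_request(text: str, allowed_graphs=frozenset()) -> list:
    """Reasons to reject a request that reached the *query* endpoint (hypothetical wrapper)."""
    problems = []
    kind = classify_operation(text)
    if kind != "query":
        problems.append(f"operation kind is {kind!r}, not a query")
    for iri in external_sources(text):
        if iri not in allowed_graphs:
            problems.append(f"dataset clause names non-allowlisted graph <{iri}>")
    return problems


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    print(build_lookup_query('plain label'))
    print(build_lookup_query('closing quote " attempt'))      # quote stays inside the literal
    print(check_query_request("SELECT * WHERE { ?s ?p ?o }"))
    print(check_query_request("INSERT DATA { <a> <b> <c> }"))
    print(check_query_request("SELECT * FROM <http://example.org/g> WHERE { ?s ?p ?o }",
                              frozenset({"http://example.org/g"})))
```

Escaping keeps a value inside its literal, but it does nothing for positions where the value is not a literal (a bare IRI or variable name); those need strict validation against an allowlist pattern instead. The classifier deliberately looks only at the leading keyword after the prologue, which is enough to keep an Update off the Query endpoint when the server does not already separate them by URL or content type.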

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 AndyS