Telegram Bot with Injection Vulnerability#
This project demonstrates a simple Telegram bot implemented in Python using the python-telegram-bot library. The bot includes a vulnerability in the echo function, which evaluates any received text input, potentially leading to code injection attacks.
Running the Project#
Follow these steps to run the project locally:
Clone the repository:
git clone https://github.com/fguisso/python-injectionInstall the necessary dependencies:
pip install python-telegram-botObtain a Telegram Bot Token:
- Start a conversation with BotFather on Telegram. You can find it by searching for “@BotFather” in the Telegram search bar or clicking here.
- Send the
/newbotcommand to start the process of creating a new bot. - Follow the instructions to choose a name and username for your bot.
- After creating the bot, BotFather will provide a token. Copy this token.
Set the Bot Token as an Environment Variable:
export TOKEN_TELEGRAM="your_bot_token_here"Run the Python script:
python main.pyInteract with the bot on Telegram.
Bot Functionality#
The bot is configured to receive messages containing mathematical operations as input. These operations are solved in the echo command, which returns the result of the operation as a response.
For example, when sending the message 2 + 2 to the bot, it will return 4. This can be useful for performing simple calculations directly on Telegram.
Explanation of the Vulnerability#
Injection vulnerabilities are among the main concerns in web application security. According to the OWASP Top 10, code injection (such as SQL injection, XSS, Command Injection, and others) is one of the main threats to application security.
In the context of this bot, the injection vulnerability occurs in the echo function, which uses the eval function to evaluate any received text input. This allows potential attackers to execute arbitrary code by sending malicious input. Exploits are malicious codes used to attack systems, and in this scenario, here are some examples of exploits you can send to your bot that will be executed on the machine where your bot is running:
| Message to the bot | Exploit result |
|---|---|
os.getenv("TOKEN_TELEGRAM") | Access to environment variables |
os.system("rm -rf /") | Execution of operating system commands, in this case, rm will delete all system files. |
import malicious_module | Importing malicious modules |
__import__("malicious_module").malicious_function() | Execution of malicious code. |
Users are encouraged to test these exploits on their own bot and observe the results. However, be careful when using exploits, as they can cause damage to the system.