$(eval) + $(query) allows code injection attempts, since variable names in the system are only received by temporary changes through some kind of quotes (', “, `). One of the possible protections against commands starting with ‘/’, ‘+’, ‘!’ or ‘.’ would be ‘replace,’ but it’s also useless in these cases, since the ‘query’ variable is converted before ‘replace’ is applied, allowing code manipulation during conversion. So, you might think, “Just type something before eval,” and this actually prevents bot or Twitch commands, which can only be used at the beginning of the sentence. But what about those that aren’t at the beginning?
For example, in the Brazilian community, there are many commands that begin with ‘+’ and ‘-’, such as ‘+b user,’ ‘-b user,’ ‘+k,’ ‘+p,’ ‘+s,’ ‘-s,’ and countless others for standard actions like ban, unban, timeout, purge, sub mode, suboff, etc. To avoid creating regex, most channels use them as “keywords” that can be found anywhere in a moderator’s sentence to activate them. This makes them usable in bots that usually require an exclamation mark before the command.
Example of problem:
!addcom !supposedly catJAM $(eval var word = “supposedly”; var phrase = “$(query)”.replace(/[^a-zA-Z0-9]/g, word); phrase;)
This command causes the word “supposedly” to insert each space or sentence symbol.
!supposedly I have a cat!
Nightbot: catJAM I supposedly have supposedly a supposedly cat supposedly
!supposedly +b twitch”; "I have a cat!
Nightbot: catJAM +b twitch
Twitch has been banned.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.