devadathanmb / ktu-bot

A telegram bot to view KTU exam results and notifications easily.
https://t.me/ktu_results_bot
GNU General Public License v3.0
48 stars 6 forks source link

Bot is not responsding #11

Open Adwaith-Rajesh opened 3 months ago

Adwaith-Rajesh commented 3 months ago

image

devadathanmb commented 3 months ago

There seems to be some very rare corner case which is not handled properly and the bot process exits with a error status code. Weirdly enough, the container doesn't restart despite --restart=always being set.

I've wrote a simple cron to restart terminated container as a hack for now and hopefully it works.

That said, this project is getting very hard to maintain at this point. They seem to be even doing some form of IP blacklisting, throwing 401 for any requests made from the bot/VPS to the API.

Changed the IP now and it works but not sure how long this could survive. Will need to bring in rotating proxies and all if this keeps on happening.

sulthanshanid commented 3 months ago

What about captcha bypass localserver you used .will bot work without it (if i hosted) i think you should include bypass code in this bot file instead of calling to another localhost server getting X-Token .i have provided a python code taken from reacted used for generting X-Token .i reccomend you modify getToken to do this task instaed of calling localhost bypassing server ----------------reacted----------

devadathanmb commented 3 months ago

@sulthanshanid It's using the exact same bypass you posted above. Just that I turned the script into a flask service because that felt simply easier.

I can make that flask script open source as well. But then more people are going to find about it, use it and eventually KTU will also figure it out and do something again to kill third party.

It's clear that they are not happy about the bot existing. And I don't have much time to work on this project now either.

sulthanshanid commented 3 months ago

@devadathanmb, I really appreciate your contribution to this project. I am very impressed by your quick fixes and features. As you mentioned, KTU is trying all methods to limit API usage. I think you should not disclose the bypass, and I will also remove the comment above. I believe you are not earning for your hard work. I suggest you use the donate button in every bot message or implement a forced channel join button for every /start (similar to the Films bot). You could then sell that channel and make money.

Adwaith-Rajesh commented 3 months ago

really wish KTU had an open API for its students to mess with.

should I close this issue?

AthulNoobie commented 3 weeks ago

@devadathanmb @sulthanshanid I need that Bypass script to obtain X-Token.

Currently I'm building a KTU website clone to prank my friends with fake results(check my profile for proof). So I need this API to display published results.

I created a flask app as a proxy instead of direct api requests from my web app(To avoid CORS restrictions).

Also I am planning to host this flask app in Vercel, which is a serverless environment for hosting apps. Vercel provides dynamically changing IP addresses in each HTTPS request. So they can't black list my proxy app.

So I need the X-Token header.

😃 I will not disclose the script anywhere. It will be in my proxy app's hosting platform. So no one gets it.

Did you decode it using the PyPasser library or something like that?

devadathanmb commented 3 weeks ago

@AthulNoobie I can share the Flask script with you, though I don't think it works anymore. KTU seems to have caught on and made some changes, so now the token generated by the exploit doesn’t match the actual token length.

I did some digging on one Sunday night and looked into their CAPTCHA generation script embedded in the frontend. I managed to bypass it by calling the token generation function directly from the browser console and then using that token in the header to get the results. The catch is that this approach needs a headless browser instance just to keep generating tokens.

It’s still very much bypassable with enough tricks, but right now I don’t have the compute resources or time to keep it running.

Also, I’ve noticed the CAPTCHA limit keeps getting maxed out almost every week, and the whole website just starts throwing 401 errors, lmao. KTU has really overcomplicated things. They seem to think adding hidden CAPTCHA will prevent reverse engineering, but as long as an API is exposed, it's always bypassable with the right workarounds.

As I mentioned, I don’t have much time to maintain this right now. If you think I can help further, DM me on Discord or drop me an email!

sulthanshanid commented 3 weeks ago

@devadathanmb you are correct .interestly i have also found another bypass .i have also made a bot using this method https://t.me/kturesultbot . i will explain what i did in a private conversation .emailme on shanidsulthan@gmail.com @AthulNoobie you can also if you need this

AthulNoobie commented 3 weeks ago

@sulthanshanid I sent a mail.

AthulNoobie commented 3 weeks ago

@devadathanmb Yeah I saw that script. I think there is a possibility to bypass it.

A POST request to this link with the site key will return the script:

https://api.ktu.edu.in/ktu-web-service/anon/get?key=v3

Response format:{"key":"6LdP8kkqAAAAAD-S1W6Ano7Xj28WUPZZwuqkyuIn","script":}

So I guess, then we can use that script to bypass X-Token automatically using codes. Is it possible?

devadathanmb commented 3 weeks ago

@devadathanmb Yeah I saw that script. I think there is a possibility to bypass it.

A POST request to this link with the site key will return the script:

https://api.ktu.edu.in/ktu-web-service/anon/get?key=v3

Response format:{"key":"6LdP8kkqAAAAAD-S1W6Ano7Xj28WUPZZwuqkyuIn","script":}

So I guess, then we can use that script to bypass X-Token automatically using codes. Is it possible?

That's the Google recaptcha script I believe. It requires a browser runtime to execute. I'm not even sure why this API call exists in the first place lmao. Looks like some really messy hack.

AthulNoobie commented 3 weeks ago

@devadathanmb @sulthanshanid Hello Hello Hello! KTU removed the X-Token header from their api.

Now I can access it without X-Token. Also the X-Token generator reCaptcha link disappeared from their site.

I don't know this is a permanent or temporary change. It may change tomorrow. So here is a screenshot 👇

The X-Token is blank here 👇

17306613608055010527482414236496

devadathanmb commented 3 weeks ago

@devadathanmb @sulthanshanid Hello Hello Hello! KTU removed the X-Token header from their api. Now I can access it without X-Token. Also the X-Token generator reCaptcha link disappeared from their site.

I don't know this is a permanent or temporary change. It maybe change tomorrow. So here is a screenshot 👇

17306613608055010527482414236496

Yeah, it's just a temporary change. They’ve been doing this for a while now—removing all the recaptcha stuff temporarily, then adding it back again. I’ve noticed this pattern for some time.

At first, I also thought they had removed it entirely, so, since it wasn’t much effort, I took out the recaptcha interceptor from the bot, thinking it would work on its own. But the next day, recaptcha calls were back on the website.

I have no idea why they're doing this. It seems like they keep rolling back and forth between versions with and without the recaptcha.

Like I mentioned above, they were maxing out on recaptcha tokens almost every week, which completely broke the website for several days. I assume it’s still happening and that’s why this whole getKey API call setup exists.

Honestly, it seems like they’re suffering from their own engineering. I still don’t get why they decided to add recaptcha to the APIs.

AthulNoobie commented 2 weeks ago

I thought their 12 months free trial of google cloud and captcha api expired lol.💀😂.

So I think storing it in my proxy server when it is available will be a nice approach, isn't it? Like this:

data=dict()
if response.status_code==200:
      data=response.get_json()

display_in_website(data)

So the data gets updated when the API is available, else it will return the previously stored data.

devadathanmb commented 2 weeks ago

I thought their 12 months free trial of google cloud and captcha api expired lol.💀😂.

So I think storing it in my proxy server when it is available will be a nice approach, isn't it? Like this:

data=dict()
if response.status_code==200:
      data=response.get_json()

display_in_website(data)

So the data gets updated when the API is available, else it will return the previously stored data.

Yes. You could do that. A better approach would be to run a cron to keep caching your data object.

There are free services available that allow you to make HTTP requests to services on a timely basis. Setup any of those.