Building a Discord Bot for ChatOps, Pentesting or Server Automation (Part 4)
In this step-by-step tutorial we will create a fully functional bot from scratch, in which you can execute any command or CLI program you like on your server, or integrate with any API you have access to, for example Jira. This is part #4 of the series.
You can find the explanation of the Discord setup in Part #3 of this series here:
Prerequisites
- A Discord client: web, desktop app or mobile app
- A Discord server. You can create one inside your Discord client of choice
- A Discord bot configured and added to the server
- The bot token
- A code editor of your choice. If you don’t have one, use Visual Studio Code
- Some programming knowledge
- Python 3 and the pip module installed on your machine
Part #4: Securing & sanitizing the commands
Validating the Guild
We want to add some degree of security to our bot. First, we want it to work only in our guild (the server), so we need to know its ID.
Steps:
- In Discord, go to the left sidebar, the one with the circles representing the servers
- Right-click your server
- Select “Copy ID”.
Edit the “.env” file that we created in the first parts and add the ID to the constant “DISCORD_GUILD_ID”
For the code, we will create a decorator named “is_in_guild” that compares our constant with the guild ID sent by the server for each command.
If they don’t match, we will receive this message indicating that the server in which the bot is executed is not the same as the one declared in our “.env” constant.
Validating the User
If we want only ourselves, or some specific user, to be able to run certain commands, we can create a new decorator that checks which user sent the command to the bot.
To find our own user ID in Discord, right-click our name in the right panel and click “Copy ID”.
Let’s add this ID to our “.env” file as a constant named “DISCORD_OWNER_ID”.
Now in the code we create another decorator called “is_owner” that compares the constant with the user invoking the command.
If the user invoking the bot command is not the one in the constant, the bot returns an error and won’t execute the command.
Sanitize
Whenever we run a command whose output is ANSI-colored, the response will sometimes be illegible. For example, when writing the command “!exec some_cli_app_that_outputs_ansi” (in my case I use Sublist3r), the escape codes end up in the Discord message.
For that reason we have to sanitize the output and strip those extra characters.
Now the output will be cleaner if we execute the previous command again.
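The guild check, the owner check and the ANSI sanitizer described above, as one added example that is not the code from the original post. It assumes the constants are loaded from “.env” into the environment (as in the earlier parts) and that the bot uses discord.py, whose `commands.check` wraps the predicates; the numeric fallback IDs are constructed placeholders, and `guild_allowed`, `user_allowed` and `strip_ansi` are helper names chosen here.

```python
import os
import re

try:
    from discord.ext import commands  # discord.py: commands.check turns a predicate into a decorator
except ImportError:  # lets the predicates and the sanitizer run without discord.py installed
    commands = None

# Values come from the .env file loaded earlier in the series; the defaults are placeholders.
DISCORD_GUILD_ID = int(os.getenv("DISCORD_GUILD_ID", "111111111111111111"))
DISCORD_OWNER_ID = int(os.getenv("DISCORD_OWNER_ID", "222222222222222222"))


def guild_allowed(guild_id, allowed=DISCORD_GUILD_ID):
    """True only when the command came from the configured guild.
    A direct message has no guild, so guild_id is None and the check fails closed."""
    return guild_id is not None and int(guild_id) == int(allowed)


def user_allowed(user_id, owner=DISCORD_OWNER_ID):
    """True only when the invoking user is the owner declared in .env."""
    return int(user_id) == int(owner)


def is_in_guild():
    """Decorator: the command is rejected (CheckFailure) unless ctx.guild matches DISCORD_GUILD_ID."""
    async def predicate(ctx):
        return guild_allowed(ctx.guild.id if ctx.guild else None)
    return commands.check(predicate)


def is_owner():
    """Decorator: the command is rejected unless ctx.author matches DISCORD_OWNER_ID."""
    async def predicate(ctx):
        return user_allowed(ctx.author.id)
    return commands.check(predicate)


# CSI sequences (colors, cursor movement) plus two-character ESC sequences.
ANSI_ESCAPE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b[@-Z\\-_]")


def strip_ansi(text):
    """Remove ANSI escape codes so tool output (e.g. Sublist3r) is readable in Discord."""
    return ANSI_ESCAPE.sub("", text)
```

Stack the decorators under `@bot.command()` (first `@is_in_guild()`, then `@is_owner()`) and pass the subprocess output through `strip_ansi` before sending it back to the channel.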
Chaining commands
Chaining commands is achieved by piping the output of one process into the input of the next one. For example, in this case I want to imitate this command:
I’m using aquatone, a tool for visual inspection of websites that scans sites and takes screenshots of what it sees. The screenshots are saved in a directory from which Nginx serves its files. The Nginx server runs on the same machine as the bot for easy access.
Let’s write “!aquatone https://example.com”
Now the aquatone output will be available at the URL “http://<server-ip>:<server-port>/aquatone/example.com/”
We are all set for this step. In Part #5 we will deploy our bot to a cloud server.
Note:
If you encounter typos or something doesn’t work anymore, write me a comment and I will keep this guide updated. Last update June 24 2020.