Share
## https://sploitus.com/exploit?id=66A1BB6F-647E-5C42-B6F1-C2E8C04FB26C
# new-api Quota Overflow Tool

The new-api tool is designed for detecting and exploiting the quota overflow vulnerability. If you find that your site can exploit this vulnerability, please update NewAPI to the latest version immediately.

## Vulnerability Mechanism

By passing excessively large parameters like `max_completion_tokens`, `n`, and `duration`, the quota calculation `int(float64(tokens) * ratio)` may overflow to a negative value during int64 addition or int32 writing operations. This leads to:

- **Bypass pre-withdrawal checks**: After integer rounding, the pre-withdrawal amount becomes negative or zero, and the checks are skipped.
- **Balance increase**: When the pre-withdrawal amount is negative, the withdrawal becomes a credit.

Affected versions: NewAPI deployments that do not apply the β€œQuotaFromFloat” patch.

## File Description

| File | Purpose |
|----|----------|
| `main.py` | Interactive entry point, where you select the mode and input parameters |
| `detect.py` | Detection mode β€” determines whether the target has a vulnerability; no actual exploitation is performed |
| `exploit.py` | Exploitation mode β€” actually exploits the vulnerability (bypasses pre-withdrawal/balance increase checks) |

## Quick Start

```bash
python main.py
```

Interactive prompt to select the mode and input parameters:

```bash
═══════════════════════════════════════════════
       new-api Quota Overflow Tool
═══════════════════════════════════════════════

   1. Detection mode β€” determines whether the target has a vulnerability
   2. Exploitation mode β€” actually exploits the vulnerability (bypasses pre-withdrawal/balance increase checks)
    0. Exit

    Please select mode [0-2]:
```

## Direct Command Usage

**Detection Mode:**

```bash
python detect.py   [model]
```

**Exploitation Mode:**

```bash
python exploit.py   [model] [rounds]
```

| Parameter | Description | Default Value |
|------------|-----------------|------------------|
| `base_url` | Target URL, e.g., `https://eirouter.com` | β€” |
| `api_key` | API Key | β€” |
| `model` | Model name | `gpt-5.4` |
| `rounds` | Number of repeated attempts (only for exploit) | `1` |

Example:

```bash
python detect.py https://eirouter.com sk-xxxxx gpt-5.4
python exploit.py https://eirouter.com sk-xxxxx gpt-5.4 5
```

## Detection Output Explanation

| Status | Meaning |
|-------|----------|
| βœ… SAFE | The issue has been fixed; the pre-withdrawal amount is always positive |
| ❌ VULN | There is a vulnerability; the pre-withdrawal amount is negative or bypassed |
| ⚠️ WEAK | Some paths are abnormal; it may be exploited |
| πŸ”’ BLOCKED | Parameter validation is blocked; this path is unavailable |

## Fixing Recommendations

Apply the β€œQuotaFromFloat” patch to ensure that the pre-withdrawal amount is never negative. Also, reject excessively large `token` parameters.

## Declaration

This project is intended only for security research and authorized testing purposes. Testing other systems without authorization is illegal.

## Author

Original author: [bzym2](https://github.com/bzym2)