MoBiC-20 Bonus: another Nucleus CAPTCHA bypass

22:56 20.11.2007

Continuing our talk about the last participant of the project: the Nucleus CAPTCHA, which is used on the comment confirmation page. The vulnerable version is Nucleus 3.01 (and previous and possibly later versions).

This CAPTCHA, in addition to the half-automated method, is also vulnerable to the injected-constant CAPTCHA bypass method. I found these Insufficient Anti-automation and SQL Injection holes on 27.10.2007.

In the half-automated method of bypassing the CAPTCHA you need new code and myid values for every post. In the injected-constant CAPTCHA bypass method you use constant values (which are injected via the SQL Injection hole) for every post.

Put the value "1" in the code parameter, and put in the myid parameter a value that makes the CAPTCHA always equal "1":

<input type="hidden" name="code" value="1" />
<input type="hidden" name="myid" value="-1 union select 1,1,1 from nucleus_blog" />
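The reason a constant pair of values works is that the myid parameter reaches the SQL query as text rather than as a bound integer, so a UNION can replace the stored challenge with a row the submitter chose. The following is an added illustration, not Nucleus's own code: it models the flaw with a hypothetical captcha_challenge table in SQLite and places a concatenating check beside a hardened one that binds myid as a parameter, rejects non-numeric ids, compares in constant time and invalidates each challenge after one use (which also closes the replay that the half-automated method relies on). Table and column names, the sample code "k3x9q" and the helper names are all constructed for the example.

```python
import hmac
import sqlite3

# Hypothetical challenge store, constructed for this example (not Nucleus's schema).
SCHEMA = """
CREATE TABLE captcha_challenge (
    id      INTEGER PRIMARY KEY,
    code    TEXT    NOT NULL,
    created INTEGER NOT NULL
);
"""


def make_db():
    """Fresh in-memory database holding one pending challenge (id 7, code 'k3x9q')."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO captcha_challenge VALUES (7, 'k3x9q', 0)")
    return conn


def check_captcha_vulnerable(conn, myid, code):
    """Models the flaw: myid is spliced into the query text, so the submitter
    controls the SQL and can UNION in a row whose code column is a constant."""
    rows = conn.execute(
        f"SELECT id, code, created FROM captcha_challenge WHERE id = {myid}"
    ).fetchall()
    if not rows:
        return False
    # The first row is whatever the (possibly injected) query returned.
    return str(rows[0][1]) == str(code)


def check_captcha_hardened(conn, myid, code):
    """Hardened check: the id is validated and bound as a parameter, the
    comparison is constant-time, and the challenge is consumed on first use."""
    try:
        challenge_id = int(myid)  # anything that is not an integer is rejected
    except (TypeError, ValueError):
        return False
    row = conn.execute(
        "SELECT code FROM captcha_challenge WHERE id = ?", (challenge_id,)
    ).fetchone()
    if row is None:
        return False
    # One-time use: remove the challenge whether or not the answer is right,
    # so the same (myid, code) pair cannot be replayed or brute-forced.
    conn.execute("DELETE FROM captcha_challenge WHERE id = ?", (challenge_id,))
    conn.commit()
    return hmac.compare_digest(row[0].encode(), str(code).encode())


if __name__ == "__main__":
    injected = "-1 union select 1,1,1"  # same shape as the payload above
    db = make_db()
    print("vulnerable, injected constant:", check_captcha_vulnerable(db, injected, "1"))
    print("hardened,   injected constant:", check_captcha_hardened(db, injected, "1"))
    print("hardened,   real answer:      ", check_captcha_hardened(db, "7", "k3x9q"))
    print("hardened,   replayed answer:  ", check_captcha_hardened(db, "7", "k3x9q"))
```

Running it shows the vulnerable check accepting the injected myid with code "1" on every call, while the hardened check rejects the injection outright, accepts the genuine answer once and refuses the replay.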

The injected-constant CAPTCHA bypass method is a totally hardcore and extreme method 8-). It's designed only for totally hardcore guys and gals. If you don't feel hardcore enough, don't use it.

Insufficient Anti-automation:

Nucleus CAPTCHA bypass2.html

Guys, don't overdo it with this CAPTCHA bypass test. This exploit is for educational purposes only. Don't use it for malicious purposes on any Nucleus site.

This is a disclosure of an Insufficient Anti-automation hole (with an SQL Injection in the context of CAPTCHA bypassing). I'll disclose this SQL Injection separately next time, together with another SQL Injection and other holes in Nucleus. Don't use it for anything besides CAPTCHA bypassing, and especially don't use it for malicious purposes.

You need to set up the exploit to test it (set the site's URL and other data).

Moral: always make more secure CAPTCHAs, and make them without SQL Injection holes.
