Archive for the 'MoBiC' category

MoBiC-25: Anti Spam Image CAPTCHA bypass

22:54 25.11.2007

The next participant of the project is Anti Spam Image. It is a captcha plugin for WordPress. The vulnerable version is Anti Spam Image 0.5 (and previous versions).

This is a popular captcha plugin, so there are many sites at risk with this plugin. It is the captcha I'm using at my site :-) (I like finding holes in captchas, even in my own captcha). And I made a new, fixed version 0.6 of the plugin.

This captcha is vulnerable to the session reusing with constant captcha bypass method (and the hole occurs on older versions of PHP, before PHP 4.4.7). I found this Insufficient Anti-automation hole on 21.10.2007.

In the session reusing with constant captcha bypass method, for bypassing you need to use the same securitycode value for every post (during the current session). After you see the first captcha image, you need to turn off images, so the captcha will not be regenerated and you will be using the same code many times.

Insufficient Anti-automation:

Anti Spam Image CAPTCHA bypass.html

This exploit is for educational purposes only. Don't use it for malicious purposes.

You need to set up the exploit to test it (set the site's URL and other data).

Moral: always check the reliability of your captchas.

MoBiC-24: thepoorhouse.org.uk CAPTCHA bypass

22:50 24.11.2007

The next participant of the project is the captcha at thepoorhouse.org.uk, which is used in the comments form at the site.

This is a text logical captcha (it also asks a math question, like the Math Comment Spam Protection plugin) and it is vulnerable to the Content analysis CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 20.10.2007.

For bypassing the captcha you need to use new captcha_response and captcha_token values for every post, which can be achieved by using content analysis. This captcha uses one-time tokens, so you need a new token for every post, and it can be retrieved similarly to the captcha token bypass method. But you also need to answer a new captcha every time, so a new token alone is not enough. It is one of the most reliable text logical captchas (that I have found so far), but it can be bypassed by content analysis.

In the Content analysis CAPTCHA bypass method you retrieve a new token and a new math question for every post. Then the math question is analysed automatically and the result is found. Then the captcha answer and the token are used for bypassing. This method is similar to OCR for graphic captchas, but for text ones it is simpler and more effective.
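Here is an added example of the content analysis step (an illustration written for this edit, not the exploit from the post and not code from thepoorhouse.org.uk). It assumes the question has the form "number operator number" in digits or words, and that the token sits in a hidden captcha_token field; the sample form below is constructed, not captured from the site. The solver goes a little beyond the post: it handles word numbers and several operator spellings, and it refuses anything it cannot parse rather than guessing.

```python
import re
import operator
from typing import Optional

# Number words the solver understands (assumed question vocabulary; the real
# thepoorhouse.org.uk questions are not reproduced on the page).
_WORDS = {
    "zero": 0, "one": 1, "two": 2, "three": 3, "four": 4, "five": 5,
    "six": 6, "seven": 7, "eight": 8, "nine": 9, "ten": 10,
}

# Operator spellings, symbolic and in words. Longer spellings are tried first
# so "multiplied by" is not cut short.
_OPS = {
    "+": operator.add, "plus": operator.add, "added to": operator.add,
    "-": operator.sub, "minus": operator.sub, "take away": operator.sub,
    "*": operator.mul, "times": operator.mul, "multiplied by": operator.mul,
}
_OP_RE = "|".join(re.escape(op) for op in sorted(_OPS, key=len, reverse=True))
_NUM_RE = r"\b(\d+|" + "|".join(_WORDS) + r")\b"
_QUESTION_RE = re.compile(_NUM_RE + r"\s*(" + _OP_RE + r")\s*" + _NUM_RE, re.IGNORECASE)

# Hidden field carrying the one-time token (field name from the post; the
# attribute layout is an assumption).
_TOKEN_RE = re.compile(r'name="captcha_token"\s+value="([^"]+)"')

# Constructed sample of a comment form, standing in for a freshly fetched page.
SAMPLE_FORM = """
<form method="post" action="/comments.php">
  <p>To prove you are not a spambot, what is seven plus 5?</p>
  <input type="hidden" name="captcha_token" value="a3f9c1e2b7d4">
  <input type="text" name="captcha_response">
  <input type="submit" value="Post comment">
</form>
"""


def _to_int(token: str) -> int:
    token = token.lower()
    return int(token) if token.isdigit() else _WORDS[token]


def solve_question(text: str) -> Optional[int]:
    """Content analysis: find 'number op number' in the question and evaluate it.
    No eval(): only the whitelisted operators above are ever applied."""
    m = _QUESTION_RE.search(text)
    if m is None:
        return None
    a, op, b = m.group(1), m.group(2).lower(), m.group(3)
    return _OPS[op](_to_int(a), _to_int(b))


def build_post_fields(page_html: str) -> Optional[dict]:
    """Pull the fresh token and the solved answer out of one fetched page.
    Both are needed for every post because the token is single-use."""
    token = _TOKEN_RE.search(page_html)
    answer = solve_question(page_html)
    if token is None or answer is None:
        return None
    return {"captcha_token": token.group(1), "captcha_response": str(answer)}


if __name__ == "__main__":
    print(build_post_fields(SAMPLE_FORM))
```

Every post goes through build_post_fields() on a page fetched just for that post, which is the whole difference from the replay methods: there is nothing to reuse, so the bypass has to re-solve each time.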

Insufficient Anti-automation:

thepoorhouse.org.uk CAPTCHA bypass.txt

Guys, don't overdo this captcha bypass test. Don't post too much at this site. This exploit is for educational purposes only.

Moral: try to make better captchas.

MoBiC-23 Bonus: XSS in Math Comment Spam Protection

22:54 23.11.2007

Continuing our talk about the last participant of the project, Math Comment Spam Protection. It is a captcha plugin for WordPress. The vulnerable version is Math Comment Spam Protection 2.1 (and previous versions).

This captcha, in addition to Insufficient Anti-automation, is also vulnerable to XSS (like Peter's Random Anti-Spam Image captcha). I found these Cross-Site Scripting holes on 22.11.2007.

There are two XSS holes and they are persistent XSS. The holes are at the plugin options page (http://site/wp-admin/options-general.php?page=math-comment-spam-protection.php) in the parameters mcsp_opt_msg_no_answer and mcsp_opt_msg_wrong_answer. For attacking you need to make a CSRF + XSS attack (for both holes): with CSRF you put the XSS code into the database (by the admin). Then the admin or any visitor of the site who posts a comment with an empty or incorrect captcha value (or whom you trick into doing that) will be attacked.

XSS:

1. Attack on the mcsp_opt_msg_no_answer value.

Math Comment Spam Protection CSRF.html

Math Comment Spam Protection XSS.html

2. Attack on the mcsp_opt_msg_wrong_answer value.

Math Comment Spam Protection CSRF2.html

Math Comment Spam Protection XSS2.html

These exploits are for educational purposes only. Don't use these holes and exploits for malicious purposes.

You need to set up the exploits to test them (set the site's URL and other data).

Moral: always make more secure captchas, and without XSS holes.

MoBiC-23: Math Comment Spam Protection CAPTCHA bypass

20:43 23.11.2007

The next participant of the project is Math Comment Spam Protection. It is a captcha plugin for WordPress. The vulnerable version is Math Comment Spam Protection 2.1 (and previous versions).

Statistics at wordpress.org say that this plugin has been downloaded 1776 times. Taking into account that this plugin can also be downloaded from other sources, the total number of downloads, and of sites which use this plugin, is much larger. So there are many thousands of sites at risk with this plugin.

This is a text logical captcha and it is vulnerable to the MustLive CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 21.10.2007 (at tehposse.org; yesterday I tested the plugin itself).

For bypassing the captcha you need to use the same mcspvalue and mcspinfo values many times (for every post). This is the classic MustLive CAPTCHA bypass method, which easily bypasses text logical captchas.

Insufficient Anti-automation:

Math Comment Spam Protection CAPTCHA bypass.html

This exploit is for educational purposes only.

You need to set up the exploit to test it (set the site's URL and other data). If you want to test it immediately, here is an online example.

I found this hole at tehposse.org, which is using the Math Comment Spam Protection plugin (the admin only changed the form's field names from mcspvalue and mcspinfo to mscpvalue and mscpinfo).

Insufficient Anti-automation:

tehposse.org CAPTCHA bypass.html

Guys, don't overdo this captcha bypass test. Don't post too much at this site. This exploit is for educational purposes only.

Moral: never make such unreliable captchas.

P.S.

I have also prepared other vulnerabilities in Math Comment Spam Protection. So wait for today's bonus post ;-).

MoBiC-22: peterhost.ru CAPTCHA bypass

22:51 22.11.2007

The next participant of the project is the captcha at peterhost.ru, which is used in the comments form in articles at the site.

This is a text captcha and it is vulnerable to the MustLive CAPTCHA bypass method. Most interesting, the hole is in an article about protection from DoS attacks. I found this Insufficient Anti-automation hole on 24.10.2007.

For bypassing the captcha you need to use the same id and Numba values many times (for every post). This is the classic MustLive CAPTCHA bypass method, which easily bypasses text captchas.

Insufficient Anti-automation:

peterhost.ru CAPTCHA bypass.html

Guys, don't overdo this captcha bypass test. Don't post too much at this site. This exploit is for educational purposes only.

Moral: never make such insecure captchas.

MoBiC-21: AIP CAPTCHA bypass

22:41 21.11.2007

The next participant of the project is the AIP captcha. It is Auto-Input Protection (AIP) for ASP.NET. This captcha plugin is used at some number of sites, and all of them are at risk with this insecure captcha.

This captcha plugin is vulnerable to the Advanced MustLive CAPTCHA bypass method. In the current example the plugin is used at a contact me page. I found this Insufficient Anti-automation hole on 30.10.2007.

In the Advanced MustLive CAPTCHA bypass method you need to use the same ctl00$Main$aip$input value for every post. And because sites with AIP are using ASP.NET, you also need to bypass the (built-in) CSRF protection. For this you can use the same __VIEWSTATE and __EVENTVALIDATION values.
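An added simulation of why the same pair of field values keeps working, covering this post and also MoBiC-22 (id and Numba) and MoBiC-23 (mcspvalue and mcspinfo). It is not code from AIP or from the other captchas, and the way the server-side "info" field is built (an HMAC of the answer) is an assumption; the point is that the vulnerable check is stateless, so the server has no way to know it has already seen the pair. ASP.NET's __VIEWSTATE and __EVENTVALIDATION are, by default, MAC-checked page state of the same kind, which is why replaying them together with the captcha input works as described above.

```python
import hashlib
import hmac
import secrets
import time

# Server-side key for the "info" field. The real construction of mcspinfo or
# of AIP's state is not on the page; an HMAC of the answer is an assumed stand-in.
_SECRET = secrets.token_bytes(32)

# --- Vulnerable design: the server keeps no state, the form carries everything ---

def issue_stateless():
    """Return (question, info). 'info' lets the server re-check the answer later
    without remembering anything, which is exactly the problem."""
    a, b = secrets.randbelow(10), secrets.randbelow(10)
    info = hmac.new(_SECRET, str(a + b).encode(), hashlib.sha256).hexdigest()
    return f"{a} + {b}", info


def verify_stateless(value: str, info: str) -> bool:
    """Any (value, info) pair that was ever valid stays valid forever."""
    expected = hmac.new(_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, info)


# --- Fixed design: server-side nonce, single use, short expiry ---

_issued = {}  # nonce -> (answer, expires_at)


def issue_nonce(ttl: float = 300.0):
    a, b = secrets.randbelow(10), secrets.randbelow(10)
    nonce = secrets.token_hex(16)
    _issued[nonce] = (str(a + b), time.time() + ttl)
    return f"{a} + {b}", nonce


def verify_nonce(value: str, nonce: str) -> bool:
    """pop() consumes the nonce on the first attempt, right or wrong."""
    entry = _issued.pop(nonce, None)
    if entry is None:
        return False
    answer, expires_at = entry
    return time.time() < expires_at and hmac.compare_digest(value, answer)


def _solve(question: str) -> str:
    """Stand-in for the human solving the question once."""
    a, b = question.split(" + ")
    return str(int(a) + int(b))


def replay(issue, verify, posts: int = 10) -> int:
    """Attacker: fetch the form once, solve it once, then resend the same two
    field values with every post. Returns how many posts get through."""
    question, token = issue()
    value = _solve(question)
    return sum(1 for _ in range(posts) if verify(value, token))


if __name__ == "__main__":
    print("stateless:", replay(issue_stateless, verify_stateless))
    print("nonce:", replay(issue_nonce, verify_nonce))
```

The MAC in the vulnerable variant is not the bug: it correctly proves the server produced the pair. What it cannot prove is that the pair has not been used before, and only server-side state (the nonce table) can do that.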

Insufficient Anti-automation:

AIP CAPTCHA bypass.html

This exploit is for educational purposes only.

You need to set up the exploit to test it (set the site's URL and other data). If you want to test it immediately, here is an online example.

I found this hole at adamcooper.com, which is using the AIP captcha.

Insufficient Anti-automation:

adamcooper.com CAPTCHA bypass.html

Guys, don't overdo this captcha bypass test. This exploit is for educational purposes only.

Moral: never make such unreliable captchas.

MoBiC-20 Bonus: another Nucleus CAPTCHA bypass

22:56 20.11.2007

Continuing our talk about the last participant of the project, the Nucleus captcha, which is used at the comment confirmation page. The vulnerable version is Nucleus 3.01 (and previous and possibly later versions).

This captcha, in addition to the half-automated method, is also vulnerable to the injected constant captcha bypass method. I found these Insufficient Anti-automation and SQL Injection holes on 27.10.2007.

Whereas in the half-automated method for bypassing the captcha you need to use new code and myid values for every post, in the injected constant captcha bypass method you need to use constant values (which are injected via the SQL Injection hole) for every post.

Put the value "1" in the code parameter, and put in the myid parameter a value which makes the captcha always equal "1":

<input type="hidden" name="code" value="1" />
<input type="hidden" name="myid" value="-1 union select 1,1,1 from nucleus_blog" />

The injected constant captcha bypass method is a totally hardcore and extreme method 8-). It's designed only for totally hardcore guys and gals. If you don't feel hardcore enough, don't use it.
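An added example of the injected constant method against a toy SQLite database (an illustration for this edit, not Nucleus code; the captcha and nucleus_blog tables here are invented stand-ins with guessed columns). It shows why the payload above makes the stored code equal 1, and what the parameterised version of the same check does with it.

```python
import sqlite3

# The payload from the post, unchanged.
INJECTED_MYID = "-1 union select 1,1,1 from nucleus_blog"


def make_db() -> sqlite3.Connection:
    """Toy schema (assumed, not Nucleus's real one): one stored captcha row and a
    nucleus_blog table for the union to select from."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE captcha (id INTEGER PRIMARY KEY, code TEXT NOT NULL, created INTEGER NOT NULL)")
    db.execute("INSERT INTO captcha VALUES (7, 'K4P2X', 0)")
    db.execute("CREATE TABLE nucleus_blog (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO nucleus_blog VALUES (1, 'demo')")
    return db


def check_vulnerable(db: sqlite3.Connection, myid: str, code: str) -> bool:
    """myid is pasted straight into the SQL, so the client decides which row comes
    back. With the payload the row is (1, 1, 1), and the 'stored' code becomes 1:
    the captcha is now a constant the attacker chose."""
    sql = f"SELECT id, code, created FROM captcha WHERE id = {myid}"
    row = db.execute(sql).fetchone()
    return row is not None and str(row[1]) == code


def check_fixed(db: sqlite3.Connection, myid: str, code: str) -> bool:
    """Insist that myid is an integer and bind it as a parameter; the union text
    never reaches the SQL engine as SQL."""
    try:
        id_int = int(myid)
    except ValueError:
        return False
    row = db.execute("SELECT code FROM captcha WHERE id = ?", (id_int,)).fetchone()
    return row is not None and row[0] == code


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:", check_vulnerable(db, INJECTED_MYID, "1"))
    print("fixed, injected:", check_fixed(db, INJECTED_MYID, "1"))
```

The union has to return the same number of columns as the original SELECT (three here), which is why the payload is "1,1,1" and not a single "1".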

Insufficient Anti-automation:

Nucleus CAPTCHA bypass2.html

Guys, don't overdo this captcha bypass test. This exploit is for educational purposes only. Don't use it for malicious purposes at any site on Nucleus.

This is the disclosure of the Insufficient Anti-automation hole (with the SQL Injection in the context of captcha bypassing). I'll disclose this SQL Injection separately next time, together with another SQL Injection and other holes in Nucleus. Don't use it for anything besides captcha bypassing, and especially don't use it for malicious purposes.

You need to set up the exploit to test it (set the site's URL and other data).

Moral: always make more secure captchas, and without SQL Injection holes.

MoBiC-20: Nucleus CAPTCHA bypass

20:41 20.11.2007

The next participant of the project is the Nucleus captcha, which is used at the comment confirmation page. The vulnerable version is Nucleus 3.01 (and previous and possibly later versions).

As Google says, there are up to 2170000 sites on the Internet on this engine. Including all those sites which use Nucleus but have no "Powered by Nucleus" sign, there are potentially millions more sites at risk with this insecure captcha.

This captcha is vulnerable to the half-automated method (I'll write about another, faster method in the bonus post). It is one of the Advanced MustLive CAPTCHA bypass methods. I found this Insufficient Anti-automation hole on 16.08.2007.

In the half-automated method you need to prepare captcha image-code pairs beforehand (because of the one-time captcha images). For bypassing you need to use new code and myid values for every post. It's not fully automated, but it's still a half-automated bypass (without using OCR, only using vulnerabilities in the captcha directly). Those who don't want to do the work themselves can use cheap labour to prepare the image-code pairs, or use OCR software (even without real-time recognition). This method still allows personal captcha bypassing without additional resources (labour or OCR), though.
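An added simulation of the half-automated method (not Nucleus code; the store, the session handling and the field names are assumptions). The vulnerable store deletes each (myid, code) pair when it is checked, so the pairs really are one-time, but nothing binds a pair to the visitor who requested it or to a time window, so pairs harvested in advance can be spent one per post. The fixed store keeps a single pending challenge per session, replaced on every new image, so harvesting leaves at most one redeemable pair, and the first wrong attempt burns even that.

```python
import secrets
import string
import time


def _random_code(length: int = 5) -> str:
    return "".join(secrets.choice(string.digits) for _ in range(length))


class VulnerableStore:
    """One-time image captcha: every image gets a myid and a code, and the pair is
    deleted when checked. Nothing ties the pair to the visitor who requested it."""

    def __init__(self):
        self.pending = {}  # myid -> code

    def new_captcha(self, session_id: str):
        myid, code = secrets.token_hex(8), _random_code()
        self.pending[myid] = code
        return myid, code  # 'code' stands in for the image a human would read

    def verify(self, session_id: str, myid: str, code: str) -> bool:
        stored = self.pending.pop(myid, None)  # one-time, but spendable from any session
        return stored is not None and stored == code


class FixedStore:
    """One pending challenge per session, replaced on every new image, with expiry.
    An attempt (right or wrong) consumes it."""

    def __init__(self, ttl: float = 300.0):
        self.pending = {}  # session_id -> (myid, code, expires_at)
        self.ttl = ttl

    def new_captcha(self, session_id: str):
        myid, code = secrets.token_hex(8), _random_code()
        self.pending[session_id] = (myid, code, time.time() + self.ttl)
        return myid, code

    def verify(self, session_id: str, myid: str, code: str) -> bool:
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return False
        want_id, want_code, expires_at = entry
        return (time.time() < expires_at and myid == want_id
                and secrets.compare_digest(code.encode(), want_code.encode()))


def harvest(store, count: int, session_id: str = "harvest"):
    """Phase 1, done beforehand: request images and solve them (by hand, cheap labour or OCR)."""
    return [store.new_captcha(session_id) for _ in range(count)]


def spend(store, pairs, session_id: str = "poster") -> int:
    """Phase 2, the automated part: one fresh (myid, code) pair per post. Returns posts accepted."""
    return sum(1 for myid, code in pairs if store.verify(session_id, myid, code))


def simulate(store_cls, harvest_session: str, post_session: str, count: int = 10) -> int:
    store = store_cls()
    return spend(store, harvest(store, count, harvest_session), post_session)


if __name__ == "__main__":
    print("vulnerable, harvested from another session:", simulate(VulnerableStore, "a", "b"))
    print("fixed, harvested from the same session:", simulate(FixedStore, "a", "a"))
    print("fixed, single legitimate solve:", simulate(FixedStore, "a", "a", count=1))
```

Deleting a pair after use is necessary but not sufficient: the check also has to ask "is this the challenge I gave this visitor, recently?", which is what the session binding and the expiry add.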

Insufficient Anti-automation:

Nucleus CAPTCHA bypass.html

This exploit is for educational purposes only. Don't use it for malicious purposes at any site on Nucleus.

You need to set up the exploit to test it (set the site's URL and other data).

Moral: try to make more secure captchas.

P.S.

I have also prepared another vulnerability in Nucleus. So wait for today's bonus post ;-).

MoBiC-19: HBH-Fusion CAPTCHA bypass

22:52 19.11.2007

The next participant of the project is the HBH-Fusion captcha, which is used at the registration page. I found this hole at www.hellboundhackers.org. It's a hackers' site and it needs a more reliable captcha.

This captcha is vulnerable to the session reusing with constant captcha bypass method. I found this Insufficient Anti-automation hole on 27.07.2007.

In the session reusing with constant captcha bypass method, for bypassing you need to use the same user_code value for every post (during the current session). After you see the first captcha image and set it in the exploit, you must not refresh the page with the captcha, so it will not be regenerated and you will be using the same code many times.

This hole is similar to MoBiC-18: PHP-Fusion CAPTCHA bypass, because HBH-Fusion is a modification of PHP-Fusion. But in this case I made a perl exploit. First I made an html version of the exploit, but when I retested the hole in October I found that these guys had added anti-CSRF protection (which does not help them in this case). So in the end I made a perl version of the exploit, for bypassing the captcha and the anti-CSRF protection.

Insufficient Anti-automation:

HBH-Fusion CAPTCHA bypass.txt

Guys, don't overdo this captcha bypass test. This exploit is for educational purposes only.

Moral: never make such insecure captchas.

MoBiC-18: PHP-Fusion CAPTCHA bypass

22:57 18.11.2007

The next participant of the project is the PHP-Fusion captcha, which is used at the registration page.

As Google says, there are up to 1740000 sites on the Internet on this engine. Including all those sites which use PHP-Fusion but have no "Powered by PHP-Fusion" sign, there are potentially millions more sites at risk with this insecure captcha (with the "powered by PHP-Fusion" query there are up to 2340000 sites).

This captcha is vulnerable to the session reusing with constant captcha bypass method. I found this Insufficient Anti-automation hole on 20.10.2007.

In the session reusing with constant captcha bypass method, for bypassing you need to use the same user_code value for every post (during the current session). After you see the first captcha image and set it in the exploit, you must not refresh the page with the captcha, so it will not be regenerated and you will be using the same code many times.
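An added simulation of the session reusing with constant captcha bypass method, covering this post and also MoBiC-19 (HBH-Fusion) and MoBiC-25 (Anti Spam Image). It is an illustration for this edit, not code from any of those projects; the session layout and the handler names are assumptions. The code is regenerated only when the image is requested, so an exploit that never requests the image again (images turned off, no page refresh) keeps posting with the one code it knows.

```python
import secrets
import string

_ALPHABET = string.ascii_uppercase + string.digits


def captcha_image(session: dict) -> str:
    """The image handler: every request draws a new code and stores it in the
    session. The returned string stands in for the rendered image."""
    session["captcha_code"] = "".join(secrets.choice(_ALPHABET) for _ in range(5))
    return session["captcha_code"]


def verify_vulnerable(session: dict, user_code: str) -> bool:
    """Compares against the session value but never clears it, so the value keeps
    working until the browser asks for another image."""
    stored = session.get("captcha_code")
    return stored is not None and user_code == stored


def verify_fixed(session: dict, user_code: str) -> bool:
    """Pop the code: whatever the outcome, the next post must fetch a fresh image."""
    stored = session.pop("captcha_code", None)
    return stored is not None and secrets.compare_digest(user_code.encode(), stored.encode())


def replay(verify, posts: int = 10) -> int:
    """Attacker flow from the post: load the form and image once, read the code,
    then post repeatedly without ever hitting captcha_image() again."""
    session = {}
    code = captcha_image(session)
    return sum(1 for _ in range(posts) if verify(session, code))


def replay_with_refresh(verify, posts: int = 10) -> int:
    """What happens if the exploit (or a browser with images on) reloads the image
    between posts: the session code changes and the remembered code stops working."""
    session = {}
    code = captcha_image(session)
    accepted = 0
    for _ in range(posts):
        accepted += verify(session, code)
        captcha_image(session)  # a regenerated image invalidates the remembered code
    return accepted


if __name__ == "__main__":
    print("vulnerable, images off:", replay(verify_vulnerable))
    print("vulnerable, image reloaded each time:", replay_with_refresh(verify_vulnerable))
    print("fixed, images off:", replay(verify_fixed))
```

The anti-CSRF token HBH-Fusion added sits in the same session and is not consumed either, which is why it could be replayed alongside user_code; the fix is the same for both values: consume on use.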

Insufficient Anti-automation:

PHP-Fusion CAPTCHA bypass.html

This exploit is for educational purposes only.

It's the html version; you can look at the perl version of a similar exploit. You need to set up the exploit to test it (set the site's URL and other data). If you want to test it immediately, here is an online example.

I found this hole at bloglab.ru, which is using PHP-Fusion.

Insufficient Anti-automation:

bloglab.ru CAPTCHA bypass.html

Guys, don't overdo this captcha bypass test. This exploit is for educational purposes only.

Moral: never make such unreliable captchas.