Archive for the 'MoBiC' category

MoBiC-10 Bonus: another PHP-Nuke CAPTCHA bypass

22:54 10.11.2007

Continuing our discussion of the project's latest participant, the PHP-Nuke captcha, which is used on the User Registration form (and also on the Login form). Like the previous one, I also found this hole at phpnuke.org. The vulnerable version is PHP-Nuke 8.1 (the latest) and all previous versions.

In addition to the MustLive CAPTCHA bypass method, this captcha is also vulnerable to the null string bypass method. I found this Insufficient Anti-automation hole on 21.10.2007.

Where the MustLive CAPTCHA bypass method requires you to reuse the same gfx_check and random_num values for every post, the null string bypass method does not use these parameters at all: just send empty strings, or do not send them at all. In other words, the registration goes through without the captcha ever being compared against a real answer.

The null string bypass method is a hardcore method 8-). It is designed only for hardcore guys and gals; if you do not feel hardcore enough, don't use it.

Insufficient Anti-automation:

PHP-Nuke CAPTCHA bypass3.html - bypassing the captcha by the second method and the data confirmation page, and finishing the registration.

Guys, do not overdo it with this Captcha bypass test. This exploit is for educational purposes only. Don't use it for malicious purposes at any site on PHP-Nuke.

You need to set up the exploit to test it (set the site's URL and other data). If you want to test it immediately, here is an online example.

Insufficient Anti-automation:

phpnuke.org CAPTCHA bypass.html

Guys, do not overdo it with this Captcha bypass test. This exploit is for educational purposes only.

Moral: never make such vulnerable captchas.

MoBiC-10: PHP-Nuke CAPTCHA bypass

20:45 10.11.2007

The next participant of the project is the PHP-Nuke captcha, which is used on the User Registration form (and also on the Login form). I found this hole at phpnuke.org (which is using the latest version of the CMS). The vulnerable version is PHP-Nuke 8.1 (the latest) and all previous versions.

According to Google, there are up to 2660000 sites on the Internet running this engine. Counting all the sites that use PHP-Nuke but carry no "Powered by PHP-Nuke" sign, potentially millions more sites are at risk from this insecure captcha (the query "powered by PHP-Nuke" returns up to 3020000 sites).

This captcha is vulnerable to the MustLive CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 21.10.2007.

To bypass the captcha you reuse the same gfx_check and random_num values many times (for every post): one image-code pair, solved once, is accepted again and again.

Insufficient Anti-automation:

PHP-Nuke CAPTCHA bypass.html - bypassing the captcha and getting to the data confirmation page.

PHP-Nuke CAPTCHA bypass2.html - bypassing the captcha and the data confirmation page, and finishing the registration.

Guys, do not overdo it with these Captcha bypass tests. These exploits are for educational purposes only. Don't use them for malicious purposes at any site on PHP-Nuke.

You need to set up the exploits to test them (set the site's URL and other data).

Moral: never make such unreliable captchas.

P.S.

I have also prepared another vulnerability in the PHP-Nuke captcha. So wait for today's bonus post ;-).

MoBiC-09: opennet.ru CAPTCHA bypass

22:41 09.11.2007

The next participant of the project is the captcha at opennet.ru, which is used on the guestbook page of the site. This is a news site with security-related and other news.

This captcha is vulnerable to the Advanced MustLive CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 04.09.2007.

The advanced method consists of the main MustLive CAPTCHA bypass method plus a bypass of the anti-CSRF protection (referer checking). To bypass the captcha you reuse the same ec and sc values many times (for every post). Note that one captcha image does not work for long, so you need new image-code pairs periodically. To bypass the anti-CSRF protection you spoof the Referer header, which is entirely under the client's control.

Insufficient Anti-automation:

opennet.ru CAPTCHA bypass.txt

Guys, do not overdo it with this Captcha bypass test. This exploit is for educational purposes only.

Moral: never make such insecure captchas.

MoBiC-08: logical CAPTCHA bypass

22:49 08.11.2007

The next participant of the project is the logical captcha. This is the type of protection where the user is asked to "check this box" to prove he is not a bot. It is a popular and accessible type of captcha, used at many sites, so a lot of sites are at risk from such captchas.

The first example is wait-till-i.com, where a logical captcha was used. This captcha is vulnerable to the MustLive CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 25.10.2007.

To bypass it you send the parameter "validemail" with the value "d" for every post. This is the classic MustLive CAPTCHA bypass method, which easily bypasses logical captchas: the expected value is a constant, so there is nothing to solve.

Most interesting is that after I informed the admin of the site about the hole in his captcha (I was trying to inform all participants of the MoBiC project, i.e. sites with vulnerable captchas), he removed the captcha from his site :-). This captcha decided to run away from me (it quit ahead of time). You can find this logical captcha in Yahoo's cache (the checkbox "Check this box if you are not a spammer"). Nevertheless the objective was achieved: the lame captcha was hacked to death ;-). So the exploit is for demonstration only, because there is no captcha at all at the site now. The site's owner now needs a new and reliable captcha.

Insufficient Anti-automation:

wait-till-i.com CAPTCHA bypass.html

Guys, do not overdo it with this Captcha bypass test. Do not post too much at this site. This exploit is for educational purposes only.

After the first captcha I decided to find another logical one. The second example is shamanomaly.com with its logical captcha. This captcha is vulnerable to two bypass methods. I found these Insufficient Anti-automation holes on 03.11.2007.

1. MustLive CAPTCHA bypass method.

To bypass it you send the parameter "nonspammer" with the value "1" for every post.

2. JavaScript protection bypass method.

The check is done in client-side JavaScript only, so if you turn off JS (which is normal for bots) you bypass it easily; nothing on the server ever verifies the box.

Insufficient Anti-automation:

shamanomaly.com CAPTCHA bypass.html

Guys, do not overdo it with this Captcha bypass test. This exploit is for educational purposes only.

Moral: never make such unreliable captchas.

MoBiC-07: mt-scode CAPTCHA bypass

22:48 07.11.2007

The next participant of the project is mt-scode. It is a captcha anti-spam plugin for Movable Type (with a port for Drupal). This is a popular plugin used at many sites, so many thousands of sites are at risk from this plugin.

This captcha is vulnerable to the MustLive CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 25.10.2007.

To bypass it you reuse the same code and scode values many times (for every post). This is the classic MustLive CAPTCHA bypass method.

Insufficient Anti-automation:

mt-scode CAPTCHA bypass.html

This exploit is for educational purposes only.

You need to set up the exploit to test it (set the site's URL and other data). If you want to test it immediately, here is an online example.

I found this hole at blogs.nature.com, which is using mt-scode.

Insufficient Anti-automation:

blogs.nature.com CAPTCHA bypass.html

Guys, do not overdo it with this Captcha bypass test. Do not post too much at this site. This exploit is for educational purposes only.

Moral: never make such vulnerable captchas.

MoBiC-06: itua.info CAPTCHA bypass

22:54 06.11.2007

The next participant of the project is the captcha at itua.info, which is used in the subscribe form on every news page of the site.

This captcha is vulnerable to two bypass methods. I found these Insufficient Anti-automation holes on 16.10.2007.

1. Code guessing bypass method.

The captcha has a simple (constant) image generation algorithm: the code on the image is the value of the t parameter minus 111. So it is easy for a program to work out the code needed for the current captcha without ever looking at the image.

2. MustLive CAPTCHA bypass method.

To bypass it you reuse the same skod and iskod values many times (for every post). This is my own CAPTCHA bypass method. Use a new email for every post.

Insufficient Anti-automation:

itua.info CAPTCHA bypass.html

This exploit is for educational purposes only.

Moral: never make such unreliable captchas.

MoBiC-05 Bonus: Google CAPTCHA bypass

22:51 05.11.2007

The next participant of the project is Google's captcha. It is also a star captcha, and it is also a captcha of Google, like the previous one.

This captcha is used on the Add your URL to Google page and it is a hard one, like the previous captcha. It is also vulnerable to the half-automated method (one of the Advanced MustLive CAPTCHA bypass methods). I found this Insufficient Anti-automation hole on 19.08.2007.

At this page you can add a URL without entering the captcha code, so there is no need to spend time on captchas at this page. But this form is also protected by a token, and Google can make the captcha obligatory in the future. In any case, to add URLs you need a new token (id) every time, which can be retrieved automatically. So adding URLs can be fully automated (using the captcha token bypass method).

Insufficient Anti-automation:

Google CAPTCHA bypass.html

You can bypass the captcha using the half-automated method and bypass the anti-CSRF protection by using a new id every time (you can get it automatically with a program, as I showed before).

Insufficient Anti-automation:

Google CAPTCHA bypass2.html

While searching for vulnerable captchas, I also find vulnerabilities in them other than Insufficient Anti-automation, and I'll write about such vulnerabilities (in various captchas). This time it is a redirector hole.

Redirector:

Redirector in Google's captcha

To use the redirector you need a new id every time (to bypass the anti-CSRF protection). You can get a new token automatically with a program, so it is easy to use this hole. I already wrote about redirectors in Google; this is a new one. On one hand, why use this protected redirector when there are many other open redirectors at Google? But it is not so well protected and can be used by bad guys, so it is better to fix this hole.

Moral: try to make more secure captchas and without redirectors.

MoBiC-05: Blogger CAPTCHA bypass

20:45 05.11.2007

The next participant of the project is Blogger's captcha. It is the captcha of a popular blog service from Google, so it is a star captcha. All sites on the Blogger service are at risk from this captcha.

This captcha is used on the Post a Comment page and it is a hard one. I call such captchas hard-breakable (with respect to bypass methods; I am not discussing OCR). But it is still vulnerable to one of the Advanced MustLive CAPTCHA bypass methods, in this case the half-automated method. I found this Insufficient Anti-automation hole on 19.08.2007.

In the half-automated method you prepare captcha image-code pairs beforehand (because the captcha images are one-time). Put them into a text file for later use by a program that sends the data automatically while bypassing the captcha. So you use the captchaKey and captchaAnswer parameters (solved manually) to bypass the captcha, and the securityToken parameter to bypass the anti-CSRF protection (you can use the same value several times, and you can download new values automatically with a program, similar to the previous captcha). For every post you need a new captchaKey and captchaAnswer pair. It is not fully automated, but it is still a half-automated bypass (without using OCR, using only the vulnerabilities in the captcha directly).
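Here is what the half-automated poster described in this post looks like as working code; it also covers the opennet.ru case from MoBiC-09, where the image-code pairs stop working after a while and the Referer must be spoofed, and the automatic token fetching mentioned in the MoBiC-05 bonus post. This is an added editorial example, not one of the exploit files linked in these posts: the pairs-file format, the form HTML, the target URL and the comment text are constructed for illustration, and only the parameter names captchaKey, captchaAnswer and securityToken come from the post. It assembles requests and never sends them.

```python
"""Added example: the structure of a half-automated captcha poster.
Pairs file, HTML snippet, URLs and field contents are constructed;
only the parameter names are taken from the MoBiC posts."""
import re
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed pairs file: one manually solved captcha per line, "key answer".
PAIRS_FILE = """\
# captchaKey captchaAnswer (solved by hand beforehand)
ak3f9 hovrt
b7q21 plexa
c0m5z nnaqd
"""

# Constructed comment-form HTML; the real page markup is not shown in the post.
FORM_HTML = '<form><input type="hidden" name="securityToken" value="tok_42abc" /></form>'


@dataclass
class SolvedPair:
    key: str
    answer: str
    solved_at: float


@dataclass
class PairPool:
    """Queue of pre-solved image-code pairs. One-time images (Blogger) are
    used once each; where a pair only stays valid for a while (opennet.ru),
    ttl drops stale pairs so the operator knows to solve new ones."""
    pairs: List[SolvedPair] = field(default_factory=list)
    ttl: Optional[float] = None

    @classmethod
    def load(cls, text: str, ttl: Optional[float] = None, now: Optional[float] = None):
        now = time.time() if now is None else now
        pool = cls(ttl=ttl)
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, answer = line.split()
            pool.pairs.append(SolvedPair(key, answer, now))
        return pool

    def take(self, now: Optional[float] = None) -> SolvedPair:
        now = time.time() if now is None else now
        while self.pairs:
            pair = self.pairs.pop(0)          # each pair is consumed exactly once
            if self.ttl is None or now - pair.solved_at <= self.ttl:
                return pair
        raise RuntimeError("no usable pairs left: solve more captchas by hand")


def extract_token(html: str) -> str:
    """Pull the anti-CSRF token out of the form page so it can be refreshed
    by the program instead of being copied by a human."""
    match = re.search(r'name="securityToken"\s+value="([^"]+)"', html)
    if not match:
        raise ValueError("securityToken not found in form page")
    return match.group(1)


def build_post(pool: PairPool, token: str, target_url: str, referer: str) -> dict:
    """Assemble one submission: a fresh pair, the reusable token, a spoofed
    Referer. The Referer is an ordinary request header, so a referer check
    on the server cannot distinguish this from a real browser submission."""
    pair = pool.take()
    headers = {"Referer": referer, "User-Agent": "Mozilla/5.0"}
    form = {
        "captchaKey": pair.key,
        "captchaAnswer": pair.answer,
        "securityToken": token,
        "comment": "constructed comment body",
    }
    return {"url": target_url, "headers": headers, "form": form}


def demo() -> List[dict]:
    """Build three submissions from the constructed pairs file."""
    pool = PairPool.load(PAIRS_FILE)
    token = extract_token(FORM_HTML)
    return [
        build_post(pool, token, "https://example.invalid/comment", "https://example.invalid/post/1")
        for _ in range(3)
    ]


if __name__ == "__main__":
    for post in demo():
        print(post["headers"]["Referer"], post["form"]["captchaKey"], post["form"]["securityToken"])
```

The pool raises once the file is exhausted or every remaining pair is older than ttl; that is the point at which the human has to solve another batch, which is exactly why the post calls the method half-automated rather than fully automated.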

I found this hole at jeremiahgrossman.blogspot.com (but all sites on Blogger are at risk). This is the site of Jeremiah Grossman. You have certainly heard about him :-) - he is a well-known security guy. A security expert who is using insecure blog hosting (with a vulnerable captcha).

Insufficient Anti-automation:

Blogger CAPTCHA bypass.html

Guys, do not overdo it with this Captcha bypass test. Do not post too much at this site. This exploit is for educational purposes only.

Moral: try to make more secure captchas.

P.S.

I have also prepared information about another vulnerable Google captcha. So wait for today's bonus post ;-).

MoBiC-04: reCaptcha CAPTCHA bypass

22:52 04.11.2007

The next participant of the project is reCaptcha. It is a popular captcha used at many web sites.

As stated at recaptcha.net, this captcha has plugins for many engines, such as WordPress, MediaWiki, phpBB, Movable Type, Drupal, Symfony, Typo3, NucleusCMS, vBulletin and Joomla. This is a popular external captcha service, and many thousands of sites are at risk from this captcha.

This captcha is vulnerable to one interesting bypass method (I call it the captcha token bypass method). I found this Insufficient Anti-automation hole on 31.08.2007.

In the captcha token bypass method you bypass the tokens only, without answering any captcha image. So you use only the captcha_token parameter (and do not use the recaptcha_response_field parameter at all). For bypassing you use a new captcha token for every post.

I found this hole at www.keng.ws. Some other sites using reCaptcha that I tested were not vulnerable to this hole, so it is just an incorrect implementation of the captcha. But there may still be a lot of other sites with such holes (which did not set up reCaptcha correctly).
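Below is an added editorial example (not the reCaptcha plugin's code, and not PHP-Nuke's) of the implementation mistake that both the captcha token bypass method here and the null string bypass method in the MoBiC-10 bonus post rely on: the form handler calls the captcha verifier only when an answer field actually arrives, so a request that omits the answer (or sends an empty string) is never checked. The handler logic, the ISSUED table and the token values are assumptions chosen to reproduce the behaviour the two posts describe; only the field names come from the posts. The hardened handler beside it treats a missing or empty field as a failed captcha.

```python
"""Added example: verifying the captcha only when the answer field is present
(vulnerable) versus always (hardened). Handler logic, ISSUED table and token
values are assumptions; field names follow the MoBiC posts."""

# Constructed server-side table of outstanding challenges: token -> correct answer.
ISSUED = {}


def reset_challenges() -> None:
    ISSUED.clear()
    ISSUED.update({"tok-1": "k7x2q", "tok-2": "m3pz9", "tok-3": "zz11a"})


def verify_answer(token: str, answer: str) -> bool:
    """The real check: the answer must match the challenge the token refers to.
    The token is consumed so that a correct answer cannot be replayed."""
    expected = ISSUED.pop(token, None)
    return expected is not None and expected == answer


def vulnerable_handler(form: dict, token_field: str, answer_field: str) -> str:
    """Refuses unknown or already-used tokens, but compares the answer only
    when one was sent. Sending no answer at all sails straight through."""
    token = form.get(token_field, "")
    answer = form.get(answer_field, "")
    if token and token not in ISSUED:
        return "rejected: bad token"
    if answer:                                  # the bug: absence means "nothing to check"
        if not verify_answer(token, answer):
            return "rejected: wrong captcha"
        return "accepted"
    ISSUED.pop(token, None)                     # token spent although nothing was verified
    return "accepted"


def hardened_handler(form: dict, token_field: str, answer_field: str) -> str:
    """A missing or empty field is a failed captcha, never a skipped one."""
    token = form.get(token_field)
    answer = form.get(answer_field)
    if not token or not answer or not verify_answer(token, answer):
        return "rejected: captcha required"
    return "accepted"


def demo() -> dict:
    """Run the requests the posts describe through both handlers."""
    reset_challenges()
    nuke_null = {"username": "bot", "gfx_check": "", "random_num": ""}   # null string method
    nuke_absent = {"username": "bot"}                                     # parameters not sent
    token_only = {"comment": "spam", "captcha_token": "tok-1"}            # captcha token method
    wrong_answer = {"captcha_token": "tok-3", "recaptcha_response_field": "nope"}
    legit = {"captcha_token": "tok-2", "recaptcha_response_field": "m3pz9"}
    rc = ("captcha_token", "recaptcha_response_field")
    nuke = ("random_num", "gfx_check")
    return {
        "nuke_null": vulnerable_handler(nuke_null, *nuke),
        "nuke_absent": vulnerable_handler(nuke_absent, *nuke),
        "recaptcha_token_only": vulnerable_handler(token_only, *rc),
        "recaptcha_token_reused": vulnerable_handler(token_only, *rc),
        "recaptcha_wrong_answer": vulnerable_handler(wrong_answer, *rc),
        "hardened_null": hardened_handler(nuke_null, *nuke),
        "hardened_token_only": hardened_handler(token_only, *rc),
        "hardened_legit": hardened_handler(legit, *rc),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} {outcome}")
```

The "recaptcha_token_reused" case shows why the post says a new captcha_token is needed for every post: the token is consumed even on the unchecked path, so the bypass is not a replay but a skipped verification.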

Insufficient Anti-automation:

reCaptcha.txt

Guys, do not overdo it with this Captcha bypass test. Do not post too much at this site. This exploit is for educational purposes only.

Moral: never implement captchas incorrectly.

P.S.

This vulnerability concerns only the reCaptcha plugin for Drupal.

MoBiC-03: Peter’s Custom Anti-Spam Image CAPTCHA bypass

22:40 03.11.2007

The next participant of the project is Peter's Custom Anti-Spam Image. It is a captcha plugin for WordPress.

Statistics at wordpress.org say this plugin was downloaded 4571 times. Taking into account that the plugin can also be downloaded from other sources, the total number of downloads, and of sites using it, is much higher. So many thousands of sites are at risk from this plugin.

This captcha is vulnerable to two bypass methods. I found these Insufficient Anti-automation holes on 12.10.2007 (I had already found them in August; in October I just wrote a working exploit).

1. Constant values bypass method.

The captcha has only 10 (constant) values, from antiselect=1 to antiselect=10. So it is easy for a program to work out the code needed for the current captcha from the parameter's value.

2. MustLive CAPTCHA bypass method.

To bypass it you reuse the same securitycode and matchthis values many times (for every post). This is my own CAPTCHA bypass method. It is a very effective bypass method.
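The following added editorial example (not code from PHP-Nuke, mt-scode, itua.info or Peter's Custom Anti-Spam Image) shows why the MustLive CAPTCHA bypass method works against the captchas in MoBiC-10, MoBiC-09, MoBiC-07, MoBiC-06 and this post, and why the constant-value logical captchas in MoBiC-08 are the same flaw in its simplest form: the server re-derives the expected code from the submitted parameters and never records that a pair was already used, so one solved pair is valid forever. The hashing recipe, the field names gfx_check and random_num, the user-agent and SITE_KEY are assumptions for illustration. The OneTimeCaptcha class beside it is the fix: a challenge stored server-side, bound to the session, expiring, and deleted on the first check whether the answer was right or wrong.

```python
"""Added example: a stateless, replayable captcha check next to a one-time,
server-side one. Hashing recipe, field names and SITE_KEY are assumptions."""
import hashlib
import secrets
import time
from typing import Dict, List, Tuple

SITE_KEY = "example-site-key"   # assumed server secret


def stateless_expected_code(random_num: str, user_agent: str, day: str) -> str:
    """Assumed recipe: the code drawn on the image is derived from request data
    only, so the server can re-derive it without storing anything. The same
    inputs give the same code until the day string changes."""
    digest = hashlib.md5(f"{user_agent}{SITE_KEY}{random_num}{day}".encode()).hexdigest()
    return str(int(digest, 16))[2:8]


def stateless_check(form: dict, user_agent: str, day: str) -> bool:
    """Vulnerable: a solved (random_num, gfx_check) pair is accepted again and
    again, because nothing records that it was already used."""
    expected = stateless_expected_code(form.get("random_num", ""), user_agent, day)
    return form.get("gfx_check", "") == expected


class OneTimeCaptcha:
    """Hardened: each challenge lives in server-side state, is bound to the
    session, expires, and is deleted the moment it is checked."""

    def __init__(self, ttl_seconds: float = 300):
        self.pending: Dict[Tuple[str, str], Tuple[str, float]] = {}
        self.ttl = ttl_seconds

    def issue(self, session_id: str) -> Tuple[str, str]:
        """Create a challenge; the returned answer is what the image would show
        (returned here only so the simulation can 'solve' it)."""
        challenge_id = secrets.token_hex(8)
        answer = f"{secrets.randbelow(10**6):06d}"
        self.pending[(session_id, challenge_id)] = (answer, time.time() + self.ttl)
        return challenge_id, answer

    def check(self, session_id: str, form: dict) -> bool:
        key = (session_id, form.get("challenge_id", ""))
        entry = self.pending.pop(key, None)      # consumed on first use, right or wrong
        if entry is None:
            return False
        answer, expires_at = entry
        if time.time() > expires_at:
            return False
        supplied = str(form.get("answer", "")).encode()
        return secrets.compare_digest(answer.encode(), supplied)


def replay_demo() -> Tuple[List[bool], List[bool]]:
    """Replay one solved pair five times against each design."""
    ua, day = "Mozilla/5.0 (constructed)", "November 10"
    solved = {"random_num": "123456", "gfx_check": stateless_expected_code("123456", ua, day)}
    stateless_results = [stateless_check(solved, ua, day) for _ in range(5)]

    server = OneTimeCaptcha()
    challenge_id, answer = server.issue("sess-A")
    solved_once = {"challenge_id": challenge_id, "answer": answer}
    hardened_results = [server.check("sess-A", solved_once) for _ in range(5)]
    return stateless_results, hardened_results


if __name__ == "__main__":
    print(replay_demo())
```

A logical captcha whose expected value is a constant ("validemail=d", "nonspammer=1") is the degenerate case of stateless_check: the expected code does not even depend on the request, so there is nothing to solve once and reuse.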

Insufficient Anti-automation:

Peter’s Custom Anti-Spam Image CAPTCHA bypass.html

This exploit is for educational purposes only.

You need to set up the exploit to test it (set the site's URL and other data). If you want to test it immediately, here is an online example.

I found this hole at xato.net, and this site is about security. The author also talks at his site about captchas' security, but at the same time he is using a vulnerable captcha. I already told him about this vulnerability.

Insufficient Anti-automation:

xato.net CAPTCHA bypass.html

Guys, do not overdo it with this Captcha bypass test. Do not post too much at this site. This exploit is for educational purposes only.

Moral: never make such unreliable captchas.