Common vulnerabilities in the verification code module

CAPTCHA Bypass#

CAPTCHAs are used mainly on login forms to prevent brute-force attacks. If the CAPTCHA module is configured incorrectly, for example validated only on the client side, or never expired on the server side, the CAPTCHA provides no protection at all.

There are generally the following types of CAPTCHAs:

  • Image CAPTCHA
  • SMS CAPTCHA
  • Email CAPTCHA
  • Slide CAPTCHA
  • Voice CAPTCHA

SMS CAPTCHA#

CAPTCHA Brute Force#

Most SMS CAPTCHAs are 6-digit codes, which are impractical to brute-force. If a 4-digit code is used, however, and neither an expiry time nor a limit on the number of attempts is enforced, brute-forcing becomes feasible.

A 4-digit code has only 10,000 possible values, 0000 to 9999, which is a small search space.

Case 1: Arbitrary User Registration

The attacker enters an arbitrary mobile phone number to register. The server sends an SMS CAPTCHA to the number the attacker provided. Here the CAPTCHA is a 4-digit code, so the brute-force range is set to 0000 to 9999. Once the code is found, an account is registered automatically.

image

Whether a guess succeeded can be determined from the returned response.

image

As shown in the figure above, the correct CAPTCHA can be identified by the response length, which is 49.

Fix Suggestions:

To prevent CAPTCHA brute-forcing, the following hardening measures are recommended:

(1) Set the CAPTCHA expiry time to 180 seconds;
(2) Limit the number of failed CAPTCHA attempts within a given period, for example lock the account for 15 minutes after 5 consecutive failures within 5 minutes.

CAPTCHA Bypass Testing#

Vulnerability Principle:

In some cases the CAPTCHA check can be bypassed by modifying the response the server returns after the front end submits the form, so that the attacker's own request goes through.

Testing Process:

The attacker opens the registration page, enters any mobile phone number, requests a CAPTCHA, fills in an arbitrary CAPTCHA value and submits the form. The request is intercepted with a packet-capture tool, the returned response is viewed and modified, the modified response is forwarded, and the attacker checks whether registration succeeded.

image

Modify the response packet

image

Fix Suggestions:

To address this vulnerability, it is recommended to add a server-side CAPTCHA verification mechanism that re-verifies the CAPTCHA submitted by the client rather than trusting a result reported by the client.

Reuse of CAPTCHA#

Vulnerability Principle:

On a website's login or comment pages, if the session state is not cleared promptly after a CAPTCHA is verified successfully, the same CAPTCHA can be reused after that first success. During testing, capture the request containing the CAPTCHA and resubmit it repeatedly to see whether the submission still succeeds.

Testing Process:

The attacker registers an account through the normal flow, enters the CAPTCHA on the page, captures the submitted request, changes the username field in the request, and resubmits it repeatedly to see whether multiple accounts can be registered.

Fix Suggestions:

To address repeated use of a CAPTCHA, it is recommended to clear the session record of the successful verification as soon as the CAPTCHA has been verified once. This prevents the CAPTCHA from being reused after a single verification.

CAPTCHA GET Transmission Leakage#

As can be seen, the CAPTCHA is returned in the response to the GET request, so it can be read directly. A valid mobile phone number is not even needed: the attacker reads the code from the response and enters it.

image

SMS Bombing#

Vulnerability Principle:

If the SMS sending module does not limit the number of SMS messages that can be sent, SMS CAPTCHAs can be sent without limit.

Testing Process:

The attacker enters a mobile phone number in the SMS field, clicks to send the CAPTCHA, captures the request, and resends it repeatedly to see whether several SMS CAPTCHAs arrive within one second. If they do, an SMS bombing vulnerability exists.

Some bypass methods:

  1. Bypass using spaces
  2. Bypass by modifying cookie values
  3. Bypass by IP
  4. Bypass by modifying return values
  5. Bypass by sending SMS with different accounts

image

image
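The verification-side hardening from the brute-force and reuse sections and the send-side limit from the SMS bombing section, in one added Python example (not code from the original post): codes expire after 180 seconds, five failures within 5 minutes lock the number for 15 minutes, a code is deleted once it verifies so a replayed request fails, and the phone number is normalized so padding it with spaces does not earn a fresh quota. The per-hour send quota and the 11-digit number format are assumptions; timestamps are passed in explicitly so the logic can be exercised offline.

```python
import re
import secrets
from collections import defaultdict

CODE_TTL = 180          # seconds a code stays valid (the page's suggestion)
MAX_FAILURES = 5        # this many failed verifications ...
FAILURE_WINDOW = 300    # ... within 5 minutes ...
LOCK_SECONDS = 900      # ... lock the number for 15 minutes
SEND_LIMIT = 5          # assumed quota: codes per number per hour

def normalize_phone(raw):
    # Strip spaces and punctuation so "138 0000 0000" and "13800000000" share one counter
    digits = re.sub(r"\D", "", raw)
    if not re.fullmatch(r"1\d{10}", digits):   # assumed 11-digit mobile number format
        raise ValueError("invalid phone number")
    return digits

def _recent(stamps, now, window):
    stamps[:] = [t for t in stamps if t > now - window]   # prune entries outside the window
    return len(stamps)

class SmsCodeService:
    def __init__(self):
        self.codes = {}                     # phone -> (code, expires_at)
        self.sends = defaultdict(list)      # phone -> timestamps of codes sent
        self.failures = defaultdict(list)   # phone -> timestamps of failed checks
        self.locked_until = {}              # phone -> time the lockout ends

    def request_code(self, raw_phone, now):
        phone = normalize_phone(raw_phone)
        if _recent(self.sends[phone], now, 3600) >= SEND_LIMIT:
            return None                     # quota exhausted: no SMS is sent
        self.sends[phone].append(now)
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        self.codes[phone] = (code, now + CODE_TTL)
        return code   # goes to the SMS gateway only, never into the HTTP response

    def verify(self, raw_phone, submitted, now):
        phone = normalize_phone(raw_phone)
        if self.locked_until.get(phone, 0) > now:
            return False                    # locked out: reject without comparing
        entry = self.codes.get(phone)
        if entry and now <= entry[1] and secrets.compare_digest(entry[0].encode(), submitted.encode()):
            del self.codes[phone]           # single use: a replayed request now fails
            self.failures.pop(phone, None)
            return True
        self.failures[phone].append(now)
        if _recent(self.failures[phone], now, FAILURE_WINDOW) >= MAX_FAILURES:
            self.locked_until[phone] = now + LOCK_SECONDS
        return False
```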

Image CAPTCHA#

CAPTCHA Bypass (on client)#

JavaScript front-end validation

image

Disable JavaScript

In the browser, press F12 and disable JavaScript under Settings

image

image

Go to the login box

image

Capture with Burp

image

Successful brute force with Intruder

image

CAPTCHA Bypass (on server)#

image

image

The same CAPTCHA can be used repeatedly without expiring, so the login can be brute-forced successfully.

image

Automatic Recognition Testing of Image CAPTCHA#

Download captcha-killer-modified#

A modified version of captcha-killer that supports keyword-based extraction of base64-encoded images, adds a free OCR library, is intended for CAPTCHA brute-forcing, and is adapted to the new version of Burp Suite.

Download the JAR file at Releases

image

Load this JAR file in Burp Suite

Then clone the captcha-killer-modified source repository for its codereg.py file, the script that starts the CAPTCHA recognition service; it depends on the ddddocr library.

image

git clone https://github.com/f0ng/captcha-killer-modified.git

Install the ddddocr Library#

Repository address: https://github.com/sml2h3/ddddocr

Note: My environment is Mac M1 Pro

# Install onnxruntime with brew
brew install onnxruntime
pip3 install ddddocr # Error occurs when installing and running codereg.py with Python 3.9

Install aiohttp with Python 3.10

pip310 install aiohttp -i http://pypi.doubanio.com/simple/ --trusted-host pypi.doubanio.com

Run python310 codereg.py

Error: TypeError: The port is required to be int.

Solution to the error:

Change default="8888" in the script to default=8888 and run it again

Run python310 codereg.py again, it works fine

image

Practical Case 1#

The target is the Pikachu vulnerable practice range.

  1. Burp requests the CAPTCHA URL

image

Request the CAPTCHA URL and click Get; the CAPTCHA image appears on the right.

image

On the left of the figure above, first capture a request from the login form, then change the URL in the POST to the CAPTCHA URL. The right side shows the request as sent to the captcha-killer-modified plugin.

image

For other cases, extract the image by keyword

image

  2. Set the ddddocr API URL

Set the request template:

POST /reg HTTP/1.1
Host: 127.0.0.1:8888
Authorization:Basic f0ngauth
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 8332

<@BASE64><@IMG_RAW></@IMG_RAW></@BASE64>

Set the interface address to http://127.0.0.1:8888, the service started by codereg.py.

Set as follows:

image

The captcha-killer-modified panel now shows the CAPTCHA recognized correctly:

image

  3. Start Intruder Brute Force
  • Set the attack type to pitchfork
  • Brute force the password field and the vcode CAPTCHA field

image

Set the payload for the password field

image

Set the payload for the CAPTCHA

image

The final recognition rate; the CAPTCHA used in this target is relatively complex.

image

Output of codereg.py

image
