
Common vulnerabilities in the verification code module

CAPTCHA Bypass#

CAPTCHAs are mainly used on login forms to prevent brute-force attacks. If the CAPTCHA module is misconfigured, for example validated only on the client side, or never expiring on the server side, the CAPTCHA becomes ineffective.

There are generally the following types of CAPTCHAs:

  • Image CAPTCHA
  • SMS CAPTCHA
  • Email CAPTCHA
  • Slide CAPTCHA
  • Voice CAPTCHA

SMS CAPTCHA#

CAPTCHA Brute Force#

Most SMS CAPTCHAs are 6-digit codes, which are not easy to brute force. However, if a 4-digit code is used and neither the expiration time nor the number of attempts is limited, the code can be brute forced.

A 4-digit code has only 10,000 possible values, from 0000 to 9999, which is a small search space.

Case 1: Arbitrary User Registration

The attacker fills in any mobile phone number for registration, and the server sends an SMS CAPTCHA to that number. In this case, the CAPTCHA is a 4-digit code in the range 0000 to 9999. The attacker brute forces the CAPTCHA and registers an account automatically.

image

The success of the cracking can be determined by the returned data packet.

image

As shown in the above figure, the correct CAPTCHA has a response size of 49.

Fix Suggestions:

To prevent CAPTCHA brute force attacks, the following reinforcement measures are recommended:

(1) Set an expiration time for the CAPTCHA, recommended to be 180 seconds;
(2) Limit the number of failed attempts for the CAPTCHA within a certain period of time, such as locking the account for 15 minutes if there are 5 consecutive failures within 5 minutes.

CAPTCHA Bypass Testing#

Vulnerability Principle:

In some cases, after the front end submits the data, modifying the response returned by the server (e.g., the res_code field or similar fields) is enough to bypass the CAPTCHA check and have our request executed.

Testing Process:

The attacker opens the registration page, enters any mobile phone number, requests a CAPTCHA, fills in an arbitrary CAPTCHA value, submits the request and captures the packet, uses the packet capture tool to view and modify the returned response, forwards the modified response, and then checks whether the registration succeeded.

image

Modify the response packet

image

Fix Suggestions:

To address this vulnerability, it is recommended to verify the CAPTCHA on the server side, so that the decision is made from the server's own check of the value submitted by the client rather than from anything the client can alter in the response.

Reuse of CAPTCHA#

Vulnerability Principle:

On a website's login or comment page, if the server does not clear the CAPTCHA from the session promptly after a successful verification, the same CAPTCHA can be reused after it has been accepted once. During testing, capturing the packet containing the CAPTCHA and resubmitting it repeatedly shows whether each resubmission still succeeds.

Testing Process:

The attacker follows the normal process to register an account, enters the CAPTCHA on the page, captures the submitted data packet, modifies the username field in the data packet, and then repeatedly submits it to see if multiple accounts can be successfully registered.

Fix Suggestions:

To address this issue, it is recommended to clear the verified CAPTCHA from the session immediately after a successful verification, so that a CAPTCHA cannot be reused once it has been accepted.
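The three fix suggestions above (an expiring code, a failure lockout, and invalidating the code once it has been accepted) are combined below in a server-side verifier. This is an added example written for this page, not code from the original post; the in-memory store, the class and method names and the injectable clock are assumptions, and the limits are the values recommended in the text.

```python
import secrets
import time

CODE_TTL_SECONDS = 180        # code expires after 180 seconds, as recommended
MAX_FAILURES = 5              # 5 consecutive failures ...
FAILURE_WINDOW_SECONDS = 300  # ... within 5 minutes ...
LOCKOUT_SECONDS = 900         # ... lock the number for 15 minutes

class SmsCodeVerifier:
    """Server-side store of one-time SMS codes (assumed in-memory design)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested
        self.codes = {}             # phone -> (code, issued_at)
        self.failures = {}          # phone -> timestamps of recent failures
        self.locked_until = {}      # phone -> time the lockout ends

    def issue(self, phone):
        # 6-digit code from a CSPRNG; a 4-digit code leaves only 10,000 candidates
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[phone] = (code, self.clock())
        return code

    def verify(self, phone, submitted):
        now = self.clock()
        if self.locked_until.get(phone, 0) > now:
            return False            # locked out: refuse without comparing
        entry = self.codes.get(phone)
        if entry is None:
            return False            # no code outstanding (never issued, used, or expired)
        code, issued_at = entry
        if now - issued_at > CODE_TTL_SECONDS:
            del self.codes[phone]   # expired codes are discarded, never compared
            return False
        if secrets.compare_digest(code.encode(), str(submitted).encode()):
            del self.codes[phone]   # single use: the captured packet cannot be replayed
            self.failures.pop(phone, None)
            return True
        # wrong code: count the failure and lock the number at the threshold
        recent = [t for t in self.failures.get(phone, []) if now - t <= FAILURE_WINDOW_SECONDS]
        recent.append(now)
        self.failures[phone] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[phone] = now + LOCKOUT_SECONDS
            del self.codes[phone]   # the outstanding code dies with the lockout
            self.failures.pop(phone, None)
        return False
```

Because the server decides purely from its own stored code and counters, neither editing the response nor resubmitting an accepted packet changes the outcome.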

CAPTCHA GET Transmission Leakage#

In the captured packet, the CAPTCHA value itself is present in the GET request, so it can be read directly from the packet. This way the CAPTCHA can be entered without even owning a valid mobile phone number.

image

SMS Bombing#

Vulnerability Principle:

In the SMS sending module, if the number of SMS sending attempts is not limited, it can lead to unlimited sending of SMS CAPTCHAs.

Testing Process:

The attacker fills in the mobile phone number in the SMS sending field, clicks to send the CAPTCHA, captures the packet, and repeatedly sends packets to test whether multiple SMS CAPTCHAs can be received within 1 second. If multiple CAPTCHAs can be received, it indicates the existence of an SMS bombing vulnerability.

Some bypass methods:

  1. Bypass using spaces
  2. Bypass by modifying cookie values
  3. Bypass by IP
  4. Bypass by modifying return values
  5. Bypass by sending SMS from different accounts
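The send-side counterpart of the fix is to throttle the SMS sending endpoint itself. The limiter below is an added example written for this page, not the original post's code; the class and method names, the limits and the mainland mobile number pattern are assumptions. It keys every counter on server-side state (the normalized number and the client IP), which is what closes each of the bypasses listed above.

```python
import re
import time

PER_PHONE_INTERVAL = 60   # one code per number per minute (assumed value)
PER_PHONE_DAILY_CAP = 10  # assumed value
PER_IP_HOURLY_CAP = 20    # assumed value

def normalize_phone(raw):
    """Strip everything but digits so ' 13800138000' and '13800138000' share one counter (bypass 1)."""
    return re.sub(r"\D", "", raw)

class SmsSendLimiter:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.last_sent = {}    # phone -> last send time
        self.phone_sends = {}  # phone -> send timestamps in the last day
        self.ip_sends = {}     # ip -> send timestamps in the last hour

    def allow(self, raw_phone, client_ip):
        """Decide on the server, before any response is built, so editing the return value changes nothing (bypass 4)."""
        now = self.clock()
        phone = normalize_phone(raw_phone)
        if not re.fullmatch(r"1\d{10}", phone):      # assumed mainland mobile format
            return False, "invalid number"
        # per-number limits are independent of cookie, account and source IP (bypasses 2, 3, 5)
        if now - self.last_sent.get(phone, float("-inf")) < PER_PHONE_INTERVAL:
            return False, "too soon for this number"
        day = [t for t in self.phone_sends.get(phone, []) if now - t < 86400]
        if len(day) >= PER_PHONE_DAILY_CAP:
            return False, "daily cap for this number"
        # per-IP limit stops one client spraying codes at many numbers
        hour = [t for t in self.ip_sends.get(client_ip, []) if now - t < 3600]
        if len(hour) >= PER_IP_HOURLY_CAP:
            return False, "hourly cap for this IP"
        # all checks passed: record the send before handing off to the SMS gateway
        self.last_sent[phone] = now
        self.phone_sends[phone] = day + [now]
        self.ip_sends[client_ip] = hour + [now]
        return True, "ok"
```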

image

image

Image CAPTCHA#

CAPTCHA Bypass (on client)#

JavaScript front-end validation

image

Disable JavaScript

Browser F12-Settings-Disable JavaScript

image

image

Go to the login box

image

Capture with Burp

image

Successful brute force with Intruder

image

CAPTCHA Bypass (on server)#

image

image

The same CAPTCHA can be used multiple times without expiring, so the password can be brute forced and the login succeeds.

image

Automatic Recognition Testing of Image CAPTCHA#

Download captcha-killer-modified#

A modified version of captcha-killer that supports keyword extraction of base64-encoded images, adds a free OCR library for CAPTCHA brute forcing, and is adapted to the new version of Burp Suite.

Download the jar file at Releases

image

Load this jar file in Burp Suite

Then download the captcha-killer-modified source code repository, which contains the codereg.py file. This script starts the CAPTCHA recognition service and requires the ddddocr library to be installed.

image

git clone https://github.com/f0ng/captcha-killer-modified.git

Install the ddddocr library#

Repository address: https://github.com/sml2h3/ddddocr

Note: My environment is Mac M1 Pro

# Install onnxruntime with brew
brew install onnxruntime
pip3 install ddddocr # Python 3.9 installation will cause an error when running codereg.py

Install aiohttp with Python 3.10

pip310 install aiohttp -i http://pypi.doubanio.com/simple/ --trusted-host pypi.doubanio.com

Run python310 codereg.py

Error: TypeError: The port is required to be int.

Solution to the error:

Change default="8888" in the script to default=8888 and run it again

Run python310 codereg.py again, it works fine

image

Practical Case 1#

The target is the Pikachu vulnerability practice platform.

  1. Burp requests the CAPTCHA URL

image

Request the CAPTCHA URL, click to get it, and you can get the CAPTCHA on the right side

image

On the left side of the above image, first capture a login-form packet, then change the URL in the POST to the CAPTCHA URL. On the right side, the request is sent to the captcha-killer-modified plugin.

image

For other cases, extract the keyword (the image data in the response)

image

  2. Set the ddddocr API URL

Set the request template:

POST /reg HTTP/1.1
Host: 127.0.0.1:8888
Authorization:Basic f0ngauth
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 8332

<@BASE64><@IMG_RAW></@IMG_RAW></@BASE64>

Set the interface address to: http://127.0.0.1:8888, the service started by codereg.py

Set as follows:

image

The content of the captcha-killer-modified panel at this time is as follows, accurately recognizing the CAPTCHA

image

  3. Start Intruder Brute Force
  • Set the attack type to pitchfork
  • Brute force the password field and the vcode CAPTCHA field

image

Set the payload for the password field

image

Set the payload for the CAPTCHA

image

Final recognition rate; the CAPTCHA used by the target is relatively complex.

image

Output of codereg.py

image
