wordpress Captcha plugin Bypassed

اسال شده در (آخرین بروزرسانی : ) توسط مدیریت
1 امتیاز2 امتیاز3 امتیاز4 امتیاز5 امتیاز
Loading...

Captcha Bypassed!(false report)

Plugin url : https://wordpress.org/plugins/captcha/
Downloads: 2,402,502
——-

+What’s the story?

In the last weeks i see some brute force attacks over my user sites,
This attacks was wide almost, because many of my user sites were under that attack.
Attacker try to login with ‘admin’ user and passwords that are different (password list), here is some sample:

IP Address: 78.6.91.162
User authentication failed: admin
User wrong password: marcin
-------
IP Address: 93.61.84.210
User authentication failed: admin
User wrong password: marcin
-------
IP Address: 78.4.5.10
User authentication failed: admin
User wrong password: leonardo
-------
IP Address: 78.4.90.78
User authentication failed: admin
User wrong password: looking
-------
IP Address: 93.61.33.229
User authentication failed: admin
User wrong password: looking

I’m using wordpress Captcha plugin (4.0.8), unfortunately this nice plugin provide a simple function to decode captcha result

+Let me break it down with example!

When you want to login in your site this plugin generate some hidden inputs:

<input type="hidden" value="Vd/o" name="cptch_result">
<input type="hidden" value="1420695173" name="cptch_time">
<input type="hidden" value="Version: 4.0.8">

We must enter correct result in the below input:

<input type="text" name="cptch_number"  id="cptch_input">

on other hand , when we fill it and click on login button, the plugin try to match result with its own way:

if ( 0 == strcasecmp( trim( cptch_decode( $_REQUEST['cptch_result'], $str_key, $_REQUEST['cptch_time'] ) ), $_REQUEST['cptch_number'] ) ) {
/* Captcha was matched */
$_SESSION['cptch_login'] = true;
return $user;
}

in the above code you can see the plugin use ‘cptch_decode’ to match result, and what is cptch_decode function code?

function cptch_decode( $String, $Key, $cptch_time ) {
/* Check if key for encoding is empty */
if ( ! $Key ) die ( __( "Decryption password is not set", 'captcha' ) );</p>
<p dir="ltr">$Salt    =    md5( $cptch_time, true );
$StrLen    =    strlen( $String );
$Seq    =    $Key;
$Gamma    =    '';
while ( strlen( $Gamma ) &lt; $StrLen ) {
$Seq = pack( "H*", sha1( $Seq . $Gamma . $Salt ) );
$Gamma.= substr( $Seq, 0, 8 );
}</p>
<p dir="ltr">$String = base64_decode( $String );
$String = $String^$Gamma;</p>
<p dir="ltr">$DecodedString = substr( $String, 1 );
$Error = ord( substr( $String, 0, 1 ) ^ substr( pack( "H*", sha1( $DecodedString ) ), 0, 1 ));</p>
<p dir="ltr">if ( $Error )
return false;
else
return $DecodedString;
}

And what happen if we pass same $cptch_time value to the function?
Yes! we can bypass the captcha by reading cptch_number input value and generate the result and bypass it!

بخوانید:  سایتم هک شده ؟

Plugin Author: The statements presented in this article are incorrect, as apart from $cptch_time, you also need to know the $Key. Without this $Key, everything else does not have any sense. This key is randomly generated once every 24 hours. If you’d like, we could add an option to choose the time of key update – even each 10 minutes, if you’d like that.

Thank you for your fast answer , So question now is : how the robots can bypass captcha and do brute act?

+So what can i do now?

You can use another captcha plugins, or wait to plugin author to solve this issue.

+How the code can be secure?

Plugin author can be use a specific random salt for any plugin installation, in other hand he can
generate the random string per installation instead of using current time

نظرات شما را پذیراییم

نشانی ایمیل شما منتشر نخواهد شد.

*

*