Cracked a captcha
Micha just implemented an own Captcha-Plugin for wordpress, I just cracked it some minutes later ;)
Micha was annoyed of his previous Captcha-Plugin, neither valid nor beautiful, so he decided to write his own tool for killing bots.
When I saw his new captchas I was wondering wheter he will get further comments. His captchas ask for solution of mathematical problems like \(\sqrt{121} + 95\) or \(228 \div 19\) or \(\frac{136 - 61}{\sin(\pi \div 2)}\).. Who the hell wants to calculate that stuff!? Me not! ;)
So I developed a little userscript that solves this problem. When you take a look to the source code of his website you’ll find something like this:
So you see, there is an image created by an external server, an input field where you can put the solution and an input field of the type hidden with a crypt value (seems like a hash^^). The most of you will see several ways to hack this:
- Parse the string of the image like the external server does to create the \(\LaTeX\)-image. So you’ll get an arithmetic problem, easy to solve.
- Find out what kind of hash is in the value of the secret hidden input-field and try to find a number that matches that hash, maybe via brute force.
- Solve one captcha and fake the rest ;)
Of course the last solution is the easiest one. So I solved on captcha, solution was 7
and the secret key was 9ee4251f80923e6239ae66ab50a357daa6039f04
, hack done!
The development of the userscript was more than simple:
I think that this script won’t work for a long time, so there is no download available ;) If you want to use it, copy&paste, you know.
Ähm, before anybody starts to blame me, a similar workaround kills also my captcha-solution… :P
- blog (17) ,
- hacked (25) ,
- latex (8) ,
- programming (75) ,
- security (31) ,
- userscript (6) ,
- wordpress (15)
Leave a comment
There are multiple options to leave a comment:
- send me an email
- submit a comment through the feedback page (anonymously via TOR)
- Fork this repo at GitHub, add your comment to the _data/comments directory and send me a pull request
- Fill the following form and Staticman will automagically create a pull request for you:
3 comments
Captcha…
Ich habe mir ein neues Captcha-Plugin gebaut. Dieses besteht aus netten Matheaufgaben. Diese gehen immer glatt auf. Ich muss noch etwas an dem Plugin pfeilen. Sagt mir was ihr davon haltet. Die Aufgaben werden via erzeugt. Ich habe das Plugin etwas geä…
I have update my captcha-plugin. Your userscript ist useless :-)
Cracked next Captcha…
Ok, when Micha saw my tiny hack he changed his implementation (as promised) and told me I’m not able to hack it again… Micha, your captcha failed again :P……