Captcha Bypass Using Tesseract OCR and Python

import cv2
import pytesseract
from urllib.request import urlopen
import numpy as np
from bs4 import BeautifulSoup
import requests
import urllib.parse
import re

#burninator August 2022

#captcha bypass: by hitting the validation check API directly PLUS using OCR AI library to read the captcha


#contact_check_page = requests.get('https://ip-lookup.net/')

#testRegexTheCode = '/RECAPTCHACODE/RECAPTCHA.png'
#x = re.findall("[0-9]+",testRegexTheCode)
#print(str(x[0]))

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0'}


# STEP ONE - get the recaptcha image text value first, before the .cgi check (order matters!)

#thesoupson = open('TARGET/TARGET.htm', 'r')
thesoupofcontact = requests.get('TARGET/', headers=headers) #also tested and working
thesoupson = thesoupofcontact.text
#for line in thesoupson:
#    print (str(line))

soup = BeautifulSoup(thesoupson, "html.parser")
images = soup.findAll('img')
for image in images:
    if ('recaptcha.png' in image['src']):
        print(str('target captcha ' + image['src']))
        targetCaptcha = image['src']
        recaptchaCodeMatch = re.findall("[0-9]+",targetCaptcha)
        print(str(recaptchaCodeMatch[0]))
        fromRecaptchaUrl = recaptchaCodeMatch[0]

#thesoupson.close()

pytesseract.pytesseract.tesseract_cmd = r'C:\PROGRA~1\Tesseract-OCR\tesseract.exe' #set env vars here because... MEH!

# Loading image using OpenCV
req = urlopen('https://TARGET+targetCaptcha)
arr = np.asarray(bytearray(req.read()), dtype=np.uint8)

img = cv2.imdecode(arr, -1)

#cv2.imshow('lalala', img)
if cv2.waitKey() & 0xff == 27: quit()

#img = cv2.imread('recaptcha.png')

# Converting to text
answerToRecaptcha = pytesseract.image_to_string(img)

print(str("this is the captcha text TEEHEE!" ) + answerToRecaptcha)

#STEP TWO - get the CGI value - usually loaded from Javascript from the
#CGI request is tested and working, tho i just added that cgisouprequestvar:
cgisouprequest = requests.get('https://TARGET/check.cgi')
cgisoup = cgisouprequest.text
print(cgisoup)

#cgisoup = open('TARGET/contact_check.cgi', 'r')
soupses = BeautifulSoup(cgisoup, "html.parser")
inputs = soupses.findAll('input')
for input in inputs:
    print (str(input['value']))
    thevalue = str(input['value'])

#cgisoup.close()

encodeme = urllib.parse.quote(thevalue, safe="")


contactCheckValue = encodeme
print(str(contactCheckValue))

#STEP THREE - build out the POST request with the stuff with the two variables + that same randomized User-Agent string

# also consider building this into either a Burp extension or Turbo Intruder (most likely an extension since it allows calling python modules or other treats from the path)

Ollydebug and Email Verification Bypass

Ollydebug combined with Pywin32 are great for finding hidden buttons on desktop applications that are invisible but still active. That Python library makes it easy to access and use them. (I haven't done that much research with desktop applications, and I'm almost positive a tool already exists to do these things in a more automated way, but this is one pretty heinous way, mclovin.py...)

import time

import win32con

import win32gui

import win32api

import win32process

import winxpgui

import struct

import pywintypes

mclovin, cmd = win32.api.CreateProcess(

None, #name

cmd,

None, #process attributes 

None, #thread attributes

0, #inheritance flag

0, #creation flag SW_NORMAL  #invisible, but I can still write to it: 1

win32con.SHOW_MINIMIZED

None, #new environment

None, #current directory

win32process.STARTUPINFO()

)

 

#brunningonline.net

def getEditText(hwnd):

    result = []

    bufferlength = struct.pack('i',255)

    linecount = win32gui.SendMessage(hwnd, win32con.EM_GETLINECOUNT, 0,0)

    linetext = linetext+"".ljust(253)

    linelength = win32gui.SendMessage(hwnd, win32con.EM_GETLINECOUNT, line, linetext)

    result.append(linetext[:linelength])

    return result

def wcallb(hwnd, handle):

    if (win32gui.GetClassName(hwnd) == 'Edit'):

         handle[win32gui.GetClassName(hwnd)+str(hwnd)] = hwnd

    else:

        handle[win32gui.GetClassName(hwnd)] = hwnd

 

    try:

        win32gui.EnumChildWindows(hwnd, wcallb, handle)

    except:

        print ('?no hijos?')

     return True

 

handle = {}

 

while not handle: #loop until we find the window

    time.sleep(0.1)

    win32gui.EnumThreadWindows(tid, wcallb, handle) #select fro future list of handles, not the top window

    print(handle) 

 

#if tabbing worked, I wouldn't need to find instances of components

#mclovin is a valid handle, but keys aren't sent to the window?

#handle['Button'] <-- Output 'Edit' <-- three 'Static' <-- window

'#32770' <-- dialog

 

#don't trust ordering of the fields, read the label text to determine

#text a:\***.csv

onlyEdits = []

for thehandle in handle.keys():

    if "Edit" in thehandle:

        onlyEdits.append(handle[thehandle])

 

try: 

     for k in onlyEdits:

        testPath = getEditText(k)

        if 'a:\***.csv' in testPath:

            editPath = k

except:

    print('couldn't find it)

 

#delete the current text which is at most 20 chars, replace with my own keystrokes

 

for c in range(20):

    win32api.PostMessage(

         editPath,

         win32con.WM_KEYDOWN,

         win32con.VK_DELETE,

         0 

         )

    win32api.PostMessage (

         editPath,

         win32con.WM_KEYUP,

         win32con.VK_DELETE,

         0 

         )

for escritarme in "*****\mclovinUSA.txt": 

    win32api.SendMessage(

         editPath

         win32con.WM_CHAR,

         ord(escritarme),

         0

)

Whew that's an ugly script. Anyway, unrelated, but a major social media network implies a lot of verification steps to the user, but if the user clicks the help link to exit the process early and get to the main site, it's clear that the account has already been created and can be used without further verification.

Basic SQL Injection and XSS : OWASP Juice Shop and Beyond!

I've been learning how to use Burp Suite to speed up things I used to script. It's not a complete replacement for all projects (see my previous post about about shuffling MMS messages around, or polling scripts to alert me to changes in an upload folder, for example) but it's fantastic so far. A wonderful place to test has been OWASP Juice Shop, an intentionally vulnerable Javascript-based site, which has a score board for the various vulnerabilities found by its users.

One challenge was to find a hidden language file. It was easy to find the directory where the other language files were kept (and thus get the format of the file name, es_ES.json), but significantly more difficult to automate iterating over 4000 or more known language codes such as cs_CZ or es_ES to wait for a 200 OK status to come back.  I would have normally used a Python script here, but it could be tried in Burp Suite's "repeater" tool instead by loading the language codes into a payload and then running a custom packet (although, maybe not: the tricky part would be in the case of fictional languages that may not have a country code associated with it, so random 2-letter combinations may be brute forced faster with a script. Not sure - let me know in the comments if there's a Burp Suite way instead).

Long story short, Juice Shop is great practice tool... but what about other sites?

Hotel Rate and Hidden Variables

One hotel's reservation page can be edited so that it charges an incorrect room rate. This happens by editing two variables; one javascript variable for islovelyrate can be set to true, and, likewise, the lovelyrate variable can be set to any number. The islovelyrate variable forces a recalculation of the price just before the payment page, which then uses whatever rate amount the client-side code provided. There may be further server-side validation to prevent the bad amount from going through, but I stopped short of entering payment information, so I don't know.

Rental Site - SQLi, PHP

This one is full of fascinating issues. It is vulnerable to SQL injection, and has verbose SQL and PHP errors, which lead to finding the publicly readable directories where the .php files are stored. This included old copies of the PHP scripts, labeled as "reserve.php OLD" as opposed to "reserve.php". Because the file extension wasn't .php, the server allowed me to download and view the code in the old copies, instead of executing the PHP. It turns out that the old code must be very similar to the new version, because it was vulnerable to the same attacks that the old one was. The scripts included parameter names for PHP session variables, full SQL queries, other directories on the server, etc. Luckily no credentials were hard coded. Errors from trying to run PHP scripts as one-offs lead to more verbose errors which lead to several more readable directories with PHP scripts, including the admin section, and scripts for sending SMS to guests from the site (which functioned, as demonstrated with a temporary phone number). There was little to no input validation, so the product could be reserved for dates with a sooner start date than ending date, causing the product's final cost to be calculated as 0.00. Additionally, there were no upper bounds on date, so trying to get a quote for Dec 1, 1500 to Dec 1, 2020 seemed to cause a soft crash for a little while.

This site's one saving grace is that it did not allow me to upload my own file to one of these seemingly wide-open directories, despite the HTTP OPTIONS request returning POST. However, with a little more effort, I'm almost positive there would be a way to.

Organization - XSS, SQLi

This one was unusual. The SQL error returned revealed that the URL parameter passed to it was being used in various parts of the query in different ways, sometimes as a part of a column name, table name, or in the where clause parameter itself. I don't think I've ever seen that before, and at first, it was difficult to see how to SQL inject something like this. It was interesting that there were a lot of joins in the query, which showed a lot of table names. Other pages where more easily SQL injectable (with things like ‘ or ‘1’=‘1 (I couldn’t escape the end of the query with a - - comment, so I used the ending apostrophe). On one of these pages with a simpler query, I was able to SQL inject with a UNION which returned a different table's data (despite it only being designed to return one value, it luckily listed all of them). I got a privilege error when my output command failed to write the results to a file (which is okay because it was already displaying multiple results), but that gave me the current database user's account name.

A simple XSS attack worked in the search box of the site, mainly because it caused a SQL error which then executed the contents of the <script> tag when it displayed. I wonder if I would be able to insert the script tag so it would persist in the database, and execute for other users.

 

 

 

Where Did Wiki Scanner Go?

A guy named Virgil in early 2000's created a scandalous project called WikiScanner. All it does it look at anonymous Wiki edits for a certain ip ranges to figure out what companies were editing their own Wikipedia pages (obviously the ip addresses were cross referenced against a whois or something).

It doesn't seem to exist anymore. It got taken down I think. All I found is a bad quality copycat with injectable debugging statements:

Table 'wikiscanneres_wiki.org3' doesn't exist

SELECT name, ip_from from org3 where '2433878598' between ip_from and ip_to order by ip_from DESC limit 1

Yikes, TMI, error code...

Anyway, this is easy to replicate yourself using the Requests library in Python. Get a sample of the IP of the network you'd like to know more about, and take a walk around the "block":

(where xxx.xx.xx.xxx is the IP)

for i in range (0,256):
        r = requests.get('http://en.wikipedia.org/wiki/Special:Contributions/xxx.xx.xx.' + str(i))

Refine the crawler to look for related articles, with key words that are relative to your interest.