I have some strings and some hashes of them, but I don't know which hash function is used. Any idea?
String hash
NN34W f8b46bcdc3b3c92
EM3M3 d8015ca876fd051
HXDKD a740e97464e5dfe
AKREJ aa7aa2dadfcbe53
3bNMK 0f11440639191d9
Edit:
Thank for answers, it's a hash of the captcha.
https://registracia.azet.sk/
If you check URL of captcha image, on the end is HASH value. This
On the server are send in HTTP POST are send TEXT: (P92M4) and HASH (72fec89a2e0ade2) and other values.
I like know how comptute hash of the TEXT P92M4, and cont开发者_如何转开发rol with HASH value, which is send on server.
Because I like make own captcha system for my school project, so I first analyzing situation and weakness.
As I understand your situation, a POST request sends both the "text" and the "hash" to the CAPTCHA server. This then uses whatever hash function they use to hash your text, checks to see if it matches the hash, and decides whether or not you succeeded. Presumably, the server sends you the image, as well as the hash, and then you enter the text.
As such, if you figured out the hashing function, you'd have completely broken this CAPTCHA system: All you would need to do is hash any string using their hashing function, and then when sending your POST request, ignore the hash they sent you and merely send them your computed text and hash pair. Thus, you could very easily automate successfully passing the CAPTCHA challenge.
To illustrate how difficult "reversing" the hash might be, consider the following hash that they very well might use:
- Split the TEXT up alternating letters: thus ABCDE becomes ACE and BD
- md5 the two halves using salts "fj49w0utw4a" and "r8h3wlsd"
- md5("fj49w0utw4a"."ACE") is 115c05f0e5300f958ba01caa64b989f
- md5("r8h3wlsd"."BD") is 74eecae86ef46382eb95443a1b1fa8f5
- Take every 3rd char of the first string and every 4th char of the second, and alternate them until you have 15 chars
- 115c05f0e5300f958ba01caa64b989f becomes 55e09b1ab9
- 74eecae86ef46382eb95443a1b1fa8f5 becomes e8425af5
- Final hash value for "ABCDE": 5e58e40295ba1fa
There is really no way you are ever going to reverse engineer that.
UPDATE
Note that CAPTCHAs as described above (and implemented on that site) are extremely insecure, as they only require one valid text/hash combination to be known
To demonstrate, use Firebug or equivalent and navigate to the CAPTCHA area of the form. We will be editing some hidden values.
- Change the
form[captcha_url]
value fromhttps://pokec.azet.sk/sluzby/system/captcha/[somehash]
tohttps://pokec.azet.sk/sluzby/system/captcha/ee2be1f239e5d17
- Change the
form[captcha_hash]
value from[somehash]
toee2be1f239e5d17
- Regardless of what the picture says, type "P22KD" for the CAPTCHA
There are several ways to mitigate this vulnerability. As Tangrs suggested, you can store the hash value in a session variable so that it cannot be manipulated by the client. Less elegant but also effective is to store the submitted CAPTCHA in a database and not allow duplicate CAPTCHAs, as is implemented on the link in the question. This is fine, until you start running out of unused CAPTCHAs and end up getting collisions.
Seems smaller than any industry hash... possibly it's propriety? A bit more info would help though, what language, where did you get it from?
精彩评论