Added a bad CAPTCHA vulnerability

dvwa/includes/dvwaPage.inc.php

@@ -197,6 +197,7 @@ function dvwaHtmlEcho( $pPage ) {
 		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'csrf', 'name' => 'CSRF', 'url' => 'vulnerabilities/csrf/' );
 		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'fi', 'name' => 'File Inclusion', 'url' => 'vulnerabilities/fi/.?page=include.php' );
 		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'upload', 'name' => 'File Upload', 'url' => 'vulnerabilities/upload/' );
+		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'badcaptcha', 'name' => 'Bad CAPTCHA', 'url' => 'vulnerabilities/badcaptcha/' );
 		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/' );
 		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/' );
 		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/' );

external/simple-php-captcha/.gitignore

@@ -0,0 +1,3 @@
+.DS_Store
+simple-php-captcha.sublime-project
+simple-php-captcha.sublime-workspace

external/simple-php-captcha/composer.json

@@ -0,0 +1,7 @@
+{
+    "name": "abeautifulsite/simple-php-captcha",
+    "description": "A simple PHP CAPTCHA script",
+    "version": "1.0.0",
+    "homepage": "http://www.abeautifulsite.net/",
+    "license": "MIT"
+}

external/simple-php-captcha/index.php

@@ -0,0 +1,137 @@
+<?php
+session_start();
+$_SESSION = array();
+
+include("simple-php-captcha.php");
+$_SESSION['captcha'] = simple_php_captcha();
+
+?>
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Example &raquo; A simple PHP CAPTCHA script</title>
+    <style type="text/css">
+        pre {
+            border: solid 1px #bbb;
+            padding: 10px;
+            margin: 2em;
+        }
+
+        img {
+            border: solid 1px #ccc;
+            margin: 0 2em;
+        }
+    </style>
+</head>
+<body>
+    <h1>
+        CAPTCHA Example
+    </h1>
+
+    <h2>Usage</h2>
+
+    <p>
+        The following code will prepare a CAPTCHA image and keep the code in a session
+        variable for later use:
+    </p>
+
+<pre>
+&lt;?php
+session_start();
+include("simple-php-captcha.php");
+$_SESSION['captcha'] = simple_php_captcha();
+?&gt;
+</pre>
+
+    <p>
+        After the call to <code>simple_php_captcha()</code> above,
+        <code>$_SESSION['captcha']</code> will be something like this:
+    </p>
+
+<pre>
+<?php
+print_r($_SESSION['captcha']);
+?>
+</pre>
+
+    <p>
+        To display the CAPTCHA image, create an HTML <code>&lt;img&gt;</code> using
+        <code>$_SESSION['captcha']['image_src']</code> as the <code>src</code> attribute:
+    </p>
+
+    <p>
+        <?php
+        echo '<img src="' . $_SESSION['captcha']['image_src'] . '" alt="CAPTCHA code">';
+
+        ?>
+    </p>
+
+    <p>
+        To verify the CAPTCHA value on the next page load (or in an AJAX request), test
+        against  <code>$_SESSION['captcha']['code']</code>. You can use
+        <code>strtolower()</code> or <code>strtoupper()</code> to perform a
+        case-insensitive match.
+    </p>
+
+    <h2>Configuration</h2>
+    <p>
+        Configuration is easy and all values are optional. To specify one or more options,
+        do this:
+    </p>
+
+<pre>
+&lt;?php
+
+$_SESSION['captcha'] = simple_php_captcha( array(
+    'min_length' => 5,
+    'max_length' => 5,
+    'backgrounds' => array(image.png', ...),
+    'fonts' => array('font.ttf', ...),
+    'characters' => 'ABCDEFGHJKLMNPRSTUVWXYZabcdefghjkmnprstuvwxyz23456789',
+    'min_font_size' => 28,
+    'max_font_size' => 28,
+    'color' => '#666',
+    'angle_min' => 0,
+    'angle_max' => 10,
+    'shadow' => true,
+    'shadow_color' => '#fff',
+    'shadow_offset_x' => -1,
+    'shadow_offset_y' => 1
+));
+
+&gt;
+</pre>
+
+    <h2>Notes</h2>
+    <ul>
+        <li>
+            <strong>Important!</strong> Make sure you call <code>session_start()</code> before
+            calling the <code>simple_php_captcha()</code> function
+        </li>
+        <li>
+            Requires PHP GD2 library
+        </li>
+        <li>
+            Backgound images must be in PNG format
+        </li>
+        <li>
+            Fonts must be either TTF or OTF
+        </li>
+        <li>
+            Backgrounds and fonts must be specified using their full paths (tip: use
+            <code>$_SERVER['DOCUMENT_ROOT'] . '/' . [path-to-file]</code>)
+        </li>
+        <li>
+            Angles should not exceed approximately 15 degrees, as the text will sometimes
+            appear outside of the viewable area
+        </li>
+        <li>
+            Creates a function called <code>simple_php_captcha()</code> in the global namespace
+        </li>
+        <li>
+            Uses the <code>$_SESSION['simple-php-captcha']</code> session variable
+        </li>
+    </ul>
+
+</body>
+</html>

external/simple-php-captcha/readme.md

@@ -0,0 +1,14 @@
+# A simple PHP CAPTCHA script
+
+_Written by Cory LaViska for A Beautiful Site, LLC.  (http://abeautifulsite.net/)_
+
+_Licensed under the MIT license: http://opensource.org/licenses/MIT_
+
+## Demo and Usage
+
+http://labs.abeautifulsite.net/simple-php-captcha/
+
+## Attribution
+
+ - Special thanks to Subtle Patterns for the patterns used for default backgrounds: http://subtlepatterns.com/
+ - Special thanks to dafont.com for providing Times New Yorker: http://www.dafont.com/

external/simple-php-captcha/simple-php-captcha.php

@@ -0,0 +1,172 @@
+<?php
+//
+//  A simple PHP CAPTCHA script
+//
+//  Copyright 2011 by Cory LaViska for A Beautiful Site, LLC
+//
+//  See readme.md for usage, demo, and licensing info
+//
+function simple_php_captcha($config = array()) {
+
+    // Check for GD library
+    if( !function_exists('gd_info') ) {
+        throw new Exception('Required GD library is missing');
+    }
+
+    $bg_path = dirname(__FILE__) . '/backgrounds/';
+    $font_path = dirname(__FILE__) . '/fonts/';
+
+    // Default values
+    $captcha_config = array(
+        'code' => '',
+        'min_length' => 5,
+        'max_length' => 5,
+        'backgrounds' => array(
+            $bg_path . '45-degree-fabric.png',
+            $bg_path . 'cloth-alike.png',
+            $bg_path . 'grey-sandbag.png',
+            $bg_path . 'kinda-jean.png',
+            $bg_path . 'polyester-lite.png',
+            $bg_path . 'stitched-wool.png',
+            $bg_path . 'white-carbon.png',
+            $bg_path . 'white-wave.png'
+        ),
+        'fonts' => array(
+            $font_path . 'times_new_yorker.ttf'
+        ),
+        'characters' => 'ABCDEFGHJKLMNPRSTUVWXYZabcdefghjkmnprstuvwxyz23456789',
+        'min_font_size' => 28,
+        'max_font_size' => 28,
+        'color' => '#666',
+        'angle_min' => 0,
+        'angle_max' => 10,
+        'shadow' => true,
+        'shadow_color' => '#fff',
+        'shadow_offset_x' => -1,
+        'shadow_offset_y' => 1
+    );
+
+    // Overwrite defaults with custom config values
+    if( is_array($config) ) {
+        foreach( $config as $key => $value ) $captcha_config[$key] = $value;
+    }
+
+    // Restrict certain values
+    if( $captcha_config['min_length'] < 1 ) $captcha_config['min_length'] = 1;
+    if( $captcha_config['angle_min'] < 0 ) $captcha_config['angle_min'] = 0;
+    if( $captcha_config['angle_max'] > 10 ) $captcha_config['angle_max'] = 10;
+    if( $captcha_config['angle_max'] < $captcha_config['angle_min'] ) $captcha_config['angle_max'] = $captcha_config['angle_min'];
+    if( $captcha_config['min_font_size'] < 10 ) $captcha_config['min_font_size'] = 10;
+    if( $captcha_config['max_font_size'] < $captcha_config['min_font_size'] ) $captcha_config['max_font_size'] = $captcha_config['min_font_size'];
+
+    // Generate CAPTCHA code if not set by user
+    if( empty($captcha_config['code']) ) {
+        $captcha_config['code'] = '';
+        $length = mt_rand($captcha_config['min_length'], $captcha_config['max_length']);
+        while( strlen($captcha_config['code']) < $length ) {
+            $captcha_config['code'] .= substr($captcha_config['characters'], mt_rand() % (strlen($captcha_config['characters'])), 1);
+        }
+    }
+
+    // Generate HTML for image src
+    if ( strpos($_SERVER['SCRIPT_FILENAME'], $_SERVER['DOCUMENT_ROOT']) ) {
+        $image_src = substr(__FILE__, strlen( realpath($_SERVER['DOCUMENT_ROOT']) )) . '?_CAPTCHA&amp;t=' . urlencode(microtime());
+        $image_src = '/' . ltrim(preg_replace('/\\\\/', '/', $image_src), '/');
+    } else {
+        $_SERVER['WEB_ROOT'] = str_replace($_SERVER['SCRIPT_NAME'], '', $_SERVER['SCRIPT_FILENAME']);
+        $image_src = substr(__FILE__, strlen( realpath($_SERVER['WEB_ROOT']) )) . '?_CAPTCHA&amp;t=' . urlencode(microtime());
+        $image_src = '/' . ltrim(preg_replace('/\\\\/', '/', $image_src), '/');
+    }
+
+    $_SESSION['_CAPTCHA']['config'] = serialize($captcha_config);
+
+    return array(
+        'code' => $captcha_config['code'],
+        'image_src' => $image_src
+    );
+
+}
+
+
+if( !function_exists('hex2rgb') ) {
+    function hex2rgb($hex_str, $return_string = false, $separator = ',') {
+        $hex_str = preg_replace("/[^0-9A-Fa-f]/", '', $hex_str); // Gets a proper hex string
+        $rgb_array = array();
+        if( strlen($hex_str) == 6 ) {
+            $color_val = hexdec($hex_str);
+            $rgb_array['r'] = 0xFF & ($color_val >> 0x10);
+            $rgb_array['g'] = 0xFF & ($color_val >> 0x8);
+            $rgb_array['b'] = 0xFF & $color_val;
+        } elseif( strlen($hex_str) == 3 ) {
+            $rgb_array['r'] = hexdec(str_repeat(substr($hex_str, 0, 1), 2));
+            $rgb_array['g'] = hexdec(str_repeat(substr($hex_str, 1, 1), 2));
+            $rgb_array['b'] = hexdec(str_repeat(substr($hex_str, 2, 1), 2));
+        } else {
+            return false;
+        }
+        return $return_string ? implode($separator, $rgb_array) : $rgb_array;
+    }
+}
+
+// Draw the image
+if( isset($_GET['_CAPTCHA']) ) {
+
+    session_start();
+
+    $captcha_config = unserialize($_SESSION['_CAPTCHA']['config']);
+    if( !$captcha_config ) exit();
+
+    unset($_SESSION['_CAPTCHA']);
+
+    // Pick random background, get info, and start captcha
+    $background = $captcha_config['backgrounds'][mt_rand(0, count($captcha_config['backgrounds']) -1)];
+    list($bg_width, $bg_height, $bg_type, $bg_attr) = getimagesize($background);
+
+    $captcha = imagecreatefrompng($background);
+
+    $color = hex2rgb($captcha_config['color']);
+    $color = imagecolorallocate($captcha, $color['r'], $color['g'], $color['b']);
+
+    // Determine text angle
+    $angle = mt_rand( $captcha_config['angle_min'], $captcha_config['angle_max'] ) * (mt_rand(0, 1) == 1 ? -1 : 1);
+
+    // Select font randomly
+    $font = $captcha_config['fonts'][mt_rand(0, count($captcha_config['fonts']) - 1)];
+
+    // Verify font file exists
+    if( !file_exists($font) ) throw new Exception('Font file not found: ' . $font);
+
+    //Set the font size.
+    $font_size = mt_rand($captcha_config['min_font_size'], $captcha_config['max_font_size']);
+    $text_box_size = imagettfbbox($font_size, $angle, $font, $captcha_config['code']);
+
+    // Determine text position
+    $box_width = abs($text_box_size[6] - $text_box_size[2]);
+    $box_height = abs($text_box_size[5] - $text_box_size[1]);
+    $text_pos_x_min = 0;
+    $text_pos_x_max = ($bg_width) - ($box_width);
+    $text_pos_x = mt_rand($text_pos_x_min, $text_pos_x_max);
+    $text_pos_y_min = $box_height;
+    $text_pos_y_max = ($bg_height) - ($box_height / 2);
+    if ($text_pos_y_min > $text_pos_y_max) {
+        $temp_text_pos_y = $text_pos_y_min;
+        $text_pos_y_min = $text_pos_y_max;
+        $text_pos_y_max = $temp_text_pos_y;
+    }
+    $text_pos_y = mt_rand($text_pos_y_min, $text_pos_y_max);
+
+    // Draw shadow
+    if( $captcha_config['shadow'] ){
+        $shadow_color = hex2rgb($captcha_config['shadow_color']);
+        $shadow_color = imagecolorallocate($captcha, $shadow_color['r'], $shadow_color['g'], $shadow_color['b']);
+        imagettftext($captcha, $font_size, $angle, $text_pos_x + $captcha_config['shadow_offset_x'], $text_pos_y + $captcha_config['shadow_offset_y'], $shadow_color, $font, $captcha_config['code']);
+    }
+
+    // Draw text
+    imagettftext($captcha, $font_size, $angle, $text_pos_x, $text_pos_y, $color, $font, $captcha_config['code']);
+
+    // Output image
+    header("Content-type: image/png");
+    imagepng($captcha);
+
+}