MoBiC-21: AIP CAPTCHA bypass
Next participant of the project is AIP captcha. It is Auto-Input Protection (AIP) for ASP.NET. This captcha plugin is using at some amount of sites and all of them are in risk with this insecure captcha
This captcha plugin is vulnerable for Advanced MustLive CAPTCHA bypass method. In current example plugin is using at contact me page. This Insufficient Anti-automation hole I found 30.10.2007
In Advanced MustLive CAPTCHA bypass method you need to use the same ctl00 $ Main $ aip $ input value for every post. And because sites with AIP are using ASP.NET, you need also to bypass (bult-in) CSRF protection also. For this you can use the same __VIEWSTATE and __EVENTVALIDATION values
Insufficient Anti-automation:
AIP CAPTCHA bypass.html
This exploit for educational purposes only
You need to setup exploit to test it (set site’s URL and others data). If you want to test it immediately, here is online example
I found this hole at adamcooper.com which is using AIP captcha
Insufficient Anti-automation:
adamcooper.com CAPTCHA bypass.html
Guys not overdo with this Captcha bypass test. This exploit for educational purposes only
Moral: never make such unreliable captchas.
