0x00: Introduction
There have been a lot of projects lately, small ones worth a few thousand yuan, big ones worth several million. Some are genuinely hard to do, some are just writing code. Sigh, I'm useless. I really can't handle the multi-million ones.
While writing that code, you sometimes run into the problem of a captcha on the login page.
As shown in the figure:
With this kind of captcha, brute forcing hits a wall. That is when you need a third-party API to solve it for you.
0x01: Process
1. Call the third-party API at https://recaptcha.press/ to do the recognition. Topping up 100 yuan buys 100,000 recognitions. 100,000 should be roughly enough; if it is not, just throw more money at it.
Invitation code: 83fb7684-cec5-4f04-b367-30f221ba94bd
2. Read the developer documentation.
sitekey: the site key of the captcha on the site being brute-forced; it is essentially a fixed, unique value.
sitereferer: the login URL on which the captcha appears.
authorization: the token from your recaptcha.press back end after you register.
3. Example:
https://api.recaptcha.press/task/create?siteKey=xxx&siteReferer=https://xxx/&authorization=xxxx
You can test this against a demo page on Google's own site:
https://www.google.com/recaptcha/api2/demo
First, capture the request and look at the packet:
```http
POST /recaptcha/api2/demo HTTP/2
Host: www.google.com
Cookie: CONSENT=YES+RU.zh-CN ; ANID=AHWqTUnpM9M9N3C-XI1rCkTXFhGuNcRs6G1qaZl5z1xVyk1fDziNj5V_6lSXtjnw; SEARCH_SAMESITE=CgQI5pIB; OGPC=19025836-2:; HSID=AEtfKcMzFIAisJ0sY; SSID=AWXIGFx86ZogPHANq; APISID=31uKzg-fH-czuM1v/A5wtp9qsZHC8I472-; SAPISID=r1vn8MWMa2Ew-POQ/AKdhzfpj1TrHqjz4O; __Secure-1PAPISID=r1vn8MWMa2Ew-POQ/AKdhzfpj1TrHqjz4O; __Secure-3PAPISID=r1vn8MWMa2Ew-POQ/AKdhzfpj1TrHqjz4O; SID=CgiY96UAh5cBlZvqBGlNpuydYdXx5NK4Yy3ecA6OCmY_-KxnCy3TECBa18Eavyht0-yLHQ.; __Secure-1PSID=CgiY96UAh5cBlZvqBGlNpuydYdXx5NK4Yy3ecA6OCmY_-KxnDfJCP_QRveawib2Em9O4Pw.; __Secure-3PSID=CgiY96UAh5cBlZvqBGlNpuydYdXx5NK4Yy3ecA6OCmY_-Kxn44HHqDFwr0RfGD-RZ-SGMw.; __Secure-1PSIDCC=AJi4QfGokJd9C35wlb5d9h3DHw3SEZf3EJy2LVhlZWiyH2ayd2hHQKBshYLdfWzcODD3pvZH0g; 1P_JAR=2021-10-15-14; NID=511=DiSRu6xApatENcVooK3RWWy2gUblaW4ZPEFTXxkeFN3bBctyNvt2lhcj9-imILF3P2-4Z8N7HrWK1MEI3HKjvVGCy0Kp7AIxORpIWsvLOUYHD6DFBgBKsXZGMc_2pdIVKjW16IxaPH0mujj7iIH3fi-35-OFEMkDU9vcy4qkUiMZ43Go-pwGg36T-ewMRzYN9lS-WyYB7JJh0xRmKhd34rQEmlty-aWA6QUehKOyIScn1OhazU9vxGAlBnFworFq_46dOXSTZxTjiRSfMMyIxj5C1zjqNP5wV-xgLwpmyutY_z7aqAbeIzfvJ-ZbR8hmpkjnkX8W23LIIpS1wCM6H5EU1bmM-GbtT5pyEK5Uo24gDm5NAk9K8H0XBzMVjugt6Qa-GViqWw468Zi_B-N9FhfzEwCf3QEsH3kj; SIDCC=AJi4QfG8jGOWImkc7hw3ieo5wdDNEvnZjH3apRSQn1EIe-_6lr8U2cBfn6veGdsdzmnlATytgkg; __Secure-3PSIDCC=AJi4QfEBQM-Us4fp4lZ--ItS2gEOBry1W5U5jVGC4C6_VdtvKDAcIh8li2QTnORvVsdUUQxYT7s
Content-Length: 1614
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://www.google.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
X-Client-Data: CIy2yQEIpbbJAQjEtskBCKmdygEIu/rKAQjv8MsBCOvyywEI7/LLAQiQ9MsBCJ75ywEIj/rLAQjchMwBCOeEzAEI+YTMAQi2hcwBCNWFzAEI/4XMAQiAhswB
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.google.com/recaptcha/api2/demo
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

g-recaptcha-response=03AGdBq24Gl5F26uNBzV6TbAosWrVLJ1ec8FcLvOtpGJEQHcsT54V9ub7krlX8mRShP7Vjeo1Lz68am0RJ4t1l27N1uR9AdRXSonAxUO00ve-eOcvOoh_nFaOpgZPuONpGPHk3d07DOIT5Uqp-JtjRw4SvA4-YPHXLoubrv-j2P5KyYC4H6tMD6PvhBwA8ZeTHWs9PPyzy3Xa2jqfA85viWt7l9KA1WG7zgLz1pNy3UIq7xQi4nAcqj8y-XpFoyVeOBrA6Axztz4_o3qCgt6IUobvRMgftXFFZvG4giwauibQkOQMbxfcnjbJegedBlSGz8Mjn3xdFzW5yo9Ht_687GvwwZgar-NGpjpbSmwdiq_lJw0uy8QLgFt4JgPThd-dWsKEz4TUz6okhrR4zLPCLPTaxj7DbYwtOd-Mnfxk_iHW0iUbikq-RcHNQhnzx8-_nn91rRLpuJ4J2oDCkriXrseHTX13FpXM-wuRf3fqmhaCytSiNmSrVkIObWC2J7suS6_rN-CiPbYaH9P8WPRXdJ__FuNuXrs1l3FnSQcLPAyK_iRpgMJE0aV9oJVIJ6betVRU0B92dv-wh4V03_46vzyWyXTshIy1jEhlKSGaUENVSi9ev4F8fB-uAOlVektqPLD-LLzYwGokviBR5SrjhX4vt7IvdUjE2jTToznn_recRak8rdsFhAbVpYl-3SpR-0VEVk_8-FD-VpGfKMwrOhnJ3pcPnpi3VW2rOJkfmTqYiEZbNaXIr3ZpbpkiAtskffS85YhfN3XuQW7G7TXwmH8gTsLSDJjgApGvl5C-34bk3X81bCFB5ro-E0qTAszZnkaPD6vGHBxrusM5qD4B86FRfBj5GMSJL95nplX_OvGKPl6lF73l9TpG626Pvwy2COHNkoJwaSLwNjY1fpBQUT0vCdL0yR-sUR5EUgDEqcWZ-24-BmvrdpzaDaYNGl-4u33rRMx1LLRsecscWIx06_I13yUOD1J5U9l5aDrG9sBNSKep84zST0LhLbWCHWekurfk4Loiqx4YKmZHQ929f-IEg0Kd9cgtkjapNn4SzWk100p1x2nGIXDF8Jw-H_sAtP2PoLSRGVTexMvnQ1DhwxQRClh9DN7TEX5xAlb8YSU1c_868Q8FIxGbKzYwUblaaL4TzP08eCBbg3Kqrcl-MOLaDSBiuPj7OPdNDuZ7F69wb00VCTavFwdADru4vTL2M504yl8ENEm97DKxrIjgYNzaqjHnbQs3eYqykoabPvUR26xf74Hr6x18VLguaG7diejaatLDXA7SGBhoUgZE9GHc5r2DEX-ljPRY6qCdDoikNDxzK5pcasdhDbZxlwDd2cbCTeqlU4a2KsRb0CJSMnhriHEGJ4l0G_UE28lXRG10nVry3APUDjyhjKhJ_GF0Ej5zpf5tPl3faAIPtdqCod_6cPpskIUWDV9vcOoAx9aKMTw2E1Rl3RBxhTrAOSjgZX9ndKcyPjSTMjjlmLhtWppKze-lW4JCvuSHIrMSOlrzjxKps4WQwC28_p9IePG9c3Bt-PvRMfQT7nrCpWHx_Adonls-ZKmcfzBvXlZixLMK9QYLl4Y3WnWI
```
In the POST body, the value of g-recaptcha-response is the recognition result produced by the front-end captcha.
Look up the sitekey value; it sits in the front-end page source.
Build the link following the example above:
https://api.recaptcha.press/task/create?siteKey=6Le-wvkSAAAAAPBMRTvw0Q4Muexq9bi0DJwx_mJ-&siteReferer=https://www.google.com/recaptcha/api2/demo/&authorization=xxxx
authorization is your own token; I have left it blank here.
On successful recognition the API returns the following data:
```json
{
  "success": true,
  "msg": "ok",
  "data": {
    "taskId": "24d708a1-ff6e-46bb-9e0b-6719b9f8d733" // record this ID
  }
}
```
Then take the taskId value to https://api.recaptcha.press/task/status?taskId= to fetch the recognition result.
Example: https://api.recaptcha.press/task/status?taskId=861edc57-d0a0-4f6f-b30f-583fb73ec545
The recognition result is only valid for 2 minutes, so after 2 minutes it has to be recognised again.
4. Code integration
```python
import requests, time
# author: Jaky

def create_task():
    # create a recognition task for the Google demo page's site key; authorization is your own token
    url = "https://api.recaptcha.press/task/create?siteKey=6Le-wvkSAAAAAPBMRTvw0Q4Muexq9bi0DJwx_mJ-&siteReferer=https://www.google.com/recaptcha/api2/demo/&authorization=xxxx"
    try:
        response = requests.get(url)
        if response.status_code == 200:
            data = response.json()
            #print('response data:', data)
            return data.get('data', {}).get('taskId')
    except requests.RequestException as e:
        print('create task failed', e)

def polling_task(task_id):
    # poll the task status until it reports Success, at most 120 times
    url = "https://api.recaptcha.press/task/status?taskId=" + task_id
    count = 0
    while count < 120:
        #print (url)
        try:
            response = requests.get(url)
            if response.status_code == 200:
                data = response.json()
                #print(data)
                status = data.get('data', {}).get('status')
                # print('status of task', status)
                if status == 'Success':
                    return data.get('data', {}).get('response')
        except requests.RequestException as e:
            print('polling task failed', e)
        count += 1      # count this attempt so the loop really stops after 120 polls
        time.sleep(1)   # pause before asking for the status again

def azuiinternetweeklyclaim(response):
    print(response)

if __name__ == "__main__":
    task_id = create_task()
    if task_id is None:
        raise SystemExit('no taskId returned')
    response = polling_task(task_id)
    azuiinternetweeklyclaim(response)
```
The while count < 120 loop is there so that a single unsuccessful recognition is not fatal: it keeps polling for a result up to 120 times.
Demo result:
When brute forcing, you feed the response value into the (Python) brute-force script, or you can extend this into a Burp script.
Look at the example login request: