Have you ever wondered how you can get a valid reCAPTCHA token to send a valid HTTP request? While doing a web pentest for a client, I came up with this idea, which gets you a token that you can then use from a Python function of your own to interact with your target. It might not be the best way, but it helped me a lot.
IMPORTANT NOTE: This method works as long as the following option has been disabled by the administrators:
Disclaimer: This has been made for ethical hacking purposes. Make sure you have the permissions if you're using this against a target.
In order to use this script, we need to have the three files: get_token.py, process.php, and token.html in the same folder.
Then, if using a local server, we can start one using the following command:
php -S 0.0.0.0:8888
(You can modify the script if you want to use another port).
Now we can just run python get_token.py. This is how it works:
- A bot starts a new Firefox instance and visits localhost:8888/token.html.
- Once the page has loaded, it will immediately submit the invisible reCAPTCHA (make sure you have placed your target's site key properly in token.html).
- After the submission, we'll get a reCAPTCHA response, and the bot will auto-fill the username and password fields and submit the form.
- Once that's been submitted, the reCAPTCHA token travels along with the username and password as a parameter of a GET request that is later processed by process.php.
- process.php confirms that the reCAPTCHA token has been sent and creates a file called tokens.txt containing a single line with the most recent token.
- The token is read from that file and returned by the function.
- Our own function can then send a request containing a valid reCAPTCHA token.
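From the defender's side, this is an added example (my own code, not part of the original post or its three files) of the server-side check that makes the flow above fail: Google's siteverify response reports the hostname on which the challenge was solved, together with a challenge timestamp, and a token is accepted only once (a replay comes back with the error code timeout-or-duplicate). A token solved on localhost:8888/token.html therefore carries a hostname that does not match the protected site, and the application can reject it on that field alone. The secret key, hostnames, timestamps and JSON responses below are constructed samples; fetch_siteverify shows the real endpoint and parameters but is not called offline.

```python
"""Server-side reCAPTCHA verification that enforces the hostname binding (added example)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_siteverify(secret: str, token: str, remote_ip: Optional[str] = None) -> dict:
    """POST the token to siteverify and return the parsed JSON (network call).

    `secret` is the server-side secret that pairs with the site key embedded
    in the page; it never leaves the server. `remoteip` is optional.
    """
    params = {"secret": secret, "response": token}
    if remote_ip:
        params["remoteip"] = remote_ip
    body = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def assess_siteverify(result: dict, expected_hostnames: Set[str],
                      max_age: timedelta = timedelta(minutes=2),
                      now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide whether a siteverify response should be accepted.

    Checks, in order: the success flag (covers replayed tokens), the hostname
    on which the challenge was actually solved, and the challenge age.
    """
    if not result.get("success"):
        codes = ",".join(result.get("error-codes", [])) or "unspecified"
        return False, f"siteverify rejected token ({codes})"
    hostname = result.get("hostname")
    if hostname not in expected_hostnames:
        return False, f"token was solved on {hostname!r}, not on this site"
    ts = result.get("challenge_ts")
    if not ts:
        return False, "challenge_ts missing"
    # challenge_ts is ISO 8601 with a Z suffix, e.g. 2024-01-01T12:00:00Z
    solved_at = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    age = now - solved_at
    if age > max_age:
        return False, f"challenge is {age.total_seconds():.0f}s old"
    return True, "ok"


# Constructed sample responses in the shape siteverify returns (not real data).
SOLVED_ON_OUR_SITE = {
    "success": True,
    "challenge_ts": "2024-01-01T12:00:00Z",
    "hostname": "app.example.com",
}
# What a token harvested from a local token.html page looks like to the server.
SOLVED_ON_LOCALHOST = {
    "success": True,
    "challenge_ts": "2024-01-01T12:00:00Z",
    "hostname": "localhost",
}
# A token that was already verified once and is being sent again.
REPLAYED = {
    "success": False,
    "error-codes": ["timeout-or-duplicate"],
}

EXPECTED_HOSTS = {"app.example.com"}
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)    # 30 s after solve
STALE_NOW = datetime(2024, 1, 1, 12, 10, 0, tzinfo=timezone.utc)    # 10 min after solve


if __name__ == "__main__":
    for label, sample, when in [
        ("genuine", SOLVED_ON_OUR_SITE, FIXED_NOW),
        ("harvested", SOLVED_ON_LOCALHOST, FIXED_NOW),
        ("replayed", REPLAYED, FIXED_NOW),
        ("stale", SOLVED_ON_OUR_SITE, STALE_NOW),
    ]:
        ok, reason = assess_siteverify(sample, EXPECTED_HOSTS, now=when)
        print(f"{label:10s} accepted={ok} ({reason})")
```

In a real handler you would call fetch_siteverify(secret, token, request_ip) and pass its result to assess_siteverify; do not cache or skip the siteverify call for a token you have already seen, because the single-use property is what stops a harvested token from being reused across many requests.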
This is how the PHP server looks for the requests made by our bot:
This is what the script looks like with the sample function I added to get_token.py: