
[Feature Request]: Captcha interface

Open AZMCode opened this issue 3 years ago • 5 comments

Problem

So, in some cases, exploitable fields are protected by Captcha systems. I am aware there is no reliable automatic method of solving captchas, and the rest of this issue will stick to this.

Possible Solution

To start off, sqlmap could detect whether a Captcha page has been reached, possibly by matching the contents of the response with common Captcha providers, or possibly allowing for custom URL/Content matching. When such a situation is detected, I propose sqlmap then hands the redirected URL, current Cookies, and any other necessary data through a public API to another program, possibly within the same system. The captcha-solving program would then handle everything, and hand over a new URL and Cookies to continue testing. This captcha-solving program could just be an interface to Selenium for manual user solving, or a connection to a Captcha-solving service. Either way, sqlmap would only need to maintain an open-source interface.

Possible Solution Alternatives

Possibly sqlmap could handle Selenium by itself, but this would hinder the flexibility of the system and maybe introduce unnecessary complexity to solve the problem. Of course there would be the alternative of directly integrating a commercial Captcha-solving service, but I imagine this is out of the question. Other solutions could be proposed, but AFAIK there's none that couldn't be integrated using the API solution described above.

AZMCode, Aug 08 '21 14:08

Hey, @AZMCode! I'd like to work on this one, can you assign it to me, please?

lucastosetto, Jan 19 '22 10:01

I believe I cannot, as I'm not a manager of the repository.

AZMCode, Jan 19 '22 16:01

@AZMCode The idea of interfacing with Selenium sounds great, but the drawback is that it would require additional drivers to be installed on the user's machine (chromedriver or geckodriver, for instance). Of course we could ask for the user's permission to install it, but imho it would not be nice from a UX perspective. What we could do is try to access the browser (if the user itself has those drivers installed) and if not, fall back to the current flow. There could be some observation in the docs regarding this information. What do you think?

Also, @huykieuu is searching for some APIs to handle the automatic solving.

lucastosetto, Jan 21 '22 10:01

Don't do manual solving; the request is sent over and over again. You should get the data you need with Python and pass it to a local captcha solver that the user would have to set up.

e2002e, Jul 31 '22 10:07

I suggest using the existing image captcha recognition library ddddocr to recognize SMS verification codes.

yanbo0723, Aug 14 '22 10:08