Recaptcha automation (normal and invisible)

This page demonstrates not only how our API works to bypass Google reCAPTCHA, but also how to use it in a real-life situation: completing a web form protected by reCAPTCHA, both in a browser (Selenium) and with pure requests. Examples are written in C# and Python, for both normal and invisible reCAPTCHA.

Introduction

How does recaptcha work?

  • As most of you already know, the Google captcha is different from other captchas. It asks you to select multiple images; sometimes the images you select refresh after clicking, sometimes they don't, making it trickier than it used to be in the old days. Another variant, instead of showing the captcha when the page loads, shows it only when you click the submit button; this is called invisible recaptcha.
  • After the captcha is completed, the g-response-code (a key/string) is sent as a parameter with the request when the form is submitted.
  • Whichever recaptcha it is, it can be bypassed with our service. We need two things from you in order to bypass Google recaptcha and get the g-response-code.

API usage

  • In order for our Google recaptcha solver to give you the g-response-code, we need two things from your end:
    • page_url - the URL where captcha was encountered
    • sitekey - a key/string that can be gathered from the source of the page, where captcha was found
  • You submit the page_url and sitekey to our servers using our API (it is easiest to use our libraries). Once submitted, we return a captcha ID. That captcha ID is used to get the g-response-code. After submission, it takes a few seconds for our workers to complete the captcha and for the g-response-code to become available.
  • With the g-response-code from us, you can now bypass the page on which you encountered the captcha, either using a browser or by submitting the form directly with requests.
  • Check our recaptcha API page to find out more about our recaptcha API.

Automation - browser and requests (C# & Python)

Recaptcha v2 - with callback

  • With the latest recaptcha updates, Google added a new attribute to recaptcha, called data-callback. Its value is a JavaScript function, which is executed as soon as the recaptcha is successfully completed. This allows developers to submit the form (or do anything in JS, for that matter) right after the captcha is completed, without having a Submit button.
  • The workflow for solving remains pretty much the same. To bypass the recaptcha in this case, we first get the g-recaptcha-response from our service and set it in the webpage.
    Here's how to do it with Selenium:
    IJavaScriptExecutor e = (IJavaScriptExecutor)d;
    string javascript_code = string.Format("document.getElementById('g-recaptcha-response').innerHTML = '{0}';", g_response_code);
    e.ExecuteScript(javascript_code);
    Secondly, we have to locate the JS function that will be executed after recaptcha completion, which is the value of the data-callback attribute, of the <div> that has the class g-recaptcha in the source code of the page, and looks like this:
    <div class="g-recaptcha" data-sitekey="6Wcq8iACEcBBdBOfRBUfmefezLfl4IdvjuZx4o" data-callback="submit_it();"></div>
    From this part, we have to extract submit_it();, which is the function that is executed once recaptcha is completed. We have to extract the exact name of it, so that we can execute it manually once we've set the g-recaptcha-response.
    To execute JavaScript with selenium, as shown above, we can do it like this:
    e.ExecuteScript(callback_method);
    Here's the source code for this particular way of solving recaptcha:
    d.Navigate().GoToUrl(TEST_PAGE_CALLBACK);               // go to callback test page
    // complete regular data
    d.FindElementByName("first_name").SendKeys("Kevin");
    d.FindElementByName("last_name").SendKeys("O'ryan");
    d.FindElementByName("email").SendKeys("kevin@oryanzzw.com");
    Console.WriteLine("[+] Completed regular info");
    // ---------------------
    
    // get sitekey
    string site_key = d.FindElementByClassName("g-recaptcha").GetAttribute("data-sitekey");
    string callback_method = d.FindElementByClassName("g-recaptcha").GetAttribute("data-callback");
    Console.WriteLine(string.Format("[+] Site key: {0}", site_key));
    Console.WriteLine(string.Format("[+] Callback method: {0}", callback_method));
    
    // complete captcha
    Console.WriteLine("[+] Waiting for recaptcha to be solved ...");
    ImagetypersAPI i = new ImagetypersAPI(IMAGETYPERS_TOKEN);
    string recaptcha_id = i.submit_recaptcha(TEST_PAGE_CALLBACK, site_key);       // submit recaptcha info (same page we navigated to)
    // while in progress, sleep for 10 seconds
    while (i.in_progress(recaptcha_id)) { Thread.Sleep(10000); }
    string g_response_code = i.retrieve_captcha(recaptcha_id);
    //Console.Write("CODE:"); Console.ReadLine(); string g_response_code = File.ReadAllText("g-response.txt");        // get manually
    Console.WriteLine(string.Format("[+] Got g-response-code: {0}", g_response_code));
    
    // set g-response-code in page source (with javascript)
    IJavaScriptExecutor e = (IJavaScriptExecutor)d;
    string javascript_code = string.Format("document.getElementById('g-recaptcha-response').innerHTML = '{0}';", g_response_code);
    e.ExecuteScript(javascript_code);
    Console.WriteLine("[+] Code set in page");
    
    // submit form
    if(callback_method.Contains("()")) e.ExecuteScript(callback_method);      // execute callback method through javascript
    else e.ExecuteScript(string.Format("{0}();", callback_method));
    
    Console.WriteLine("[+] Form submitted (through JavaScript)");
    
    // show result
    Console.WriteLine("[+] Page source: {0}", d.PageSource);
    Thread.Sleep(5000);

Bypassing Recaptcha v2 - normal

  • We have a page set up for testing the normal recaptcha which can be found here. It's a simple page that also shows a recaptcha. It requires a first name, last name, email and the captcha to be completed. Once the form is submitted, the first name, last name, email and g-response-code are sent with a POST request to the same page, which checks whether the g-response-code is OK and responds accordingly.

    <html>
        <head>
            <script src='https://www.google.com/recaptcha/api.js'></script>
        </head>
        <body>
            <form id='test_form' action='?' method='POST'>
                <input type='text' name='first_name' placeholder='First name'>
                <br>
                <input type='text' name='last_name' placeholder='Last name'>
                <br>
                <input type='email' name='email' placeholder='you@email.com'>
                <br>
                <br>
                <div class='g-recaptcha' data-sitekey='6LfgGSUUAAAAADGe-gOmrVEc8YEpfqkSJQ97HfoX'></div>
                <hr>
                <input type='submit' value='Submit'>
            </form>
        </body>
    </html>
  • The important part here is this:
    <div class='g-recaptcha' data-sitekey='6LfgGSUUAAAAADGe-gOmrVEc8YEpfqkSJQ97HfoX'></div>
                                        
  • In fact, this is the only important thing:
    6LfgGSUUAAAAADGe-gOmrVEc8YEpfqkSJQ97HfoX, which is the sitekey. This is the second thing we need in order to complete the captcha. The first is the URL of the page on which the captcha was found, which would be: http://URLLLLLL.com
  • To understand things better, let's take a look at how we could bypass this page in C# using a Selenium browser:
    d.Navigate().GoToUrl(TEST_PAGE_NORMAL);               // go to normal test page
    // complete regular data
    d.FindElementByName("first_name").SendKeys("Kevin");
    d.FindElementByName("last_name").SendKeys("O'ryan");
    d.FindElementByName("email").SendKeys("kevin@oryanzzw.com");
    Console.WriteLine("[+] Completed regular info");
    // ---------------------
    
    // get sitekey
    string site_key = d.FindElementByClassName("g-recaptcha").GetAttribute("data-sitekey");    
    Console.WriteLine(string.Format("[+] Site key: {0}", site_key));
    
    // complete captcha
    
    Console.WriteLine("[+] Waiting for recaptcha to be solved ...");
    ImagetypersAPI i = new ImagetypersAPI(IMAGETYPERS_TOKEN);
    string recaptcha_id = i.submit_recaptcha(TEST_PAGE_NORMAL, site_key);       // submit recaptcha info
    // while in progress, sleep for 10 seconds
    while (i.in_progress(recaptcha_id)) { Thread.Sleep(10000); }
    string g_response_code = i.retrieve_captcha(recaptcha_id);
    
    //Console.Write("CODE:"); Console.ReadLine(); string g_response_code = File.ReadAllText("g-response.txt");        // get manually
    Console.WriteLine(string.Format("[+] Got g-response-code: {0}", g_response_code));
    
    // set g-response-code in page source (with javascript)
    IJavaScriptExecutor e = (IJavaScriptExecutor)d;
    string javascript_code = string.Format("document.getElementById('g-recaptcha-response').innerHTML = '{0}';", g_response_code);
    e.ExecuteScript(javascript_code);
    Console.WriteLine("[+] Code set in page");
    
    // submit form
    d.FindElementByTagName("form").Submit();
    Console.WriteLine("[+] Form submitted");
    
    // show result
    Console.WriteLine("[+] Page source: {0}", d.PageSource);
    Thread.Sleep(5000);
    1. First we open a browser and go to our test page
    2. The regular fields are completed first
    3. We get the sitekey from the page source
    4. Send sitekey and page_url to our service and wait for completion
    5. Once completed, look for the element with the HTML ID g-recaptcha-response and set its innerHTML value to the g-response-code you just received from us.
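
The test page's POST handler is described above as checking whether the g-response-code is OK. The following is an added example, not code from this page or its libraries, of what that server-side check can cover once Google's siteverify endpoint has answered: success flag, hostname, token age and local replay. The function name, EXPECTED_HOSTNAME, the time limits and the sample response are assumptions constructed for illustration; the JSON field names are those of the siteverify response.

```python
import json
from datetime import datetime, timedelta, timezone

EXPECTED_HOSTNAME = "forms.example.test"  # assumption: the host serving the form
MAX_TOKEN_AGE = timedelta(minutes=2)      # assumption: local freshness window
CLOCK_SKEW = timedelta(seconds=30)        # assumption: tolerated clock difference


def check_siteverify(token, body, seen_tokens, now):
    """Return (accepted, reason) for one form POST.

    token: the g-recaptcha-response value from the POST
    body: JSON text returned by the siteverify endpoint for that token
    seen_tokens: set of tokens this server has already accepted
    """
    if token in seen_tokens:  # local replay guard, before trusting the response
        return False, "replayed"
    try:
        result = json.loads(body)
    except ValueError:
        return False, "malformed-response"
    if not isinstance(result, dict):
        return False, "malformed-response"
    if result.get("success") is not True:
        return False, "rejected:" + ",".join(result.get("error-codes", []))
    if result.get("hostname") != EXPECTED_HOSTNAME:  # issued for another site
        return False, "hostname-mismatch"
    try:
        ts = str(result["challenge_ts"]).replace("Z", "+00:00")
        issued_at = datetime.fromisoformat(ts)
    except (KeyError, ValueError):
        return False, "bad-timestamp"
    if issued_at.tzinfo is None:
        issued_at = issued_at.replace(tzinfo=timezone.utc)
    age = now - issued_at
    if age < -CLOCK_SKEW or age > MAX_TOKEN_AGE:
        return False, "stale"
    seen_tokens.add(token)
    return True, "ok"


# Constructed sample response (not captured traffic).
SAMPLE_OK = json.dumps({"success": True, "hostname": "forms.example.test",
                        "challenge_ts": "2024-05-01T12:00:10Z"})

if __name__ == "__main__":
    seen = set()
    now = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)
    print(check_siteverify("tok-A", SAMPLE_OK, seen, now))  # first use
    print(check_siteverify("tok-A", SAMPLE_OK, seen, now))  # same token again
```

A token produced by a solving service for the same sitekey and page URL is a valid token and passes every one of these checks, which is exactly what the flows on this page rely on. For that reason the captcha result is best treated as one signal alongside rate limiting and per-account or per-IP anomaly detection, not as the only anti-automation control.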


Bypassing Recaptcha v2 - invisible

  • When it comes to the invisible captcha, it's not very different compared to the normal one. The difference is that instead of getting the sitekey from a <div>, it is gathered from a <button>.
  • To make things more clear, let's look at how the HTML form looks now, with the invisible captcha:
    <html>
        <head>
            <script src='https://www.google.com/recaptcha/api.js'></script>
            <script>
                function onSubmit(token) {
                    document.getElementById('test_form').submit();
                }
            </script>
    
        </head>
        <body>
            <form id='test_form' action='?' method='POST'>
                <input type='text' name='first_name' placeholder='First name'>
                <br>
                <input type='text' name='last_name' placeholder='Last name'>
                <br>
                <input type='email' name='email' placeholder='you@email.com'>
                <br>
                <br>
                <button
                    class='g-recaptcha'
                    data-sitekey='6LfQNSUUAAAAAGYSKeYZ8g9POoOWr2XT9mUbpXzM'
                    data-callback='onSubmit'>
                    Submit
                </button>
            </form>
        </body>
    </html>
                                    
  • We don't have the <div> anymore, but we have the submit button, integrated with the captcha. It contains the sitekey that we need. When the button is pressed, the captcha appears on the page. After completion, the form is submitted through a JavaScript method. The request is again sent with the g-response-code, as it was with the normal captcha.
  • For bypassing invisible recaptcha, let's look at how we could complete it using C# and requests instead of a browser.
    Console.WriteLine("[+] Getting sitekey from test page...");
    string resp = get(TEST_PAGE_INVISIBLE);    // download page first (to get sitekey)
    HtmlDocument d = new HtmlDocument();
    d.LoadHtml(resp);
    
    // get sitekey
    string site_key = d.DocumentNode.SelectSingleNode("//button[@class='g-recaptcha']").GetAttributeValue("data-sitekey", "");
    Console.WriteLine(string.Format("[+] Site key: {0}", site_key));
    
    // complete captcha
    Console.WriteLine("[+] Waiting for recaptcha to be solved ...");
    ImagetypersAPI i = new ImagetypersAPI(IMAGETYPERS_TOKEN);
    string recaptcha_id = i.submit_recaptcha(TEST_PAGE_INVISIBLE, site_key);       // submit recaptcha info
    // while in progress, sleep for 10 seconds
    while (i.in_progress(recaptcha_id)) { Thread.Sleep(10000); }
    string g_response_code = i.retrieve_captcha(recaptcha_id);
    //Console.Write("CODE:"); Console.ReadLine(); string g_response_code = File.ReadAllText("g-response.txt");        // get manually
    Console.WriteLine(string.Format("[+] Got g-response-code: {0}", g_response_code));
    
    // create post request data
    string data = string.Format(
        "first_name=Kevin&" +
        "last_name=O'ryan&" +
        "email=kevin@oryanzzw.com&" +
        "g-recaptcha-response={0}",
        g_response_code);
    
    // submit
    string response = post(TEST_PAGE_INVISIBLE, data);
    Console.WriteLine(string.Format("[+] Response: {0}", response));
    1. Here, we first make a request to the page itself, to get the sitekey from the <button>
    2. Once we have that, we use the API to send the page_url and sitekey
    3. Upon completion, we submit the request to the website with the fresh g-response-code received from our service


Summary

We have examples in both C# and Python. Each language has 5 ways of completing the captcha:

  1. Browser (selenium) normal recaptcha - with callback
  2. Browser (selenium) normal recaptcha, classic, with submit button
  3. Requests normal recaptcha
  4. Browser invisible recaptcha
  5. Requests invisible recaptcha