[Feature Request]: Captcha interface #4764
Comments
AZMCode
changed the title
|
Hey, @AZMCode ! I'd like to work on this one, can you assign it to me, please? |
|
I believe I cannot, as I'm not manager of the repository. |
|
@AZMCode The idea of interfacing with Selenium sounds great, but the drawback is that it would require additional drivers to be installed in the user's machine (chromedriver or geckodriver, for instance). Of course we could ask for user's permission to install it, but imho it would not be nice for a UX perspective. What we could do is try to access the browser (if the user itself has those drivers installed) and if not, fallback to the current flow. There could be some observation on the docs regarding this information. What do you think? Also, @huykieuu is searching for some APIs to handle the automatic solving. |
|
Don't do manual solving, request is sent over and over again. |
|
建议使用现在已有的图验证码识别库ddddocr来对短信验证码进行识别 |
Problem
So, in some cases, exploitable fields are protected by Captcha systems. I am aware there is no reliable automatic method of solving captchas, and the rest of this issue will stick to this.
Possible Solution
To start off, sqlmap could detect whether a Captcha page has been reached, possibly by matching the contents of the response with common Captcha providers, or possibly allowing for custom URL/Content matching. When such a situation is detected, I propose sqlmap then hands the redirected URL, current Cookies, and any other necessary data through a public API to another program, possibly within the same system. The captcha-solving program would then handle everything, and hand over a new URL and Cookies to continue testing. This captcha-solving program could just be an interface to Selenium for manual user solving, or a connection to a Captcha-solving service. Either way, sqlmap would only need to maintain an open-source interface.
Possible Solution Alternatives
Possibly sqlmap could handle Selenium by itself, but this would hinder the flexibility of the system and maybe introduce unnecessary complexity to solve the problem. Of course there would be the alternative of directly integrating a commercial Captcha-solving service, but I imagine this is out of the question. Other solutions could be proposed, but AFAIK there's none that couldn't be integrated using the API solution described above.
The text was updated successfully, but these errors were encountered: