1. Get parameters through the browser console Network
Open the web page that contains the reCaptcha and press F12 -> Network.
Get websiteKey
Search for the keyword anchor. The websiteKey is in the URL of the matching request; for example, the k value in the following link is the websiteKey: 6LfW6wATAAAAAHLqO2pb8bDBahxlMxNdo9g947u9
https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfW6wATAAAAAHLqO2pb8bDBahxlMxNdo9g947u9&co=aHR0cHM6Ly9yZWNhcHRjaGEtZGVtby5hcHBzcG90LmNvbTo0NDM.&hl=en&v=qljbK_DTcvY1PzbR7IG69z1r&size=normal&cb=3gteobhlohbk
Get websiteURL
websiteURL: This is generally the URL of the current reCaptcha page, but sometimes it differs from the current page URL. If that happens, check whether the domain in the referer request header of the https://www.google.com/recaptcha/api2/anchor request matches the current domain; if it does not, the referer takes precedence.
referer: https://recaptcha-demo.appspot.com/
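The k value and the referer check described above can be read from a captured anchor request programmatically. This is an added example, not code from the original page: the function names and return shape are illustrative, and treating co as the base64-encoded origin (with "." as padding) is an assumption based on how the sample value above decodes.

```javascript
// Added example; function names and return shape are illustrative.
// Sample anchor URL copied from the page above.
const SAMPLE_ANCHOR = 'https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfW6wATAAAAAHLqO2pb8bDBahxlMxNdo9g947u9&co=aHR0cHM6Ly9yZWNhcHRjaGEtZGVtby5hcHBzcG90LmNvbTo0NDM.&hl=en&v=qljbK_DTcvY1PzbR7IG69z1r&size=normal&cb=3gteobhlohbk';

// Assumption: `co` is the embedding origin in URL-safe base64 with "."
// in place of "=" padding (the sample value decodes that way).
function decodeCo(co) {
  const b64 = co.replace(/\./g, '=').replace(/-/g, '+').replace(/_/g, '/');
  return typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('latin1');
}

// new URL(...).origin drops default ports and any path, so
// "https://host:443" and "https://host/login" normalise to the same string.
function normalizeOrigin(value) {
  return new URL(value).origin;
}

function parseAnchorUrl(anchorUrl, referer) {
  const url = new URL(anchorUrl);
  const hosts = ['www.google.com', 'www.recaptcha.net'];
  if (!hosts.includes(url.hostname) || !url.pathname.endsWith('/anchor')) {
    throw new Error('not a reCAPTCHA anchor request');
  }
  const websiteKey = url.searchParams.get('k');
  if (!websiteKey) throw new Error('anchor URL has no k parameter');

  const co = url.searchParams.get('co');
  const embeddedOrigin = co ? normalizeOrigin(decodeCo(co)) : null;
  const refererOrigin = referer ? normalizeOrigin(referer) : null;
  return {
    websiteKey,
    size: url.searchParams.get('size'),
    embeddedOrigin,
    refererOrigin,
    // null when either side is unknown; otherwise whether they agree
    originsMatch: embeddedOrigin && refererOrigin
      ? embeddedOrigin === refererOrigin
      : null,
  };
}

console.log(parseAnchorUrl(SAMPLE_ANCHOR, 'https://recaptcha-demo.appspot.com/'));
```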
Get pageAction
reCaptcha v3 requires a pageAction value. A wrong value greatly affects the token score. Search for the keyword grecaptcha in the source code of the web page; the value after action: is the one we want, for example:
grecaptcha.ready(function() {
  grecaptcha.execute('6LdpS-gUAAAAAL3Qr2yP7rkrQjkKBVvEY_48JS5l', {action: 'login'}).then(function(token) {
  });
});
Searching the page source this way often fails to find the pageAction, so other methods are needed.
2. Get parameters through automatic recognition functions
Open the web page where the verification code appears, press F12 to open the console, and enter the custom function findRecaptchaClients():
function findRecaptchaClients() {
  // eslint-disable-next-line camelcase
  if (typeof (___grecaptcha_cfg) !== 'undefined') {
    // eslint-disable-next-line camelcase, no-undef
    return Object.entries(___grecaptcha_cfg.clients).map(([cid, client]) => {
      const data = { id: cid, version: cid >= 10000 ? 'V3' : 'V2' };
      const objects = Object.entries(client).filter(([_, value]) => value && typeof value === 'object');

      objects.forEach(([toplevelKey, toplevel]) => {
        const found = Object.entries(toplevel).find(([_, value]) => (
          value && typeof value === 'object' && 'sitekey' in value && 'size' in value
        ));

        if (typeof toplevel === 'object' && toplevel instanceof HTMLElement && toplevel['tagName'] === 'DIV') {
          data.pageurl = toplevel.baseURI;
        }

        if (found) {
          const [sublevelKey, sublevel] = found;

          data.sitekey = sublevel.sitekey;
          const callbackKey = data.version === 'V2' ? 'callback' : 'promise-callback';
          const callback = sublevel[callbackKey];
          if (!callback) {
            data.callback = null;
            data.function = null;
          } else {
            data.function = callback;
            const keys = [cid, toplevelKey, sublevelKey, callbackKey].map((key) => `['${key}']`).join('');
            data.callback = `___grecaptcha_cfg.clients${keys}`;
          }
        }
      });
      return data;
    });
  }
  return [];
}

findRecaptchaClients()
Then execute findRecaptchaClients() in the console to find the corresponding information:
[
  {
    "id": "0",
    "version": "V2",
    "sitekey": "6Le-wvkSAAAAAPBMRTvw0Q4Muexq9bi0DJwx_mJ-",
    "function": "onSuccess",
    "callback": "___grecaptcha_cfg.clients['0']['l']['l']['callback']",
    "pageurl": "https://www.google.com/recaptcha/api2/demo"
  }
]
3. Get parameters through Charles (the best way)
The best way is to use the Charles packet capture software to obtain detailed data about the website's requests, but this method has a higher barrier to entry and requires some knowledge of network packet capture.
Get websiteKey
After setting up Charles, open the website that uses reCaptcha. You can capture the requests sent to Google under the www.google.com or www.recaptcha.net domain. In the anchor request, Content->Query String shows the k value, which is the websiteKey. You can also see the size value, which is normal, so it is not an invisible version.
Get websiteURL
Same as the method above.
Get pageAction
Open a reCaptcha v3 demo site. After verification is triggered as the page prompts, the browser sends a reload request to Google. (On other websites the trigger differs: some fire after the login button is clicked, and some fire automatically when the page is entered.) The request contains a large amount of encrypted data. Select the request in Charles, and Content->Protobuf shows the data as decoded by Charles's Protobuf viewer. The value of field 8 is the correct pageAction.