My previous question on StackOverflow was about that someone was sending me hundreds of spam emails every few hours. Now, I fixed the script on the server side but the next morning I still got 30 emails or something and my hosting company gave me a new password to my FTP and moved my index files to a backup map(website offline), they said it was hacked because of the suspicious script below. They said "This often happens via a leaked script in your website, a script that is "out of date". What does that mean? They say in the email that there is something with this script file. Which is impossible to hack in right because I used reCaptcha on the server side, is there something missing?
<?php
if(isset($_POST['g-recaptcha-response'])){
$captcha=$_POST['g-recaptcha-response'];
}
/* OUTCOMMENTED CODE BELOW DOESN'T LET FORM SEND IF EVERYTHING IS CHECKED????
if(!$captcha){
echo '<h2>Check captcha .</h2>';
exit;
}*/
$response=file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=(SECRETKEY)&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']);
if($response.success==false)
{
echo '<span id="status" style="font-size:1vmax;color:red;">ReCaptcha ERROR</span>';
}else
{
if( isset($_POST['n']) && isset($_POST['e']) && isset($_POST['mn']) &&
isset($_POST['m']) ){
$n = $_POST['n']; // HINT: use preg_replace() to filter the data
$e = $_POST['e'];
$mn = $_POST['mn'];
$m = nl2br($_POST['m']);
$to = "gesternl@gester.nl";
$from = $e;
$subject = 'Contact Formulier-eng';
$message = '<b>Naam:</b> '.$n.' <br><b>Email:</b> '.$e.' <br><b>Mobiel-nummer:</b> '.$mn.' <p>'.$m.'</p>';
$headers = "Van: $from\n";
$headers .= 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
if( mail($to, $subject, $message, $headers) ){
echo "success";
} else {
echo "The server failed to send a message. Please try again later. Thank you!";
}
}
}
?>
I just uploaded it again to see what is going to happen now. Can someone please help me make this file secure for a hacker. Nobody really helped in the previous question but only gave advice without code (and I am nooby).
(The outcommented code around line 8 doesn't work which i don't understand, does someone know why is that why someone can hack into it maybe?)
And yes the code in the HTML for recaptcha is well linked with the public key
- You've to sanitizing user input as said @kevin Cai
You've an error in line:
if($response.success==false)$response=file_get_contents("......"); $result = json_decode($response); if($result->success==false){
$response=file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=(SECRETKEY)&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']);
if($response.success==false)
This fragment of code is an unfortunate bit of nonsense that has found its way into a lot of (terrible) tutorials. It provides no protection whatsoever -- the condition is always false, because $response.success is interpreted as concatenating the constant success to the API response returned by the reCaptcha API. This will cause the CAPTCHA to be always treated as valid, regardless of the user's input.
Use the Google reCaptcha library to verify responses from the reCaptcha API. It is available at: https://github.com/google/recaptcha
You're not sanitizing user input, for one. You should fix that right away as it's a security flaw.
来源:https://stackoverflow.com/questions/51050393/my-server-side-php-still-got-hacked-after-recaptcha-hundreds-spam-emails