ReCAPTCHA Headache

09-11-2018, 08:18 PM

Quietz Wrote: Damn Nolan, I told you like 3 times to NOT use it. Probably with a LITTLE bit of knowledge will telll you that.

09-11-2018, 08:23 PM

Gummy Wrote: "Don't use it" it's already in place wtf XD

09-11-2018, 08:23 PM

Quietz Wrote: Running exploit rn






jk

09-11-2018, 07:44 PM

makasih ya gan , thanks Wrote: I don't know if anyone here is interested/proficient in PHP but I'm throwing Google's ReCAPTCHA on our
website because we've been getting a lot of spam lately and I can't figure this thing out for the life of me.

Apparently, according to [@18568], our contact form backend is full of vulns as well as the functionality
of the PHP script itself is just ass. Here is the code...

PHP Code:

<?php
// Your Email
$recipient = "[email protected]"; // PLEASE SET YOUR EMAIL ADDRESS
$recaptcha_secret_key = '-HIDDEN-'; // PLEASE SET YOUR GOOGLE RECAPTCHA API KEY.

// Recaptcha check up
// Requires curl. If your server does not support curl, this script does not work.
if(isset($_POST["g-recaptcha-response"]) && $recaptcha_secret_key !== '') {
$endpoint = 'https://www.google.com/recaptcha/api/siteverify?secret=' . $recaptcha_secret_key . '&response=' . $_POST['g-recaptcha-response'] ;
$curl = curl_init() ;
curl_setopt( $curl , CURLOPT_URL , $endpoint ) ;
curl_setopt( $curl , CURLOPT_SSL_VERIFYPEER , false ) ;
curl_setopt( $curl , CURLOPT_RETURNTRANSFER , true ) ;
curl_setopt( $curl , CURLOPT_TIMEOUT , 5 ) ;
$json = curl_exec( $curl ) ;
curl_close( $curl ) ;

if(json_decode($json)->success === false) {
returnAndExitAjaxResponse(
constructAjaxResponseArray(
FALSE,
'RECAPTCHA_FAILED',
array('error_message'=> 'RECAPTCHA_FAILED')
)
);
}

$json = json_decode($json);

if(json_decode($json)->success === false) {
returnAndExitAjaxResponse(
constructAjaxResponseArray(
FALSE,
'RECAPTCHA_FAIL_RESPONSE',
array('error_message'=> 'Recaptcha response is not valid.')
)
);
}
}

// Check $recipient
if($recipient === '') {
returnAndExitAjaxResponse(
constructAjaxResponseArray(
FALSE,
'RECIPIENT_IS_NOT_SET',
array('error_message'=> 'RECIPIENT email address is not set. Please configure the script.')
)
);
}

// Check for empty required field
if(!isset($_POST["email"]) || !isset($_POST["fname"]) || !isset($_POST["message"])) {
returnAndExitAjaxResponse(
constructAjaxResponseArray(
FALSE,
'MISSING_REQUIRED_FIELDS',
array('error_message'=> 'MISSING_REQUIRED_FIELDS should not be occurred.')
)
);
}

// Sanitize input
$fname= filter_var($_POST["fname"], FILTER_SANITIZE_STRING);
$lname= filter_var($_POST["lname"], FILTER_SANITIZE_EMAIL);
$website = $_POST["website"];
if (!preg_match("~^(?:f|ht)tps?://~i", $website)) $website = "http://" . $website;
$website = filter_var($website, FILTER_VALIDATE_URL);
$email = filter_var(trim($_POST["email"]), FILTER_SANITIZE_EMAIL);
$company = filter_var($_POST["company"], FILTER_SANITIZE_STRING);
$department = filter_var($_POST["department"], FILTER_SANITIZE_STRING);
$message = filter_var($_POST["message"], FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);

// If non required fields are empty
if ( empty($lname) ){
$lname = "No last name entered.";
}
if ( empty($website) ){
$website = "No website entered.";
}
if ( empty($company) ){
$company = "No company entered."
}

// Headers
$headers = 'From: '.$fname.' <'.$email.'>' . "\r\n";
$headers .= 'Reply-To: '.$email.'' . "\r\n";
$headers .= 'X-Mailer: PHP/' . phpversion();

// Subject
$subject = "Contact Form Response";

// Build Message
$email_content = "First Name: $fname\n";
$email_content .= "Last Name: $lname\n";
$email_content .= "Company: $company\n";
$email_content .= "Department: $department\n";
$email_content .= "Website: $website\n";
$email_content .= "Email: $email\n\n";
$email_content .= "Message:\n$message\n\n\n";
$email_content .= "CLIENT IP:\n".get_client_ip()."\n";
$email_content .= "HOST IP:\n".$_SERVER['SERVER_ADDR']."\n";

// Check if sent
try {
$sendmailResult = mail($recipient, $subject, $email_content, $headers);
if( $sendmailResult === TRUE ) {
returnAndExitAjaxResponse(
constructAjaxResponseArray(
TRUE
)
);
} else {
returnAndExitAjaxResponse(
constructAjaxResponseArray(
FALSE,
'ERROR_AT_PHPMAIL',
array('error_information'=> error_get_last() )
)
);
}
} catch (Exception $_e) {
returnAndExitAjaxResponse(
constructAjaxResponseArray(
TRUE,
'ERROR_AT_PHPMAIL',
array('error_message'=> $_e->getMessage())
)
);
}

/*
Construct ajax response array
Input: Result (bool), Message (optional), Data to be sent back in array
*/
function constructAjaxResponseArray ($_response, $_message = '', $_json = null) {
$_responseArray = array();
$_response = ( $_response === TRUE ) ? TRUE : FALSE;
$_responseArray['response'] = $_response;
if(isset($_message)) $_responseArray['message'] = $_message;
if(isset($_json)) $_responseArray['json'] = $_json;

return $_responseArray;
}
/*
Returns in the Gframe ajax format.
Input: data array processed by constructAjaxResponseArray ()
Outputs as a html stream then exits.
*/
function returnAndExitAjaxResponse ($_ajaxResponse) {
if(!$_ajaxResponse){
$_ajaxResponse = array('response'=>false,'message'=>'Unknown error occurred.');
}
header("Content-Type: application/json; charset=utf-8");
echo json_encode($_ajaxResponse);
die();
}


// Function to get the client IP address
function get_client_ip() {
  $ipaddress = '';
  if (isset($_SERVER['HTTP_CLIENT_IP'])) {
    $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
  } else if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
  } else if(isset($_SERVER['HTTP_X_FORWARDED'])) {
    $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
  } else if(isset($_SERVER['HTTP_FORWARDED_FOR'])) {
    $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
  } else if(isset($_SERVER['HTTP_FORWARDED'])) {
    $ipaddress = $_SERVER['HTTP_FORWARDED'];
  } else if(isset($_SERVER['REMOTE_ADDR'])) {
    $ipaddress = $_SERVER['REMOTE_ADDR'];
  } else {
    $ipaddress = 'UNKNOWN';
  }
  return $ipaddress;
}
?>

If anyone has a solution to this let me know! However I got someone messaging me
right now on Discord about the issue.