2015-10-29 00:57:57 +08:00
|
|
|
|
<?php
|
2016-01-28 02:19:09 +08:00
|
|
|
|
define("IN_XSS_PLATFORM", true);
|
|
|
|
|
|
|
|
|
|
|
|
require_once("load.php");
|
|
|
|
|
|
require_once("functions.php");
|
|
|
|
|
|
|
2015-10-29 00:57:57 +08:00
|
|
|
|
//CSP开启
|
|
|
|
|
|
header("Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'");
|
|
|
|
|
|
header("X-Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'");
|
|
|
|
|
|
header("X-WebKit-CSP: default-src 'self'; object-src 'none'; frame-src 'none'");
|
|
|
|
|
|
|
2015-10-30 22:46:04 +08:00
|
|
|
|
//设置httponly
|
2016-01-28 02:19:09 +08:00
|
|
|
|
ini_set("session.cookie_httponly", 1);
|
2015-10-29 00:57:57 +08:00
|
|
|
|
session_start();
|
2016-01-28 02:19:09 +08:00
|
|
|
|
|
2015-10-29 00:57:57 +08:00
|
|
|
|
|
2015-10-30 22:46:04 +08:00
|
|
|
|
//判断是否登陆
|
2016-01-28 02:19:09 +08:00
|
|
|
|
if (isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true) {
|
|
|
|
|
|
header("Location: admin.php");
|
|
|
|
|
|
exit();
|
2015-10-29 00:57:57 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2015-10-30 22:46:04 +08:00
|
|
|
|
//判断ip是否在封禁列表中
|
2016-01-28 02:19:09 +08:00
|
|
|
|
$forbiddenIPList = loadForbiddenIPList();
|
|
|
|
|
|
$ip = $_SERVER['REMOTE_ADDR'];
|
|
|
|
|
|
$is_pass_wrong = false;
|
|
|
|
|
|
if (!isset($forbiddenIPList[$ip]) || $forbiddenIPList[$ip] <= 5) {
|
|
|
|
|
|
if (isset($_POST['password']) && $_POST['password'] != "") {
|
|
|
|
|
|
if (checkPassword($_POST['password'])) {
|
|
|
|
|
|
$_SESSION['isLogin'] = true;
|
|
|
|
|
|
$_SESSION['user_IP'] = $ip;
|
|
|
|
|
|
$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
|
|
|
|
|
|
if (isset($forbiddenIPList[$ip])) {
|
|
|
|
|
|
unset($forbiddenIPList[$ip]);
|
|
|
|
|
|
saveForbiddenIPList($forbiddenIPList);
|
|
|
|
|
|
}
|
|
|
|
|
|
header("Location: admin.php");
|
|
|
|
|
|
exit();
|
|
|
|
|
|
} else {
|
|
|
|
|
|
if (isset($forbiddenIPList[$ip]))
|
|
|
|
|
|
$forbiddenIPList[$ip]++;
|
|
|
|
|
|
else
|
|
|
|
|
|
$forbiddenIPList[$ip] = 1;
|
|
|
|
|
|
saveForbiddenIPList($forbiddenIPList);
|
|
|
|
|
|
$is_pass_wrong = true;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
} else
|
|
|
|
|
|
$is_pass_wrong = true;
|
2015-10-29 00:57:57 +08:00
|
|
|
|
|
2016-01-28 11:27:27 +08:00
|
|
|
|
function loadForbiddenIPList() {
|
2016-01-28 02:19:09 +08:00
|
|
|
|
$logfile = DATA_PATH . '/forbiddenIPList.dat';
|
|
|
|
|
|
!file_exists($logfile) && @touch($logfile);
|
|
|
|
|
|
$str = @file_get_contents($logfile);
|
|
|
|
|
|
if ($str === false)
|
|
|
|
|
|
return array();
|
|
|
|
|
|
|
|
|
|
|
|
$str = decrypt($str);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if ($str != '') {
|
|
|
|
|
|
$result = json_decode($str, true);
|
|
|
|
|
|
if ($result != null)
|
|
|
|
|
|
return $result;
|
|
|
|
|
|
else
|
|
|
|
|
|
return array();
|
|
|
|
|
|
} else
|
|
|
|
|
|
return array();
|
2015-10-29 00:57:57 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2016-01-28 11:27:27 +08:00
|
|
|
|
function saveForbiddenIPList($forbiddenIPList) {
|
2016-01-28 02:19:09 +08:00
|
|
|
|
$logfile = DATA_PATH . '/forbiddenIPList.dat';
|
|
|
|
|
|
!file_exists($logfile) && @touch($logfile);
|
|
|
|
|
|
$str = json_encode($forbiddenIPList);
|
|
|
|
|
|
$str = encrypt($str);
|
|
|
|
|
|
@file_put_contents($logfile, $str);
|
2015-10-29 00:57:57 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
|
生成密码
|
|
|
|
|
|
php -r "$salt='!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl';$key='bluelotus';$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);echo $key;"
|
|
|
|
|
|
*/
|
2016-01-28 11:27:27 +08:00
|
|
|
|
function checkPassword($p) {
|
2016-01-28 02:19:09 +08:00
|
|
|
|
if (isset($_POST['firesunCheck']) && isset($_SESSION['firesunCheck']) && $_SESSION['firesunCheck'] != "" && $_POST['firesunCheck'] === $_SESSION['firesunCheck']) {
|
|
|
|
|
|
//改了这个盐记得改login.js里的,两个要一致
|
|
|
|
|
|
$salt = "!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl";
|
|
|
|
|
|
$key = PASS;
|
|
|
|
|
|
$key = md5($salt . $key . $_SESSION['firesunCheck'] . $salt);
|
|
|
|
|
|
$key = md5($salt . $key . $_SESSION['firesunCheck'] . $salt);
|
|
|
|
|
|
$key = md5($salt . $key . $_SESSION['firesunCheck'] . $salt);
|
|
|
|
|
|
return $key === $p;
|
|
|
|
|
|
}
|
|
|
|
|
|
return false;
|
2015-10-29 00:57:57 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2015-10-30 22:46:04 +08:00
|
|
|
|
//生成挑战应答的随机值
|
2016-01-28 11:27:27 +08:00
|
|
|
|
function generate_password($length = 32) {
|
2016-01-28 02:19:09 +08:00
|
|
|
|
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
|
|
|
|
|
|
$password = "";
|
|
|
|
|
|
for ($i = 0; $i < $length; $i++)
|
|
|
|
|
|
$password .= $chars[mt_rand(0, strlen($chars) - 1)];
|
|
|
|
|
|
return $password;
|
|
|
|
|
|
}
|
2015-10-29 00:57:57 +08:00
|
|
|
|
?>
|
|
|
|
|
|
|
|
|
|
|
|
<html>
|
|
|
|
|
|
<head>
|
|
|
|
|
|
<meta charset="utf-8" />
|
|
|
|
|
|
<title>登录</title>
|
2016-01-30 00:03:47 +08:00
|
|
|
|
<link rel="stylesheet" href='static/css/font-awesome.min.css' type="text/css" >
|
|
|
|
|
|
<link rel="stylesheet" href="static/css/login.min.css" type="text/css" />
|
2015-10-29 00:57:57 +08:00
|
|
|
|
|
|
|
|
|
|
<script type="text/javascript" src="static/js/jquery.min.js" ></script>
|
2016-01-30 00:03:47 +08:00
|
|
|
|
<script type="text/javascript" src="static/js/login.min.js" ></script>
|
2016-01-28 02:19:09 +08:00
|
|
|
|
<?php
|
|
|
|
|
|
if ($is_pass_wrong)
|
|
|
|
|
|
echo '<script type="text/javascript" src="static/js/pass_is_wrong.js" ></script>';
|
|
|
|
|
|
?>
|
2015-10-29 00:57:57 +08:00
|
|
|
|
</head>
|
|
|
|
|
|
|
|
|
|
|
|
<body>
|
|
|
|
|
|
<div id="loginform">
|
|
|
|
|
|
<div id="logo"></div>
|
|
|
|
|
|
<div id="mainlogin">
|
|
|
|
|
|
<h1>
|
|
|
|
|
|
登录控制面板
|
|
|
|
|
|
</h1>
|
|
|
|
|
|
<form action="" method="post">
|
|
|
|
|
|
<input type="password" placeholder="password" id="password" name="password" required="required">
|
2016-01-28 02:19:09 +08:00
|
|
|
|
<input id="firesunCheck" type="hidden" name="firesunCheck" value=<?php
|
|
|
|
|
|
$firesunCheck = generate_password(32);
|
|
|
|
|
|
$_SESSION['firesunCheck'] = $firesunCheck;
|
|
|
|
|
|
echo json_encode($_SESSION['firesunCheck']);
|
|
|
|
|
|
?> />
|
2016-01-24 01:07:17 +08:00
|
|
|
|
|
|
|
|
|
|
<button type="submit" id="submit" disabled="disabled">
|
2015-10-29 00:57:57 +08:00
|
|
|
|
<i class="fa fa-arrow-right">
|
|
|
|
|
|
</i>
|
|
|
|
|
|
</button>
|
2016-01-24 01:07:17 +08:00
|
|
|
|
|
2015-10-29 00:57:57 +08:00
|
|
|
|
</form>
|
|
|
|
|
|
<div id="note">
|
|
|
|
|
|
<a href="#">
|
|
|
|
|
|
忘记密码?
|
|
|
|
|
|
</a>
|
|
|
|
|
|
</div>
|
|
|
|
|
|
</div>
|
|
|
|
|
|
</div>
|
|
|
|
|
|
</body>
|
|
|
|
|
|
|
|
|
|
|
|
</html>
|
