BlueLotus_XSSReceiver/auth.php

<?php
if (!defined('IN_XSS_PLATFORM')) {
    exit('Access Denied');
}

require_once("functions.php");

//设置httponly
ini_set("session.cookie_httponly", 1);
session_start();

//判断登陆情况，ip和useragent是否改变，改变则强制退出
if ( !(isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true && isset($_SESSION['user_agent']) && $_SESSION['user_agent'] != "" && $_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT']) ) {
    $_SESSION['isLogin']    = false;
    $_SESSION['user_IP']    = "";
    $_SESSION['user_agent'] = "";
    session_unset();
    session_destroy();
    header("Location: login.php");
    exit();
}

if ( ADMIN_IP_CHECK_ENABLE && !(isset($_SESSION['user_IP']) && $_SESSION['user_IP'] != "" && $_SESSION['user_IP'] === getRealIP()) ) {
    $_SESSION['isLogin']    = false;
    $_SESSION['user_IP']    = "";
    $_SESSION['user_agent'] = "";
    session_unset();
    session_destroy();
    header("Location: login.php");
    exit();
}

//开启CSP
header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'");
header("X-Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'");
header("X-WebKit-CSP: default-src 'self'; style-src 'self' 'unsafe-inline';img-src 'self' data:; frame-src 'none'");
-												Version 1.0

											
										
										
											2015-10-13 00:07:10 +08:00
+								<?php
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								if (!defined('IN_XSS_PLATFORM')) {
 								    exit('Access Denied');
-												Version 2.0
实现基本功能
实现了基本界面admin.php
支持查看各种信息，支持自动base64解码

todolist
keepsession
认证
完全启用CSP
我的js
js模板

为实现一些jqxgrid无法实现的功能改动了jqx库，详见diff文件夹

											
										
										
											2015-10-27 12:26:59 +08:00
+								}
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
-												Version 3.4.0
1. 增加了ADMIN_IP_CHECK_ENABLE与XFF_ENABLE两个选项，在有反代或负载均衡的情况下可开启XFF_ENABLE，关闭ADMIN_IP_CHECK_ENABLE
2. 修复一系列bug

											
										
										
											2016-12-27 21:49:19 +08:00
+								require_once("functions.php");
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
+								//设置httponly
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								ini_set("session.cookie_httponly", 1);
-												Version 2.2
增加登录界面与登录校验

											
										
										
											2015-10-29 00:57:57 +08:00
+								session_start();
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
+								//判断登陆情况，ip和useragent是否改变，改变则强制退出
-												Version 3.4.0
1. 增加了ADMIN_IP_CHECK_ENABLE与XFF_ENABLE两个选项，在有反代或负载均衡的情况下可开启XFF_ENABLE，关闭ADMIN_IP_CHECK_ENABLE
2. 修复一系列bug

											
										
										
											2016-12-27 21:49:19 +08:00
+								if ( !(isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true && isset($_SESSION['user_agent']) && $_SESSION['user_agent'] != "" && $_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT']) ) {
 								    $_SESSION['isLogin']    = false;
 								    $_SESSION['user_IP']    = "";
 								    $_SESSION['user_agent'] = "";
 								    session_unset();
 								    session_destroy();
 								    header("Location: login.php");
 								    exit();
 								}
 								if ( ADMIN_IP_CHECK_ENABLE && !(isset($_SESSION['user_IP']) && $_SESSION['user_IP'] != "" && $_SESSION['user_IP'] === getRealIP()) ) {
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								    $_SESSION['isLogin']    = false;
 								    $_SESSION['user_IP']    = "";
 								    $_SESSION['user_agent'] = "";
 								    session_unset();
 								    session_destroy();
 								    header("Location: login.php");
 								    exit();
-												Version 2.2
增加登录界面与登录校验

											
										
										
											2015-10-29 00:57:57 +08:00
+								}
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
+								//开启CSP
-												Version 3.0.0
1. 完成js模板，我的js模块，可以直接添加修改用于xss的js
2. 采用ace编辑器实现js代码高亮与错误检测
3. 使用js_beautify实现js代码格式化，使用jsmin实现js代码压缩
4. 整合xss'or工具部分功能，自由编码，方便生成最终的payload
5. 增加加密方式RC4，更改默认加密方式为RC4
6. 从旧版本升级并想保留记录的请务必查看Readme里的升级步骤
7. 修复一系列bug

											
										
										
											2016-01-24 01:07:17 +08:00
+								header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'");
 								header("X-Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'");
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								header("X-WebKit-CSP: default-src 'self'; style-src 'self' 'unsafe-inline';img-src 'self' data:; frame-src 'none'");