Version 2.3
实现keepsession 修复新消息时标题的bug
16
README.md
16
README.md
@@ -38,8 +38,16 @@ define('ENCRYPT_PASS', "bluelotus");
|
|||||||
* 挑战应答式的登录校验,session绑定ip与useragent
|
* 挑战应答式的登录校验,session绑定ip与useragent
|
||||||
* 密码输错三次封IP,误封请删除`DATA_PATH`/forbiddenIPList.dat文件
|
* 密码输错三次封IP,误封请删除`DATA_PATH`/forbiddenIPList.dat文件
|
||||||
|
|
||||||
|
## keepsession功能
|
||||||
|
* 需要在config.php开启
|
||||||
|
* 如果请求的get或post或cookie中带有keepsession=1,则这条记录会被keepsession
|
||||||
|
* 请设置脚本或者网站监控定期访问keepsession.php
|
||||||
|
* 请将cookie存在cookie参数,url存在location参数(传递方法可get可post可cookie),如`index.php?keepsession=1&cookie=aaa&location=bbb`,keepsession.php将会定期使用cookie aaa去访问bbb
|
||||||
|
* cookie和location参数支持base64编码,keepsession.php会自动判断,自动解码
|
||||||
|
* 如果不设置location,将会使用HTTP Referer作为url
|
||||||
|
* keepsession.php使用`flock($pid, LOCK_EX|LOCK_NB)`实现单例运行(由于windows下不支持无阻塞锁定,所以最好删除keepsession.php里的`set_time_limit(0)`),可自行加上sleep防止keepsession.php被恶意频繁访问
|
||||||
|
|
||||||
## TODO
|
## TODO
|
||||||
* keepsession
|
|
||||||
* 完全启用CSP
|
* 完全启用CSP
|
||||||
* 我的js
|
* 我的js
|
||||||
* js模板
|
* js模板
|
||||||
@@ -52,3 +60,9 @@ define('ENCRYPT_PASS', "bluelotus");
|
|||||||
* 为方便开发与调试,未合并压缩js与css,待最终版发布后合并
|
* 为方便开发与调试,未合并压缩js与css,待最终版发布后合并
|
||||||
* 使用纯真ip库的函数基于Discuz X3.1 function_misc.php上修改而来, 判断客户端操作系统与浏览器的脚本基于原作者@author Jea杨写的php版本修改而来,后台整体布局借鉴Kendo UI 的demo NORTHWIND DASH
|
* 使用纯真ip库的函数基于Discuz X3.1 function_misc.php上修改而来, 判断客户端操作系统与浏览器的脚本基于原作者@author Jea杨写的php版本修改而来,后台整体布局借鉴Kendo UI 的demo NORTHWIND DASH
|
||||||
* Warning: 本工具仅允许使用在CTF比赛等学习、研究场景,严禁用于非法用途
|
* Warning: 本工具仅允许使用在CTF比赛等学习、研究场景,严禁用于非法用途
|
||||||
|
|
||||||
|
## 意见与建议
|
||||||
|
|
||||||
|
欢迎大家在体验过程中提出各种宝贵的意见和建议,以及各种bug!
|
||||||
|
|
||||||
|
反馈邮箱firesun.cn`at`gmail.com
|
||||||
|
|||||||
@@ -80,7 +80,7 @@ require("auth.php");
|
|||||||
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
<span id="rights">Copyright © 2015-2016<br>Powered by <a href="https://github.com/firesunCN" target="_blank">Firesun</a></span>
|
<span id="rights">Copyright © 2015-2016<br>Powered by <a href="http://firesun.me" target="_blank">Firesun</a></span>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
|||||||
1
auth.php
1
auth.php
@@ -23,4 +23,5 @@ if(!(isset($_SESSION['isLogin']) && $_SESSION['isLogin']===true && isset($_SESSI
|
|||||||
header("Content-Security-Policy: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'");
|
header("Content-Security-Policy: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'");
|
||||||
header("X-Content-Security-Policy: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'");
|
header("X-Content-Security-Policy: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'");
|
||||||
header("X-WebKit-CSP: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'");
|
header("X-WebKit-CSP: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'");
|
||||||
|
|
||||||
?>
|
?>
|
||||||
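Review bot: `frame-src 'none'` in the policy on these lines restricts what the admin page may itself embed, not who may embed it, so the login/console pages stay frameable; if clickjacking protection is intended, add `frame-ancestors 'none'` to the CSP (plus `header("X-Frame-Options: DENY");` for older browsers), e.g. `header("Content-Security-Policy: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'");`. The `X-Content-Security-Policy` and `X-WebKit-CSP` copies are pre-standard prefixes for old Firefox and WebKit builds; they are harmless, but current browsers read only the unprefixed header, so either drop them or add a comment saying which legacy browsers they are kept for. The rendered view shows the same three headers on both sides and a single added line, so I cannot tell which of them this commit introduces.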
@@ -19,17 +19,29 @@ if (!function_exists('getallheaders')) {
|
|||||||
//判断该记录是否
|
//判断该记录是否
|
||||||
function isKeepSession($info){
|
function isKeepSession($info){
|
||||||
$keepsession=false;
|
$keepsession=false;
|
||||||
foreach($info['cookie_data'] as $k => $v) {
|
|
||||||
if($k==="keepsession")
|
|
||||||
$keepsession=($v==="1"?true:false);
|
|
||||||
}
|
|
||||||
foreach($info['post_data'] as $k => $v) {
|
|
||||||
if($k==="keepsession")
|
|
||||||
$keepsession=($v==="1"?true:false);
|
|
||||||
}
|
|
||||||
foreach($info['get_data'] as $k => $v) {
|
foreach($info['get_data'] as $k => $v) {
|
||||||
if($k==="keepsession")
|
if($k==="keepsession")
|
||||||
|
{
|
||||||
$keepsession=($v==="1"?true:false);
|
$keepsession=($v==="1"?true:false);
|
||||||
|
return $keepsession;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
foreach($info['post_data'] as $k => $v) {
|
||||||
|
if($k==="keepsession")
|
||||||
|
{
|
||||||
|
$keepsession=($v==="1"?true:false);
|
||||||
|
return $keepsession;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
foreach($info['cookie_data'] as $k => $v) {
|
||||||
|
if($k==="keepsession")
|
||||||
|
{
|
||||||
|
$keepsession=($v==="1"?true:false);
|
||||||
|
return $keepsession;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return $keepsession;
|
return $keepsession;
|
||||||
}
|
}
|
||||||
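Review bot: the comment above the function, `//判断该记录是否`, is cut off mid-sentence on the new side, and the body is the same loop written three times with an early return; the three sources differ only in which array is searched, so one loop over `get_data`, `post_data`, `cookie_data` with `array_key_exists('keepsession', ...)` keeps the GET > POST > cookie precedence and the `=== "1"` test while making the order obvious and retiring the now-dead `$keepsession=false;` initialiser. The `isset($info[$src])` guard below is the one deliberate difference: the original emits a warning and skips when a source array is absent from `$info`, and nothing in this hunk shows whether loadInfo always supplies all three. Suggested replacement for the whole function (which is fully visible in the hunk):
```php
// Whether this record asked to be kept alive: keepsession=1 in the GET, POST or cookie
// data of the captured request, checked in that order (the first source carrying the key decides).
function isKeepSession($info){
    foreach (array('get_data', 'post_data', 'cookie_data') as $src) {
        if (isset($info[$src]) && array_key_exists('keepsession', $info[$src])) {
            return $info[$src]['keepsession'] === "1";
        }
    }
    return false;
}
```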
|
|||||||
@@ -1,9 +1,102 @@
|
|||||||
<?php
|
<?php
|
||||||
define("IN_XSS_PLATFORM",true);
|
define("IN_XSS_PLATFORM",true);
|
||||||
|
|
||||||
|
ignore_user_abort();
|
||||||
|
//Windows平台最好别设成0,因为windows上lock没法实现非阻塞
|
||||||
|
set_time_limit(0);
|
||||||
|
|
||||||
require_once("config.php");
|
require_once("config.php");
|
||||||
require_once("functions.php");
|
require_once("functions.php");
|
||||||
require_once("dio.php");
|
require_once("dio.php");
|
||||||
//to do
|
|
||||||
|
if(KEEP_SESSION)
|
||||||
|
{
|
||||||
|
//利用非阻塞的flock实现单例运行
|
||||||
|
$pid = fopen(DATA_PATH. '/check.pid', "w");
|
||||||
|
if(!$pid)
|
||||||
|
exit();
|
||||||
|
|
||||||
|
if(flock($pid, LOCK_EX|LOCK_NB))
|
||||||
|
{
|
||||||
|
$files = glob(DATA_PATH . '/*.php');
|
||||||
|
foreach ($files as $file) {
|
||||||
|
$filename=basename($file,".php");
|
||||||
|
$info=loadInfo($filename);
|
||||||
|
if($info['keepsession']===true)
|
||||||
|
{
|
||||||
|
$url=getLocation($info);
|
||||||
|
$cookie=getCookie($info);
|
||||||
|
|
||||||
|
$useragent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2535.0 Safari/537.36";
|
||||||
|
if(isset($info['headers_data']['User-Agent']))
|
||||||
|
$useragent=$info['headers_data']['User-Agent'];
|
||||||
|
|
||||||
|
if($url!="" && $cookie!="")
|
||||||
|
{
|
||||||
|
$ch = curl_init();
|
||||||
|
$header[]= 'User-Agent: '.$useragent;
|
||||||
|
$header[]= 'Cookie: '.$cookie;
|
||||||
|
curl_setopt($ch,CURLOPT_URL,$url);
|
||||||
|
curl_setopt($ch,CURLOPT_HTTPHEADER,$header);
|
||||||
|
curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);
|
||||||
|
curl_setopt($ch, CURLOPT_TIMEOUT,10);
|
||||||
|
//https不校验证书,按需开启吧
|
||||||
|
//curl_setopt ( $curl_handle, CURLOPT_SSL_VERIFYHOST, 0 );
|
||||||
|
curl_exec($ch);
|
||||||
|
curl_close($ch);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
//可加上sleep来防止keepsession被ddos
|
||||||
|
//sleep(10);
|
||||||
|
flock($pid, LOCK_UN);
|
||||||
|
}
|
||||||
|
|
||||||
|
fclose($pid);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
function getCookie($info){
|
||||||
|
$cookie="";
|
||||||
|
|
||||||
|
if(isset($info['decoded_get_data']['cookie'])&&$info['decoded_get_data']['cookie']!="")
|
||||||
|
$cookie=$info['decoded_get_data']['cookie'];
|
||||||
|
else if(isset($info['get_data']['cookie'])&&$info['get_data']['cookie']!="")
|
||||||
|
$cookie=$info['get_data']['cookie'];
|
||||||
|
else if(isset($info['decoded_post_data']['cookie'])&&$info['decoded_post_data']['cookie']!="")
|
||||||
|
$cookie=$info['decoded_post_data']['cookie'];
|
||||||
|
else if(isset($info['post_data']['cookie'])&&$info['post_data']['cookie']!="")
|
||||||
|
$cookie=$info['post_data']['cookie'];
|
||||||
|
else if(isset($info['decoded_cookie_data']['cookie'])&&$info['decoded_cookie_data']['cookie']!="")
|
||||||
|
$cookie=$info['decoded_cookie_data']['cookie'];
|
||||||
|
else if(isset($info['cookie_data']['cookie'])&&$info['cookie_data']['cookie']!="")
|
||||||
|
$cookie=$info['cookie_data']['cookie'];
|
||||||
|
|
||||||
|
return htmlspecialchars_decode(stripslashes($cookie),ENT_QUOTES);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
function getLocation($info){
|
||||||
|
$location="";
|
||||||
|
|
||||||
|
if(isset($info['decoded_get_data']['location'])&&$info['decoded_get_data']['location']!="")
|
||||||
|
$location=$info['decoded_get_data']['location'];
|
||||||
|
else if(isset($info['get_data']['location'])&&$info['get_data']['location']!="")
|
||||||
|
$location=$info['get_data']['location'];
|
||||||
|
else if(isset($info['decoded_post_data']['location'])&&$info['decoded_post_data']['location']!="")
|
||||||
|
$location=$info['decoded_post_data']['location'];
|
||||||
|
else if(isset($info['post_data']['location'])&&$info['post_data']['location']!="")
|
||||||
|
$location=$info['post_data']['location'];
|
||||||
|
else if(isset($info['decoded_cookie_data']['location'])&&$info['decoded_cookie_data']['location']!="")
|
||||||
|
$location=$info['decoded_cookie_data']['location'];
|
||||||
|
else if(isset($info['cookie_data']['location'])&&$info['cookie_data']['location']!="")
|
||||||
|
$location=$info['cookie_data']['location'];
|
||||||
|
else if(isset($info['headers_data']['Referer'])&&$info['headers_data']['Referer']!="")
|
||||||
|
$location=$info['headers_data']['Referer'];
|
||||||
|
|
||||||
|
return htmlspecialchars_decode(stripslashes($location),ENT_QUOTES);
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
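Review bot: `curl_exec($ch)` at the bottom of the keep-alive loop runs without `CURLOPT_RETURNTRANSFER`, so the body of every cookie-bearing request is written straight into keepsession.php's own HTTP response — and since this script requires config/functions/dio but not auth.php, and the README tells users to have an external monitor poll it, anyone who can reach keepsession.php gets to read the pages fetched with the victims' session cookies. `$url` comes from `getLocation()`, i.e. from the recorded request's `location` parameter or its Referer header, and `CURLOPT_FOLLOWLOCATION` is on with no `CURLOPT_PROTOCOLS`, `CURLOPT_REDIR_PROTOCOLS` or `CURLOPT_MAXREDIRS`, so the server will fetch whatever scheme and host the recorded request named and follow its redirect chain (as far as I know libcurl re-sends `CURLOPT_HTTPHEADER` headers, here including `Cookie`, to every redirect target, so the captured cookie can be handed to a third host) — worth pinning to http/https with a small redirect cap. Separately, the commented-out verification line references `$curl_handle` rather than `$ch`, and `CURLOPT_SSL_VERIFYHOST` alone does not disable certificate checking (`CURLOPT_SSL_VERIFYPEER` does), so if someone uncomments it as written it will neither run nor do what the comment says. Proposed options, placed among the existing `curl_setopt` calls:
```php
$ch = curl_init();
// … unchanged: $header[] User-Agent / Cookie, CURLOPT_URL, CURLOPT_HTTPHEADER …
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);   // keep fetched bodies out of this script's output
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_MAXREDIRS, 5);
curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);        // $url is taken from the captured request
curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);  // and so is any redirect target
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
// … unchanged: curl_exec / curl_close …
```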
@@ -23,7 +23,7 @@ $forbiddenIPList=loadForbiddenIPList();
|
|||||||
$ip=$_SERVER['REMOTE_ADDR'];
|
$ip=$_SERVER['REMOTE_ADDR'];
|
||||||
if(!isset($forbiddenIPList[$ip]) || $forbiddenIPList[$ip]<3)
|
if(!isset($forbiddenIPList[$ip]) || $forbiddenIPList[$ip]<3)
|
||||||
{
|
{
|
||||||
if(isset($_POST['password']) && $_POST['password']!='' )
|
if(isset($_POST['password']) && $_POST['password']!="")
|
||||||
{
|
{
|
||||||
if(checkPassword($_POST['password']))
|
if(checkPassword($_POST['password']))
|
||||||
{
|
{
|
||||||
@@ -85,7 +85,7 @@ php -r "$salt='!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl';$key='bluelotus';$key=md5($salt
|
|||||||
*/
|
*/
|
||||||
function checkPassword($p)
|
function checkPassword($p)
|
||||||
{
|
{
|
||||||
if(isset($_SESSION['firesunCheck'])&&isset($_POST['firesunCheck'])&&$_SESSION['firesunCheck']!=""&&$_POST['firesunCheck']===$_SESSION['firesunCheck'])
|
if(isset($_POST['firesunCheck']) && isset($_SESSION['firesunCheck']) && $_SESSION['firesunCheck']!="" && $_POST['firesunCheck']===$_SESSION['firesunCheck'])
|
||||||
{
|
{
|
||||||
//改了这个盐记得改login.js里的,两个要一致
|
//改了这个盐记得改login.js里的,两个要一致
|
||||||
$salt="!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl";
|
$salt="!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl";
|
||||||
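Review bot: the reordered condition still compares the challenge token with `===`; `hash_equals()` gives a constant-time comparison and states the intent: `if(isset($_POST['firesunCheck'], $_SESSION['firesunCheck']) && is_string($_POST['firesunCheck']) && $_SESSION['firesunCheck']!=="" && hash_equals($_SESSION['firesunCheck'], $_POST['firesunCheck']))` (the `is_string` guard is needed because `hash_equals` throws on an array value, which `firesunCheck[]=` in the POST body would produce, whereas `===` just evaluated it to false). The rest of checkPassword, including whether `$_SESSION['firesunCheck']` is cleared after a successful or failed attempt so a captured challenge cannot be replayed, lies outside the hunk, so I cannot confirm it. The comment above the salt could also say that the salt is shipped to the client in login.js and therefore only fixes the wire format rather than adding any secrecy, so readers do not mistake it for a server-side secret.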
|
|||||||
@@ -9,7 +9,6 @@ function readNotification(){
|
|||||||
$(this).parent().fadeOut(200);
|
$(this).parent().fadeOut(200);
|
||||||
//reload data
|
//reload data
|
||||||
$('#panelGrid').jqxGrid('updatebounddata');
|
$('#panelGrid').jqxGrid('updatebounddata');
|
||||||
//$("#panelGrid").jqxGrid({ source: getAdapter() });
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -23,7 +22,7 @@ function showNotification(newUnreadNum,lastedID,interval){
|
|||||||
{
|
{
|
||||||
|
|
||||||
if(document.title)
|
if(document.title)
|
||||||
document.title='【收到'+unreadNum+"份消息】"+document.title;
|
document.title='【收到'+unreadNum+"封消息】"+oldTitle;
|
||||||
|
|
||||||
var notificationHTML='<div id="webpushtipcontainer" class="webpushtipoutter" ><div class="webpushtipinner"><div id="webpushtip1" style="visibility: visible; bottom: 0px;" class="newmailNotifyItem notify_mail"><div class="newmailNotify" id="newNotification"><a nocheck="true" id="webpushtip1close" class="notify_close"title="关闭"></a><div class="notify_type"><span></span><label><em id="unreadNum">1</em></label></div><div class="notify_content"><p class="notify_location">未知</p><p class="notify_title">0.0.0.0</p><p class="notify_digest">GET:0个 POST:0个 Cookie:0个</p></div></div></div></div></div>';
|
var notificationHTML='<div id="webpushtipcontainer" class="webpushtipoutter" ><div class="webpushtipinner"><div id="webpushtip1" style="visibility: visible; bottom: 0px;" class="newmailNotifyItem notify_mail"><div class="newmailNotify" id="newNotification"><a nocheck="true" id="webpushtip1close" class="notify_close"title="关闭"></a><div class="notify_type"><span></span><label><em id="unreadNum">1</em></label></div><div class="notify_content"><p class="notify_location">未知</p><p class="notify_title">0.0.0.0</p><p class="notify_digest">GET:0个 POST:0个 Cookie:0个</p></div></div></div></div></div>';
|
||||||
$("#webpushtipcontainer").remove();
|
$("#webpushtipcontainer").remove();
|
||||||
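Review bot: the new title line `document.title='【收到'+unreadNum+"封消息】"+oldTitle;` depends on `oldTitle` being captured before the first call, but neither its declaration nor its initialisation is inside this hunk (showNotification starts above it), so please confirm it is set once at page load from `document.title` and never reassigned after the prefix has been added — otherwise the stacking-prefix bug this commit fixes returns in another form, and an unset `oldTitle` would render literally as `undefined`. A one-line comment above the assignment, such as `// oldTitle: the page title before any unread-count prefix was added`, would make that invariant explicit for the next reader.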
|
|||||||