149 lines
4.2 KiB
PHP
149 lines
4.2 KiB
PHP
<?php
|
||
define("IN_XSS_PLATFORM",true);
|
||
//CSP开启
|
||
header("Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'");
|
||
header("X-Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'");
|
||
header("X-WebKit-CSP: default-src 'self'; object-src 'none'; frame-src 'none'");
|
||
|
||
//设置httponly
|
||
ini_set("session.cookie_httponly", 1);
|
||
session_start();
|
||
require_once("config.php");
|
||
require_once("functions.php");
|
||
|
||
//判断是否登陆
|
||
if(isset($_SESSION['isLogin']) && $_SESSION['isLogin']===true)
|
||
{
|
||
header("Location: admin.php");
|
||
exit();
|
||
}
|
||
|
||
//判断ip是否在封禁列表中
|
||
$forbiddenIPList=loadForbiddenIPList();
|
||
$ip=$_SERVER['REMOTE_ADDR'];
|
||
if(!isset($forbiddenIPList[$ip]) || $forbiddenIPList[$ip]<3)
|
||
{
|
||
if(isset($_POST['password']) && $_POST['password']!='' )
|
||
{
|
||
if(checkPassword($_POST['password']))
|
||
{
|
||
$_SESSION['isLogin']=true;
|
||
$_SESSION['user_IP']=$ip;
|
||
$_SESSION['user_agent']=$_SERVER['HTTP_USER_AGENT'];
|
||
if(isset($forbiddenIPList[$ip]))
|
||
{
|
||
unset($forbiddenIPList[$ip]);
|
||
saveForbiddenIPList($forbiddenIPList);
|
||
}
|
||
header("Location: admin.php");
|
||
exit();
|
||
}
|
||
else
|
||
{
|
||
if(isset($forbiddenIPList[$ip]))
|
||
$forbiddenIPList[$ip]++;
|
||
else
|
||
$forbiddenIPList[$ip]=1;
|
||
saveForbiddenIPList($forbiddenIPList);
|
||
}
|
||
}
|
||
|
||
}
|
||
|
||
function loadForbiddenIPList()
|
||
{
|
||
$logfile = DATA_PATH . '/forbiddenIPList.dat';
|
||
!file_exists( $logfile ) && @touch( $logfile );
|
||
$str = file_get_contents( $logfile );
|
||
if(ENABLE_ENCRYPT)
|
||
$str =decrypt($str,ENCRYPT_PASS);
|
||
if($str!='')
|
||
{
|
||
$result=json_decode($str,true);
|
||
if($result!=null)
|
||
return $result;
|
||
else
|
||
return array();
|
||
}
|
||
else
|
||
return array();
|
||
}
|
||
|
||
function saveForbiddenIPList($forbiddenIPList)
|
||
{
|
||
$logfile = DATA_PATH . '/forbiddenIPList.dat';
|
||
!file_exists( $logfile ) && @touch( $logfile );
|
||
$str=json_encode($forbiddenIPList);
|
||
if(ENABLE_ENCRYPT)
|
||
$str = encrypt($str,ENCRYPT_PASS);
|
||
@file_put_contents($logfile, $str);
|
||
}
|
||
|
||
/*
|
||
生成密码
|
||
php -r "$salt='!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl';$key='bluelotus';$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);echo $key;"
|
||
*/
|
||
function checkPassword($p)
|
||
{
|
||
if(isset($_SESSION['firesunCheck'])&&isset($_POST['firesunCheck'])&&$_SESSION['firesunCheck']!=""&&$_POST['firesunCheck']===$_SESSION['firesunCheck'])
|
||
{
|
||
//改了这个盐记得改login.js里的,两个要一致
|
||
$salt="!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl";
|
||
$key=PASS;
|
||
$key=md5($salt.$key.$_SESSION['firesunCheck'].$salt);
|
||
$key=md5($salt.$key.$_SESSION['firesunCheck'].$salt);
|
||
$key=md5($salt.$key.$_SESSION['firesunCheck'].$salt);
|
||
return $key===$p;
|
||
|
||
}
|
||
return false;
|
||
}
|
||
|
||
//生成挑战应答的随机值
|
||
function generate_password( $length = 32 ) {
|
||
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
|
||
$password = "";
|
||
for ( $i = 0; $i < $length; $i++ )
|
||
$password .= $chars[ mt_rand(0, strlen($chars) - 1) ];
|
||
return $password;
|
||
}
|
||
|
||
|
||
?>
|
||
|
||
<html>
|
||
<head>
|
||
<meta charset="utf-8" />
|
||
<title>登录</title>
|
||
<link rel="stylesheet" href='static/css/font-awesome.css' type="text/css" >
|
||
<link rel="stylesheet" href="static/css/login.css" type="text/css" />
|
||
|
||
<script type="text/javascript" src="static/js/jquery.min.js" ></script>
|
||
<script type="text/javascript" src="static/js/login.js" ></script>
|
||
</head>
|
||
|
||
<body>
|
||
<div id="loginform">
|
||
<div id="logo"></div>
|
||
<div id="mainlogin">
|
||
<h1>
|
||
登录控制面板
|
||
</h1>
|
||
<form action="" method="post">
|
||
<input type="password" placeholder="password" id="password" name="password" required="required">
|
||
<input id="firesunCheck" type="hidden" name="firesunCheck" value=<?php $firesunCheck=generate_password(32); $_SESSION['firesunCheck']=$firesunCheck;echo json_encode($_SESSION['firesunCheck']);?> />
|
||
<button type="submit" id="submit">
|
||
<i class="fa fa-arrow-right">
|
||
</i>
|
||
</button>
|
||
</form>
|
||
<div id="note">
|
||
<a href="#">
|
||
忘记密码?
|
||
</a>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
</body>
|
||
|
||
</html>
|