firesunCN/BlueLotus_XSSReceiver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8f507e8ea1c1bb2476ffeadc47872bd0695f94bb
BlueLotus_XSSReceiver/login.php
firesun 8f507e8ea1 Version 3.3.5 
除了install与change_encrypt_pass操作以外,所有io操作移至dio.php
2016-01-30 16:36:36 +08:00

124 lines
4.1 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?php
define("IN_XSS_PLATFORM", true);
require_once("load.php");
require_once("functions.php");
require_once("dio.php");
//CSP开启
header("Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'");
header("X-Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'");
header("X-WebKit-CSP: default-src 'self'; object-src 'none'; frame-src 'none'");
//设置httponly
ini_set("session.cookie_httponly", 1);
session_start();
//判断是否登陆
if (isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true) {
header("Location: admin.php");
exit();
}
//判断ip是否在封禁列表中
$forbiddenIPList = loadForbiddenIPList();
$ip = $_SERVER['REMOTE_ADDR'];
$is_pass_wrong = false;
if (!isset($forbiddenIPList[$ip]) || $forbiddenIPList[$ip] <= 5) {
if (isset($_POST['password']) && $_POST['password'] != "") {
if (checkPassword($_POST['password'])) {
$_SESSION['isLogin'] = true;
$_SESSION['user_IP'] = $ip;
$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
if (isset($forbiddenIPList[$ip])) {
unset($forbiddenIPList[$ip]);
saveForbiddenIPList($forbiddenIPList);
}
header("Location: admin.php");
exit();
} else {
if (isset($forbiddenIPList[$ip]))
$forbiddenIPList[$ip]++;
else
$forbiddenIPList[$ip] = 1;
saveForbiddenIPList($forbiddenIPList);
$is_pass_wrong = true;
}
}
} else
$is_pass_wrong = true;
/*
生成密码
php -r "$salt='!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl';$key='bluelotus';$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);echo $key;"
*/
function checkPassword($p) {
if (isset($_POST['firesunCheck']) && isset($_SESSION['firesunCheck']) && $_SESSION['firesunCheck'] != "" && $_POST['firesunCheck'] === $_SESSION['firesunCheck']) {
//改了这个盐记得改login.js里的两个要一致
$salt = "!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl";
$key = PASS;
$key = md5($salt . $key . $_SESSION['firesunCheck'] . $salt);
$key = md5($salt . $key . $_SESSION['firesunCheck'] . $salt);
$key = md5($salt . $key . $_SESSION['firesunCheck'] . $salt);
return $key === $p;
}
return false;
}
//生成挑战应答的随机值
function generate_password($length = 32) {
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
$password = "";
for ($i = 0; $i < $length; $i++)
$password .= $chars[mt_rand(0, strlen($chars) - 1)];
return $password;
}
?>
<html>
<head>
<meta charset="utf-8" />
<title>登录</title>
<link rel="stylesheet" href='static/css/font-awesome.min.css' type="text/css" >
<link rel="stylesheet" href="static/css/login.min.css" type="text/css" />
<script type="text/javascript" src="static/js/jquery.min.js" ></script>
<script type="text/javascript" src="static/js/login.min.js" ></script>
<?php
if ($is_pass_wrong)
echo '<script type="text/javascript" src="static/js/pass_is_wrong.js" ></script>';
?>
</head>
<body>
<div id="loginform">
<div id="logo"></div>
<div id="mainlogin">
<h1>
登录控制面板
</h1>
<form action="" method="post">
<input type="password" placeholder="password" id="password" name="password" required="required">
<input id="firesunCheck" type="hidden" name="firesunCheck" value=<?php
$firesunCheck = generate_password(32);
$_SESSION['firesunCheck'] = $firesunCheck;
echo json_encode($_SESSION['firesunCheck']);
?> />
<button type="submit" id="submit" disabled="disabled">
<i class="fa fa-arrow-right">
</i>
</button>
</form>
<div id="note">
<a href="#">
忘记密码?
</a>
</div>
</div>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink