BlueLotus_XSSReceiver/login.php
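<?php
define("IN_XSS_PLATFORM", true);
require_once("load.php");
require_once("functions.php");
// Enable CSP; the X-* variants are kept for older browser engines
header("Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'");
header("X-Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'");
header("X-WebKit-CSP: default-src 'self'; object-src 'none'; frame-src 'none'");
// Session cookie is HttpOnly so page scripts cannot read it
ini_set("session.cookie_httponly", 1);
session_start();
// Already authenticated: go straight to the admin panel
if (isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true) {
    header("Location: admin.php");
    exit();
}
// Per-IP failed-attempt counters; an IP with more than 5 failures is locked out
// (NOTE(review): the lockout never expires by itself - it is only cleared by a
// successful login from that IP).
$forbiddenIPList = loadForbiddenIPList();
$ip = $_SERVER['REMOTE_ADDR'];
$is_pass_wrong = false;
if (!isset($forbiddenIPList[$ip]) || $forbiddenIPList[$ip] <= 5) {
    // Only a non-empty string counts as a login attempt (strict: "0" is a real password)
    if (isset($_POST['password']) && is_string($_POST['password']) && $_POST['password'] !== "") {
        $ok = checkPassword($_POST['password']);
        // The challenge is single-use: drop it whatever the outcome so a
        // captured response cannot be replayed against the same session.
        unset($_SESSION['firesunCheck']);
        if ($ok) {
            // New session id on privilege change (session fixation defence)
            session_regenerate_id(true);
            $_SESSION['isLogin'] = true;
            $_SESSION['user_IP'] = $ip;
            $_SESSION['user_agent'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
            // A successful login resets this IP's failure counter
            if (isset($forbiddenIPList[$ip])) {
                unset($forbiddenIPList[$ip]);
                saveForbiddenIPList($forbiddenIPList);
            }
            header("Location: admin.php");
            exit();
        } else {
            if (isset($forbiddenIPList[$ip])) {
                $forbiddenIPList[$ip]++;
            } else {
                $forbiddenIPList[$ip] = 1;
            }
            saveForbiddenIPList($forbiddenIPList);
            $is_pass_wrong = true;
        }
    }
} else {
    // Locked out: do not even evaluate the password
    $is_pass_wrong = true;
}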
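/**
 * Load the per-IP failed-login counters from DATA_PATH/forbiddenIPList.dat.
 *
 * The file holds an encrypt()ed JSON object mapping IP => failure count.
 * An unreadable, empty or malformed file yields an empty array so the
 * caller never has to special-case errors.
 *
 * @return array<string,int>
 */
function loadForbiddenIPList() {
    $logfile = DATA_PATH . '/forbiddenIPList.dat';
    if (!file_exists($logfile)) {
        @touch($logfile);
    }
    $raw = @file_get_contents($logfile);
    if ($raw === false) {
        return array();
    }
    $json = decrypt($raw);
    if (!is_string($json) || $json === '') {
        return array();
    }
    $result = json_decode($json, true);
    // Only an array is a valid table; a decoded scalar or null (invalid JSON)
    // must not be returned as the lockout table, since callers index into it.
    return is_array($result) ? $result : array();
}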
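/**
 * Persist the per-IP failed-login counters to DATA_PATH/forbiddenIPList.dat.
 *
 * Best-effort: write failures are ignored as before, but the table is
 * never overwritten with garbage if JSON encoding fails.
 *
 * @param array<string,int> $forbiddenIPList IP => failure count
 * @return void
 */
function saveForbiddenIPList($forbiddenIPList) {
    $logfile = DATA_PATH . '/forbiddenIPList.dat';
    if (!file_exists($logfile)) {
        @touch($logfile);
    }
    $json = json_encode($forbiddenIPList);
    if ($json === false) {
        return;
    }
    // LOCK_EX: concurrent login attempts must not interleave their writes
    @file_put_contents($logfile, encrypt($json), LOCK_EX);
}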
/*
Generate the password value:
php -r "$salt='!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl';$key='bluelotus';$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);echo $key;"
*/
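/**
 * Verify a challenge-response login.
 *
 * The client proves knowledge of PASS by submitting three rounds of
 * md5(salt . key . challenge . salt), where the challenge is the value this
 * server stored in $_SESSION['firesunCheck'] and echoed back in
 * $_POST['firesunCheck']. Reads $_POST and $_SESSION directly.
 *
 * @param mixed $p submitted response digest (anything but a string is rejected)
 * @return bool true only if the challenge matches and the digest is correct
 */
function checkPassword($p) {
    if (!is_string($p)) {
        return false;
    }
    if (!isset($_POST['firesunCheck'], $_SESSION['firesunCheck'])
        || !is_string($_POST['firesunCheck'])
        || !is_string($_SESSION['firesunCheck'])
        || $_SESSION['firesunCheck'] === ''
        || $_POST['firesunCheck'] !== $_SESSION['firesunCheck']) {
        return false;
    }
    // Changing this salt requires the same change in login.js (the two must match)
    $salt = "!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl";
    $challenge = $_SESSION['firesunCheck'];
    $key = PASS;
    for ($round = 0; $round < 3; $round++) {
        $key = md5($salt . $key . $challenge . $salt);
    }
    // Constant-time comparison so response timing does not reveal how much
    // of the expected digest matched.
    return hash_equals($key, $p);
}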
// Generate the random challenge value for the challenge-response login
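/**
 * Build a random alphanumeric string of the given length.
 *
 * Used as the per-page login challenge (see checkPassword), so the value is
 * security relevant: the CSPRNG random_int() is used when available
 * (PHP >= 7.0) and mt_rand() only as a fallback on older runtimes.
 *
 * @param int $length number of characters (0 yields an empty string)
 * @return string characters drawn from [A-Za-z0-9]
 */
function generate_password($length = 32) {
    $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    $max = strlen($chars) - 1;
    $csprng = function_exists('random_int');
    $password = "";
    for ($i = 0; $i < $length; $i++) {
        $idx = $csprng ? random_int(0, $max) : mt_rand(0, $max);
        $password .= $chars[$idx];
    }
    return $password;
}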
?>
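<html>
<head>
<meta charset="utf-8" />
<title>登录</title>
<link rel="stylesheet" href='static/css/font-awesome.min.css' type="text/css" >
<link rel="stylesheet" href="static/css/login.min.css" type="text/css" />
<script type="text/javascript" src="static/js/jquery.min.js" ></script>
<script type="text/javascript" src="static/js/login.min.js" ></script>
<?php
// Tell the page script to show the "wrong password" state
if ($is_pass_wrong) {
    echo '<script type="text/javascript" src="static/js/pass_is_wrong.js" ></script>';
}
?>
</head>
<body>
<div id="loginform">
<div id="logo"></div>
<div id="mainlogin">
<h1>
登录控制面板
</h1>
<form action="" method="post">
<input type="password" placeholder="password" id="password" name="password" required="required">
<input id="firesunCheck" type="hidden" name="firesunCheck" value="<?php
// Fresh challenge for this page load; checkPassword compares the posted copy
// against the session copy.
$firesunCheck = generate_password(32);
$_SESSION['firesunCheck'] = $firesunCheck;
// Escape for the attribute context (the challenge happens to be alphanumeric,
// but the escaping must not depend on that).
echo htmlspecialchars($firesunCheck, ENT_QUOTES, 'UTF-8');
?>" />
<button type="submit" id="submit" disabled="disabled">
<i class="fa fa-arrow-right">
</i>
</button>
</form>
<div id="note">
<a href="#">
忘记密码?
</a>
</div>
</div>
</div>
</body>
</html>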