BlueLotus_XSSReceiver/login.php
Firesun e4fa310d38 Version 3.5.1
1. 升级PHPMailer至5.2.22
2. 安装后删除无用文件
3. 开启X-Frame-Options,X-Content-Type-Options
4. 修复一系列bug

Todo
修复jqxgrid的一些问题
2017-02-18 17:07:32 +08:00


<?php
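// Login entry point: bootstraps the session, throttles failed attempts per
// client IP, and on a correct challenge response marks the session as logged in.
// NOTE(review): IN_XSS_PLATFORM looks like a guard the included files test to
// refuse direct access; confirm in functions.php / dio.php / waf.php.
define("IN_XSS_PLATFORM", true);
require_once("functions.php");
require_once("dio.php");
// Enable CSP (waf.php is not visible here).
require_once("waf.php");
// Set HttpOnly so page scripts cannot read the session cookie.
// NOTE(review): the Secure flag is not set here; confirm whether the
// deployment is HTTPS-only and set session.cookie_secure accordingly.
ini_set("session.cookie_httponly", 1);
session_start();

// Already logged in: go straight to the admin panel.
if (isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true) {
    header("Location: admin.php");
    exit();
}

// Check whether the client IP is on the ban list (map of IP => failed-attempt count).
// NOTE(review): both the throttle and the user_IP session binding depend on
// getRealIP(); if it reads client-supplied headers the counter is only
// advisory. Confirm against functions.php.
$forbiddenIPList = loadForbiddenIPList();
$ip = getRealIP();
$is_pass_wrong = false;

// Attempts are evaluated while the stored failure count is at most 5.
if (!isset($forbiddenIPList[$ip]) || $forbiddenIPList[$ip] <= 5) {
    if (isset($_POST['password']) && $_POST['password'] != "") {
        if (checkPassword($_POST['password'])) {
            // Issue a fresh session id at the privilege change so an id that
            // was known before authentication does not become an admin session.
            session_regenerate_id(true);
            $_SESSION['isLogin'] = true;
            $_SESSION['user_IP'] = $ip;
            // The User-Agent header is optional; store null when it is absent
            // instead of reading an undefined index.
            $_SESSION['user_agent'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null;
            // A successful login clears this IP's failure counter.
            if (isset($forbiddenIPList[$ip])) {
                unset($forbiddenIPList[$ip]);
                saveForbiddenIPList($forbiddenIPList);
            }
            header("Location: admin.php");
            exit();
        } else {
            // Record the failed attempt against this IP and persist it.
            if (isset($forbiddenIPList[$ip])) {
                $forbiddenIPList[$ip]++;
            } else {
                $forbiddenIPList[$ip] = 1;
            }
            saveForbiddenIPList($forbiddenIPList);
            $is_pass_wrong = true;
        }
    }
} else {
    // Throttled IP: the submitted password is never evaluated and the page
    // shows the same "wrong password" state as an ordinary failure.
    $is_pass_wrong = true;
}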
/*
生成密码
php -r '$salt="!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl";$key="你的密码";$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);echo $key;'
*/
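/**
 * Verify the client's challenge response against the configured credential.
 *
 * The expected value is three rounds of md5(salt . key . nonce . salt),
 * starting from the PASS constant (defined outside this file) and using the
 * per-page nonce stored in $_SESSION['firesunCheck']. The nonce echoed back in
 * $_POST['firesunCheck'] must be identical to the session copy.
 *
 * NOTE(review): the stored PASS value is by itself enough to answer any
 * challenge, so the configuration holding it must be protected like a
 * plaintext password. Salted MD5 is also cheap to brute-force offline;
 * moving to password_hash()/password_verify() would need a matching change
 * in login.js.
 *
 * @param mixed $p Response submitted in the "password" form field.
 * @return bool True only when the nonce matches and the response is correct.
 */
function checkPassword($p) {
    // Form fields can arrive as arrays (password[]=...); only a string can match.
    if (!is_string($p)) {
        return false;
    }
    if (isset($_POST['firesunCheck']) && isset($_SESSION['firesunCheck']) && $_SESSION['firesunCheck'] != "" && $_POST['firesunCheck'] === $_SESSION['firesunCheck']) {
        // If this salt is changed, the two copies in login.js must be changed to match.
        $salt = "!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl";
        $nonce = $_SESSION['firesunCheck'];
        $key = PASS;
        for ($round = 0; $round < 3; $round++) {
            $key = md5($salt . $key . $nonce . $salt);
        }
        // Compare in constant time where the runtime provides hash_equals()
        // (PHP >= 5.6); older runtimes keep the original strict comparison.
        return function_exists('hash_equals') ? hash_equals($key, $p) : $key === $p;
    }
    return false;
}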
//生成挑战应答的随机值
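/**
 * Build a random alphanumeric string, used as the login challenge nonce.
 *
 * Characters are drawn with random_int() (a CSPRNG, PHP >= 7.0) when it is
 * available, because the nonce is security-relevant and mt_rand() output is
 * predictable. On older runtimes the original mt_rand() behaviour is kept.
 *
 * @param int $length Number of characters to produce; values <= 0 yield "".
 * @return string Random string over [a-zA-Z0-9] of the requested length.
 */
function generate_password($length = 32) {
    $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    $maxIndex = strlen($chars) - 1;
    $hasCsprng = function_exists('random_int');
    $password = "";
    for ($i = 0; $i < $length; $i++) {
        $index = $hasCsprng ? random_int(0, $maxIndex) : mt_rand(0, $maxIndex);
        $password .= $chars[$index];
    }
    return $password;
}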
?>
<html>
<head>
<meta charset="utf-8" />
<title>登录</title>
<link rel="stylesheet" href='static/css/font-awesome.min.css' type="text/css" >
<link rel="stylesheet" href="static/css/login.min.css" type="text/css" />
<script type="text/javascript" src="static/js/jquery.min.js" ></script>
<script type="text/javascript" src="static/js/login.min.js" ></script>
<?php
// Load the "wrong password" script only when the login logic above set the
// failure flag (a failed check or a throttled IP).
if ($is_pass_wrong) {
    echo '<script type="text/javascript" src="static/js/pass_is_wrong.js" ></script>';
}
?>
</head>
<body>
<div id="loginform">
<div id="logo"></div>
<div id="mainlogin">
<h1>
登录控制面板
</h1>
<form action="" method="post">
<input type="password" placeholder="password" id="password" name="password" required="required">
<input id="firesunCheck" type="hidden" name="firesunCheck" value=<?php
// Mint a fresh challenge nonce on every page render and keep the session copy
// for checkPassword() to compare against on the next POST. json_encode()
// supplies the surrounding double quotes for the attribute value, which is
// safe only because the nonce is purely alphanumeric.
$firesunCheck = $_SESSION['firesunCheck'] = generate_password(32);
echo json_encode($firesunCheck);
?> />
<button type="submit" id="submit" disabled="disabled">
<i class="fa fa-arrow-right">
</i>
</button>
</form>
<div id="note">
<a href="#">
忘记密码?
</a>
</div>
</div>
</div>
</body>
</html>