Version 2.2

增加登录界面与登录校验
o130bbd7 · Oct 28, 2015 · 795980c · 795980c
1 parent d811fbb
commit 795980c
Show file tree

Hide file tree

Showing 15 changed files with 2,729 additions and 842 deletions.
diff --git a/README.md b/README.md
@@ -1,27 +1,30 @@
 # XSS数据接收平台（无SQL版）
 ## 使用说明
-无需数据库，无需其他组件支持，可直接在php虚拟空间使用，使用步骤：
+本平台设计理念，基本无需配置即可使用，故设计为无需数据库，无需其他组件支持，可直接在php虚拟空间使用，使用步骤：
 
 * 上传所有文件至空间根目录
 * 修改config.php，指定数据存放目录，数据是否启用AES加密及加密密码
 ```php
+define('PASS', '2a05218c7aa0a6dbd370985d984627b8');
 define('DATA_PATH', 'data');
 define('ENABLE_ENCRYPT', true);
 define('ENCRYPT_PASS', "bluelotus");
 ```
+可用php -r "$salt='!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl';$key='你的密码';$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);echo $key;"生成密码hash
 * 赋予`DATA_PATH`目录写权限
 * 当有请求访问/index.php?a=xxx&b=xxxx，所有携带数据包括get，post，cookie，httpheaders，客户端信息都会记录
-* 可访问admin.php查看记录的数据
+* 可访问login.php登录查看记录的数据
 
 ## 目前支持功能
 * 自动判断携带数据是否base64编码，可自动解码
 * 记录所有可记录的数据，并可根据ip判断位置，根据useragent判断操作系统与浏览器
 * 新消息提醒，仿QQ邮箱新消息提醒框，可实时获得数据
 * 支持简单的查找功能
+* 除了style允许unsafe-inline外启用CSP
+* 挑战应答式的登录校验，session绑定ip与useragent
 
 ## TODO
 * keepsession
-* 认证
 * 完全启用CSP
 * 我的js
 * js模板

diff --git a/admin.php b/admin.php
@@ -8,6 +8,7 @@
 <head>
 <meta charset="utf-8" />
 
+	<title>控制面板</title>
 	<link rel="stylesheet" href="static/css/bootstrap.min.css" type="text/css" />
     <link rel="stylesheet" href="static/css/Site.css" type="text/css" />
 	<link rel="stylesheet" href="static/css/notification.css" type="text/css" />

diff --git a/auth.php b/auth.php
@@ -2,9 +2,23 @@
 if(!defined('IN_XSS_PLATFORM')) {
 	exit('Access Denied');
 }
-header("Content-Security-Policy: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none' ");
-header("X-Content-Security-Policy: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none' ");
-header("X-WebKit-CSP: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none' ");
+ini_set("session.cookie_httponly", 1); 
+session_start();
+
+if(!(isset($_SESSION['isLogin']) && $_SESSION['isLogin']===true && isset($_SESSION['user_IP']) &&$_SESSION['user_IP']!="" &&$_SESSION['user_IP']=== $_SERVER['REMOTE_ADDR'] &&isset($_SESSION['user_agent']) &&$_SESSION['user_agent']!="" &&$_SESSION['user_agent']=== $_SERVER['HTTP_USER_AGENT'] ))
+{
+	$_SESSION['isLogin']=false;
+	$_SESSION['user_IP']="";
+	$_SESSION['user_agent']="";
+	session_unset();
+	session_destroy();
+	header("Location: login.php");
+	exit();
+}
+
+header("Content-Security-Policy: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'");
+header("X-Content-Security-Policy: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'");
+header("X-WebKit-CSP: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'");
 
 
 ?>
diff --git a/config.php b/config.php
@@ -3,7 +3,7 @@
 	exit('Access Denied');
 }
 
-define('PASS', 'bluelotus');
+define('PASS', '2a05218c7aa0a6dbd370985d984627b8');//bluelotus
 define('DATA_PATH', 'data');
 define('ENABLE_ENCRYPT', true);
 define('ENCRYPT_PASS', "bluelotus");

diff --git a/data/forbiddenIPList.dat b/data/forbiddenIPList.dat
diff --git a/keepsession.php b/keepsession.php
@@ -1,9 +1,6 @@
 <?php
 define("IN_XSS_PLATFORM",true);
 
-if(!defined('IN_XSS_PLATFORM')) {
-	exit('Access Denied');
-}
 require_once("config.php");
 require_once("functions.php");
 require_once("dio.php");

diff --git a/login.php b/login.php
@@ -0,0 +1,141 @@
+<?php
+define("IN_XSS_PLATFORM",true);
+//CSP开启
+header("Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'");
+header("X-Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'");
+header("X-WebKit-CSP: default-src 'self'; object-src 'none'; frame-src 'none'");
+
+ini_set("session.cookie_httponly", 1); 
+session_start();
+require_once("config.php");
+require_once("functions.php");
+
+
+if(isset($_SESSION['isLogin']) && $_SESSION['isLogin']===true)
+{
+	header("Location: admin.php");
+	exit();
+}
+
+$forbiddenIPList=loadForbiddenIPList();
+$ip=$_SERVER['REMOTE_ADDR'];
+if(!isset($forbiddenIPList[$ip]) || $forbiddenIPList[$ip]<3)
+{
+	if(isset($_POST['password']) && $_POST['password']!='' )
+	{
+		if(checkPassword($_POST['password']))
+		{
+			$_SESSION['isLogin']=true;
+			$_SESSION['user_IP']=$ip;
+			$_SESSION['user_agent']=$_SERVER['HTTP_USER_AGENT'];
+			if(isset($forbiddenIPList[$ip]))
+			{
+				unset($forbiddenIPList[$ip]);
+				saveForbiddenIPList($forbiddenIPList);
+			}
+			header("Location: admin.php");
+			exit();
+		}
+		else
+		{
+			if(isset($forbiddenIPList[$ip]))
+				$forbiddenIPList[$ip]++;
+			else
+				$forbiddenIPList[$ip]=1;
+			saveForbiddenIPList($forbiddenIPList);
+		}
+	}
+
+}
+
+function loadForbiddenIPList()
+{
+	$logfile = DATA_PATH . '/forbiddenIPList.dat';
+	!file_exists( $logfile ) && @touch( $logfile );
+	$str = file_get_contents( $logfile );
+	$str =decrypt($str,ENCRYPT_PASS);
+	if($str!='')
+	{
+		$result=json_decode($str,true);
+		if($result!=null)
+			return $result;
+		else
+			return array();
+	}
+	else
+		return array();
+}
+
+function saveForbiddenIPList($forbiddenIPList)
+{
+	$logfile = DATA_PATH . '/forbiddenIPList.dat';
+	!file_exists( $logfile ) && @touch( $logfile );
+	@file_put_contents($logfile, encrypt(json_encode($forbiddenIPList),ENCRYPT_PASS));
+}
+
+/*
+生成密码
+php -r "$salt='!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl';$key='bluelotus';$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);echo $key;"
+*/
+function checkPassword($p)
+{
+	if(isset($_SESSION['firesunCheck'])&&isset($_POST['firesunCheck'])&&$_SESSION['firesunCheck']!=""&&$_POST['firesunCheck']===$_SESSION['firesunCheck'])
+	{
+		$salt="!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl";
+		$key=PASS;
+		$key=md5($salt.$key.$_SESSION['firesunCheck'].$salt);
+		$key=md5($salt.$key.$_SESSION['firesunCheck'].$salt);
+		$key=md5($salt.$key.$_SESSION['firesunCheck'].$salt);
+		return $key===$p;
+
+	}	
+	return false;
+}
+
+function generate_password( $length = 32 ) {
+	$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";  
+	$password = "";  
+	for ( $i = 0; $i < $length; $i++ )
+		$password .= $chars[ mt_rand(0, strlen($chars) - 1) ];
+	return $password;  
+} 
+
+
+?>
+
+<html>
+    <head>
+        <meta charset="utf-8" />
+		<title>登录</title>
+		<link rel="stylesheet" href='static/css/font-awesome.css' type="text/css" >
+		<link rel="stylesheet" href="static/css/login.css" type="text/css" />
+
+        <script type="text/javascript" src="static/js/jquery.min.js" ></script>
+        <script type="text/javascript" src="static/js/login.js" ></script>
+    </head>
+
+    <body>
+        <div id="loginform">
+			<div id="logo"></div>
+            <div id="mainlogin">
+                <h1>
+                    登录控制面板
+                </h1>
+                <form action="" method="post">
+                    <input type="password" placeholder="password" id="password" name="password" required="required">
+					<input id="firesunCheck" type="hidden" name="firesunCheck" value=<?php $firesunCheck=generate_password(32); $_SESSION['firesunCheck']=$firesunCheck;echo json_encode($_SESSION['firesunCheck']);?> />
+                    <button type="submit" id="submit">
+                        <i class="fa fa-arrow-right">
+                        </i>
+                    </button>
+                </form>
+                <div id="note">
+                    <a href="#">
+                        忘记密码?
+                    </a>
+                </div>
+            </div>
+        </div>
+    </body>
+
+</html>