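/**
 * Check whether an IPv4 address lies inside a CIDR range, or inside any of
 * several ranges.
 *
 * @param string          $addr dotted-quad IPv4 address, e.g. '10.1.2.3'
 * @param string|string[] $cidr one range in 'a.b.c.d/bits' form (a bare
 *                              'a.b.c.d' counts as /32), or an array of such
 *                              ranges
 * @return bool true when $addr is inside $cidr (any element for an array);
 *              false for malformed addresses or an out-of-range prefix length
 */
function matchCIDR2($addr, $cidr)
{
    // Array form: the address matches when it is inside any listed range.
    // Recurse into this function (the original called a separate matchCIDR)
    // so the array and scalar forms cannot drift apart.
    if (is_array($cidr)) {
        foreach ($cidr as $range) {
            if (matchCIDR2($addr, $range)) {
                return true;
            }
        }
        return false;
    }

    // Split on the first '/' only; a missing or empty prefix length means a
    // single host.
    $parts = explode('/', (string) $cidr, 2);
    $network = $parts[0];
    $bits = (isset($parts[1]) && $parts[1] !== '') ? (int) $parts[1] : 32;

    // ip2long() returns false on garbage; the original let that compare as 0
    // and could therefore match unrelated inputs.
    $addrLong = ip2long($addr);
    $netLong = ip2long($network);
    if ($addrLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;
    }

    // All-ones above the host bits. Written with a left shift of 1 rather than
    // of 0xffffffff so it behaves the same on 32- and 64-bit builds; /0 yields a
    // zero mask in the low 32 bits and matches every address.
    $netmask = ~((1 << (32 - $bits)) - 1);

    return ($addrLong & $netmask) === ($netLong & $netmask);
}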
/**
 * Pick the client address: the first X-Forwarded-For hop, unless that hop is a
 * private (10/8, 192.168/16, 172.16/12) address, in which case REMOTE_ADDR is
 * returned. Without the header REMOTE_ADDR is returned as-is.
 *
 * X-Forwarded-For is set by whoever sent the request (client or upstream
 * proxy) and is not verified here beyond the private-range filter, so the
 * result is only as trustworthy as the proxy chain in front of this host.
 *
 * @return string
 */
function getREMOTE_ADDR()
{
    if (!isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        return $_SERVER['REMOTE_ADDR'];
    }

    // Only the first entry of the comma/space separated hop list is used.
    $hops = preg_split('/[ ,]+/', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $firstHop = $hops[0];

    $isPrivate = strncmp($firstHop, '10.', 3) === 0
        || strncmp($firstHop, '192.168.', 8) === 0
        || matchCIDR($firstHop, '172.16.0.0/12');

    return $isPrivate ? $_SERVER['REMOTE_ADDR'] : $firstHop;
}
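/**
 * If the request came from a Cloudflare edge address, return the real client
 * IP that Cloudflare passes in CF-Connecting-IP; otherwise return ''.
 *
 * The edge ranges below are a hard-coded snapshot of https://www.cloudflare.com/ips
 * and have to be refreshed by hand; an outdated list makes this function
 * silently return '' for requests arriving via newer edge nodes.
 *
 * Trust boundary: CF-Connecting-IP is only honoured when REMOTE_ADDR (the TCP
 * peer) is inside one of the listed ranges, so a client connecting directly
 * cannot spoof it by sending the header itself.
 *
 * @return string client IP, or '' when the request did not come through a
 *                listed Cloudflare range or the header is absent
 */
function getRemoteAddrCloudFlare()
{
    $addr = $_SERVER['REMOTE_ADDR'];
    $cloudflare_v4 = array('199.27.128.0/21', '173.245.48.0/20', '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22', '141.101.64.0/18', '108.162.192.0/18', '190.93.240.0/20', '188.114.96.0/20', '197.234.240.0/22', '198.41.128.0/17', '162.158.0.0/15', '104.16.0.0/12');
    $cloudflare_v6 = array('2400:cb00::/32', '2606:4700::/32', '2803:f800::/32', '2405:b500::/32', '2405:8100::/32');

    // Read the header once and tolerate its absence (avoids an undefined-index
    // notice if Cloudflare ever omits it).
    $forwarded = isset($_SERVER['HTTP_CF_CONNECTING_IP']) ? $_SERVER['HTTP_CF_CONNECTING_IP'] : '';

    if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        // v4 address. Iterate by value: the original used a reference loop
        // variable without unset(), the classic dangling-reference trap.
        foreach ($cloudflare_v4 as $cidr) {
            if (matchCIDR($addr, $cidr)) {
                return $forwarded;
            }
        }
    } elseif (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
        // v6 address. Checked explicitly instead of "anything that is not v4",
        // so an invalid REMOTE_ADDR never reaches the v6 matcher.
        foreach ($cloudflare_v6 as $cidr) {
            if (matchCIDRv6($addr, $cidr)) {
                return $forwarded;
            }
        }
    }
    return '';
}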
 /**
  * Pre-registration hook: writes the incoming post to the post log, then runs
  * the ban checks in order (JavaScript marker, User-Agent heuristics and
  * blacklist, IP/host blacklist, open-proxy list, fail cookie, NG log, word
  * filter, image hash) and calls error() to abort the post as soon as one of
  * them fires. Returns nothing; it either aborts or falls through.
  *
  * Parameters are passed by reference because the hook signature requires it;
  * this method only reads them.
  *   $name, $email, $sub, $com  post fields
  *   $upfileInfo  array; 'name' and 'file' are read here
  *   $accessInfo  array; 'ip' and 'host' are read here
  *   $isReply     reply flag, recorded in $postInfo
  *
  * Side effects: appends to $this->postlogfile, may append autoban records to
  * $this->ipfile, may set the fail cookie, and overwrites the globals
  * $BANPATTERN, $BAD_FILEMD5 and $postInfo.
  */
 function autoHookRegistBegin(&$name, &$email, &$sub, &$com, $upfileInfo, $accessInfo, $isReply)
 {
     global $BANPATTERN, $BAD_FILEMD5, $postInfo;
     // Cleared by the User-Agent heuristics below so those bans do not also
     // bump the client's fail cookie.
     $setfail = true;
     // Snapshot of the post reused in every log line. Holds raw client-supplied
     // values (loid, User-Agent) without any escaping.
     $postInfo = array($isReply, str_replace("\r\n", '<br>', $com), $sub, $name, $email, $upfileInfo['name'], isset($_POST['loid']) ? $_POST['loid'] : '', $_SERVER['HTTP_USER_AGENT']);
     // extract fail cookie: a ':'-separated record kept in a client-side cookie.
     // Being client-held it can be dropped or altered at will, so the counters
     // it carries are best-effort only.
     if (isset($_COOKIE[$this->cookiename])) {
         $this->failcookie = explode(':', $this->_mybase64_decode($_COOKIE[$this->cookiename]));
     }
     // Post log: one tab-separated record per post. A '%s' in the configured
     // file name is replaced with today's date (daily rotation).
     if ($this->postlogfile) {
         $plname = strstr($this->postlogfile, '%s') ? sprintf($this->postlogfile, date('Ymd')) : $this->postlogfile;
         // fopen() result is not checked; an unwritable path surfaces as warnings.
         $pfp = fopen($plname, 'ab');
         $outstr = '/ip=' . $accessInfo['ip'] . "\ttime=" . date('Ymd-His');
         $pInames = array('re', 'com', 'sub', 'name', 'email', 'upfile', 'loid', 'ua');
         $pIcnt = count($postInfo);
         // Values are written verbatim: a tab or line break inside a
         // client-supplied field would corrupt the record layout.
         for ($i = 0; $i < $pIcnt; $i++) {
             $outstr .= "\t" . (isset($pInames[$i]) ? $pInames[$i] . '=' : '') . $postInfo[$i];
         }
         if (isset($_COOKIE[$this->cookiename])) {
             $outstr .= "\tfc=" . implode(':', $this->failcookie);
         }
         fwrite($pfp, $outstr . "\t/end\n");
         fclose($pfp);
     }
     // Load the block list definition files on top of whatever the globals
     // already contain; rtrim drops the line endings.
     if (is_file($this->ipfile)) {
         $BANPATTERN = array_merge($BANPATTERN, array_map('rtrim', $this->_parseBlackListFile($this->ipfile, true)));
     }
     if (is_file($this->imgfile)) {
         $BAD_FILEMD5 = array_merge($BAD_FILEMD5, array_map('rtrim', $this->_parseBlackListFile($this->imgfile, true)));
     }
     // IP/Hostname Check
     $accessInfo['host'] = strtolower($accessInfo['host']);
     // Whether a second pass against the other value is needed: when the
     // reverse lookup produced nothing but the address, host == ip.
     $checkTwice = $accessInfo['ip'] != $accessInfo['host'];
     $IsBanned = false;
     // Posts must carry the js=js marker (presumably set by the form's
     // JavaScript); anything without it is rejected outright.
     if (!isset($_POST['js']) || $_POST['js'] !== 'js') {
         error('Please enable Javascript');
     }
     // Quick hack 3
     /*if(strpos($_SERVER['HTTP_USER_AGENT'],'NT 6.1; rv:12.0')!==false) {
     			$this->_nglog_append($accessInfo['ip'],'badip','High possibility of Seiyuu Chuu detected'.'#postinf='.implode('|',$postInfo));
     			$IsBanned = true;
     			$setfail = false;
     		}*/
     // Quick hack 3 end
     // Quick hack: substring match on the User-Agent for two proxy/VPN products.
     if (!$IsBanned && (strpos($_SERVER['HTTP_USER_AGENT'], 'VPNGate') !== false || strpos($_SERVER['HTTP_USER_AGENT'], 'FreeSafeIP.com') !== false)) {
         $this->_nglog_append($accessInfo['ip'], 'badip', 'VPNGate detected' . '#postinf=' . implode('|', $postInfo));
         $IsBanned = true;
         $setfail = false;
     }
     // Quick hack end
     // Quick hack 2: isolate the token after the last '/' of the User-Agent
     // (then after its last space, then up to its last ')'); a purely
     // hexadecimal token longer than one character is treated as a bot marker.
     if (!$IsBanned) {
         $lsval = '';
         $lastslash = strrpos($_SERVER['HTTP_USER_AGENT'], '/');
         if ($lastslash !== false) {
             $lsval = substr($_SERVER['HTTP_USER_AGENT'], $lastslash + 1);
         }
         $lastspace = strrpos($lsval, ' ');
         if ($lastspace !== false) {
             $lsval = substr($lsval, $lastspace + 1);
         }
         $lastbmark = strrpos($lsval, ')');
         if ($lastbmark !== false) {
             $lsval = substr($lsval, 0, $lastbmark);
         }
         if (strlen($lsval) > 1 && preg_match('/^[0-9A-F]+$/i', $lsval)) {
             $this->_nglog_append($accessInfo['ip'], 'badip', 'strange user agent detected' . '#postinf=' . implode('|', $postInfo));
             $IsBanned = true;
             $setfail = false;
         }
     }
     // Quick hack 2 end
     // UA checks: every line of $this->baduafile is used as a regex body between
     // backtick delimiters, unescaped. The file must therefore be trusted
     // configuration and must not contain a backtick. The loop does not break,
     // so several lines may log the same ban.
     if (is_file($this->baduafile)) {
         $baduas = array_map('rtrim', $this->_parseBlackListFile($this->baduafile, true));
     }
     // '@' hides the undefined-variable/index notice when the file is missing
     // or empty.
     if (@$baduas[0]) {
         foreach ($baduas as $badua) {
             if (preg_match('`' . $badua . '`', $_SERVER['HTTP_USER_AGENT'])) {
                 $this->_nglog_append($accessInfo['ip'], 'badip', 'Bad user agent#postinf=' . implode('|', $postInfo));
                 $IsBanned = true;
                 $setfail = false;
             }
         }
     }
     // IP/host blacklist. The entry syntax is decided by its number of '/':
     // two = delimited regex ('i' appended), one = CIDR (IP only), an entry
     // with '*' or '?' = anchored wildcard, anything else = literal IP/host.
     if (!$IsBanned) {
         foreach ($BANPATTERN as $pattern) {
             $slash = substr_count($pattern, '/');
             if ($slash == 2) {
                 // RegExp (assumed to already carry its delimiters)
                 $pattern .= 'i';
             } elseif ($slash == 1) {
                 // CIDR Notation
                 if (matchCIDR($accessInfo['ip'], $pattern)) {
                     $this->_nglog_append($accessInfo['ip'], 'badip', $pattern . '#postinf=' . implode('|', $postInfo));
                     $IsBanned = true;
                     break;
                 }
                 continue;
             } elseif (strpos($pattern, '*') !== false || strpos($pattern, '?') !== false) {
                 // Wildcard: escape dots, '*' -> '.*', '?' -> '.?'
                 $pattern = '/^' . str_replace(array('.', '*', '?'), array('\\.', '.*', '.?'), $pattern) . '$/i';
             } else {
                 // Full-text
                 if ($accessInfo['ip'] == $pattern || $checkTwice && $accessInfo['host'] == strtolower($pattern)) {
                     $this->_nglog_append($accessInfo['ip'], 'badip', $pattern . '#postinf=' . implode('|', $postInfo));
                     $IsBanned = true;
                     break;
                 }
                 continue;
             }
             // Regex and wildcard entries: host first, then the IP when it differs.
             if (preg_match($pattern, $accessInfo['host']) || $checkTwice && preg_match($pattern, $accessInfo['ip'])) {
                 $this->_nglog_append($accessInfo['ip'], 'badip', $pattern . '#postinf=' . implode('|', $postInfo));
                 $IsBanned = true;
                 break;
             }
         }
     }
     // Open-proxy list lookup (its data source is inside _checkProxiesList).
     if (!$IsBanned) {
         if ($this->_checkProxiesList($accessInfo['ip'])) {
             $this->_nglog_append($accessInfo['ip'], 'badip', 'OpenProxy Listed' . '#postinf=' . implode('|', $postInfo));
             $IsBanned = true;
         }
     }
     // Banned: bump the fail cookie unless a UA heuristic cleared $setfail, then abort.
     if ($IsBanned) {
         if ($setfail) {
             $this->_setfailcookie();
         }
         error(_T('ip_banned'));
     }
     // process fail cookie
     if (isset($_COOKIE[$this->cookiename])) {
         /*if(RENZOKU && ($time - $this->failcookie[0] < RENZOKU*2)){
         			error(_T('regist_successivepost'));
         		}*/
         // Second cookie field is a failure counter; above five failures the
         // IP gets an autoban record in ipfile (deleting stale entries and
         // updating in the same pass) and the post is aborted.
         if (isset($this->failcookie[1]) && $this->failcookie[1] > 5) {
             $this->_nglog_append($accessInfo['ip'], 'ckban', implode(':', $this->failcookie) . '#postinf=' . implode('|', $postInfo));
             $this->_arrangeRecord($this->ipfile, null, $accessInfo['ip'] . "\t" . 'cookie autoban ' . date('Ymd') . "\t" . time() . "\t" . $this->bandays . "\n");
             error(_T('ip_banned'));
         }
     }
     // NG-log based autoban; the threshold lives in _nglog_process() and is not
     // visible here. Writes an ipfile record, marks the cookie 'ban' and aborts.
     if ($this->_nglog_process($accessInfo['ip'])) {
         $this->_nglog_append($accessInfo['ip'], 'lgban', (isset($_COOKIE[$this->cookiename]) ? implode('.', $this->failcookie) : 'no-cookie') . '#postinf=' . implode('|', $postInfo));
         $this->_arrangeRecord($this->ipfile, null, $accessInfo['ip'] . "\t" . 'nglog autoban ' . date('Ymd') . "\t" . time() . "\t" . $this->bandays . "\n");
         // delete stale entries and update in the same pass
         $this->_setfailcookie('ban');
         error(_T('ip_banned'));
     }
     // Cleanup $BANPATTERN as it passed in upper test (the whole global is
     // emptied, not only the entries loaded from the file above).
     $BANPATTERN = array();
     // Word filter: like the UA list, each line of $this->badstrfile is an
     // unescaped regex body between backticks, applied to name, email, subject
     // and the comment with CRLFs removed.
     if (is_file($this->badstrfile)) {
         $badstrs = array_map('rtrim', $this->_parseBlackListFile($this->badstrfile, true));
     }
     if (@$badstrs[0]) {
         foreach ($badstrs as $badstr) {
             if (preg_match('`' . $badstr . '`', $name) || preg_match('`' . $badstr . '`', $email) || preg_match('`' . $badstr . '`', $sub) || preg_match('`' . $badstr . '`', str_replace("\r\n", '', $com))) {
                 // NOTE(review): four arguments here, while every other
                 // _nglog_append() call above passes three with '#postinf='
                 // concatenated into the third - confirm the intended signature.
                 $this->_nglog_append($accessInfo['ip'], 'ngstr', $badstr, implode('|', $postInfo));
                 $this->_setfailcookie();
                 error(_T('regist_wordfiltered'));
             }
         }
     }
     // Perceptual-hash comparison of the upload against every reference image
     // in $this->imghash_imgdir. ImageHash is assumed to be defined by
     // $this->imghash_lib (not visible here).
     if ($this->use_imghash && file_exists($this->imghash_lib)) {
         include $this->imghash_lib;
         if (is_dir(realpath($this->imghash_imgdir))) {
             $pfolder = opendir($this->imghash_imgdir);
             //Folder
             $pnamebase = array();
             // readdir() returns the entry name; an entry literally named "0"
             // is falsy and would end this loop early.
             // NOTE(review): paths are built by plain concatenation, so
             // imghash_imgdir/imghash_hashdir must end with a separator - confirm.
             while ($file = readdir($pfolder)) {
                 if (is_file($this->imghash_imgdir . $file)) {
                     $pnamebase[] = $file;
                 }
             }
             closedir($pfolder);
             for ($i = 0; $i < sizeof($pnamebase); $i++) {
                 // Use the cached "width\theight\thash" record when a hash
                 // directory is configured and has one; otherwise compute the
                 // hash now and cache it.
                 if (trim($this->imghash_hashdir) && is_dir($this->imghash_hashdir) && file_exists($this->imghash_hashdir . $pnamebase[$i] . '.imghash')) {
                     list($pw, $ph, $apHash) = explode("\t", file_get_contents($this->imghash_hashdir . $pnamebase[$i] . '.imghash'));
                     $pbase_size = array($pw, $ph);
                 } else {
                     $pbase_size = getimagesize($this->imghash_imgdir . $pnamebase[$i]);
                     $apHash = ImageHash::hashImageFile($this->imghash_imgdir . $pnamebase[$i]);
                     if (trim($this->imghash_hashdir) && is_dir($this->imghash_hashdir)) {
                         file_put_contents($this->imghash_hashdir . $pnamebase[$i] . '.imghash', $pbase_size[0] . "\t" . $pbase_size[1] . "\t" . $apHash);
                     }
                 }
                 // Hash the upload cropped to the reference image's dimensions.
                 $dpHash = ImageHash::hashImageFileCropped($upfileInfo['file'], $pbase_size[0], $pbase_size[1]);
                 // NOTE(review): $dest is never assigned in this method, so the
                 // second operand always receives an undefined value; presumably
                 // $upfileInfo['file'] was intended - confirm.
                 if (ImageHash::isHashSimilar($apHash, $dpHash) || ImageHash::isImageSimilarWithHash($dest, $apHash)) {
                     // NOTE(review): four-argument _nglog_append() call again; see above.
                     $this->_nglog_append($accessInfo['ip'], 'phash', $pnamebase[$i], '' . '#postinf=' . implode('|', $postInfo));
                     $this->_setfailcookie();
                     error(_T('regist_upload_blocked'));
                     // rejected image
                 }
             }
         }
     }
 }
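// Reads the request parameters, verifies that the calling host is permitted
// for this merchant (client) and produces an encrypted order token ($od_sob).
// mylink(), fnEncrypt(), $webIP_Check_sw and $ap_IV are expected to come from
// g_common.inc (only their use is visible here).

// Quoted keys: the original used bare `client` / `od_sob`, which relied on the
// undefined-constant fallback that newer PHP rejects. empty() keeps the
// original "only accept truthy values" behaviour without a notice.
$client = '';
$od_sob = '';
if (!empty($_REQUEST['client'])) {
    $client = $_REQUEST['client'];
}
if (!empty($_REQUEST['od_sob'])) {
    $od_sob = $_REQUEST['od_sob'];
}
include 'g_common.inc';
$plink = mylink();
//====== fetch the merchant check code
// `client` is interpolated unquoted, i.e. as a number: escaping quotes alone
// cannot protect that position, so force the value to an integer instead.
$client = (int) $client;
$str = "SELECT chma,webip_bk,ipcheck_bk FROM o_user WHERE client={$client} limit 1 ";
$qq = mysql_query($str, $plink);
list($chma, $webip_bk, $ipcheck_bk) = @mysql_fetch_row($qq);
if ($webIP_Check_sw && $client != 3) {
    // REMOTE_ADDR is the TCP peer, not a client-supplied header.
    $sssip = $_SERVER["REMOTE_ADDR"];
    if ($sssip != '211.23.128.211' && $sssip != '175.99.72.120' && !matchCIDR($sssip, "60.199.179.0/24")) {
        // The ecbank addresses above are exempt from the host-IP comparison.
        if (!$webip_bk || !$ipcheck_bk) {
            echo 'error_無設定主機IP,無法取得驗證碼! ' . "目前抓到的主機IP: {$sssip}";
            exit;
        }
        // Whole-address match: substr_count() would accept '1.2.3.4' as part of
        // '11.2.3.45'; require the address to be bounded by non-address characters.
        $v = preg_match('/(^|[^0-9.])' . preg_quote($sssip, '/') . '($|[^0-9.])/', $webip_bk);
        if (!$v) {
            echo 'error_非法主機IP,無法取得驗證碼! ' . "目前抓到的主機IP: {$sssip}";
            exit;
        }
    }
}
// Timestamp prefix, then encrypt with the merchant's check code.
$od_sob = time() . '***' . $od_sob;
$od_sob = fnEncrypt($od_sob, $chma, $ap_IV);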
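<?php
// Diagnostic page: prints the address under test and whether it is on the ban list.

// An explicit ?ip= override is accepted only when it is a syntactically valid
// IP address; anything else falls back to the connecting address.
if (isset($_GET['ip']) && filter_var($_GET['ip'], FILTER_VALIDATE_IP) !== false) {
    $ip = $_GET['ip'];
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}

// Strip line endings so each entry is a clean 'a.b.c.d/bits' string; the
// original passed lines with their trailing newline to matchCIDR().
$cidr = file("/www/torrent.is/www/bann-listi.txt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);

// Default to allowed; the original left $allow undefined on the allow path.
$allow = 1;
if ($cidr !== false && matchCIDR($ip, $cidr)) {
    $allow = 0;
}

// HTML context: $ip may come from the query string, so escape it.
echo htmlspecialchars($ip, ENT_QUOTES, 'UTF-8') . '<br />';
echo $allow;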
<?php

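/**
 * Test whether an IPv4 address lies inside a CIDR block.
 *
 * @param string $addr dotted-quad address to test
 * @param string $cidr 'a.b.c.d/bits'; a bare 'a.b.c.d' is treated as /32
 * @return bool false for malformed addresses or an out-of-range prefix length
 */
function matchCIDR($addr, $cidr)
{
    // Limit the split to two parts so a stray extra '/' cannot shift the mask.
    $parts = explode('/', (string) $cidr, 2);
    $network = $parts[0];
    // A missing or empty prefix length means a single host.
    $mask = (isset($parts[1]) && $parts[1] !== '') ? (int) $parts[1] : 32;

    // ip2long() returns false for garbage; the original let that compare as 0
    // and could match unrelated inputs.
    $addrLong = ip2long($addr);
    $netLong = ip2long($network);
    if ($addrLong === false || $netLong === false || $mask < 0 || $mask > 32) {
        return false;
    }

    // Shifting both addresses right by the host-bit count leaves only the
    // network prefix; /0 shifts everything out and matches any address.
    $hostBits = 32 - $mask;
    if ($hostBits >= 32) {
        return true;
    }
    return ($addrLong >> $hostBits) === ($netLong >> $hostBits);
}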
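// Demo driver: report whether $addr falls inside any of the sample ranges.
$addr = "172.168.41.90";
$cidrs = array("192.168.190.0/16", "172.16.0.0");
// Initialise so the final check is well-defined even for an empty list
// (the original read an unassigned $ret in that case).
$ret = false;
foreach ($cidrs as $cidr) {
    $ret = matchCIDR($addr, $cidr);
    if ($ret === true) {
        echo "addr in the cidrs";
        break;
    }
}
if ($ret === false) {
    echo "the add not in the subnet";
}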
<?php

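//source from http://note.tc.edu.tw/196.html
/**
 * Test whether an IPv4 address lies inside a CIDR block.
 *
 * @param string $addr dotted-quad address to test
 * @param string $cidr 'a.b.c.d/bits'; a bare 'a.b.c.d' is treated as /32
 * @return bool false for malformed addresses or an out-of-range prefix length
 */
function matchCIDR($addr, $cidr)
{
    // Pad to two elements so a bare address defaults to /32 instead of
    // triggering an undefined-offset warning in list().
    list($network, $bits) = array_pad(explode('/', (string) $cidr, 2), 2, '32');
    $bits = ($bits === '') ? 32 : (int) $bits;

    // Reject garbage explicitly: ip2long() returns false, which the original
    // shifted as 0 and could therefore match against other invalid input.
    $addrLong = ip2long($addr);
    $netLong = ip2long($network);
    if ($addrLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;
    }

    // All-ones above the host bits; /0 leaves the low 32 bits zero and matches
    // everything, /32 compares the full address.
    $netmask = ~((1 << (32 - $bits)) - 1);
    return ($addrLong & $netmask) === ($netLong & $netmask);
}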
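// Redirect on-campus clients (inside $schcidr) to the SFS3 board, everyone
// else to the external agent page.
$schcidr = "163.17.210.129/25";
$sfs3Board = "http://163.17.39.135/modules/board/";
$agent = "http://web.dayes.tc.edu.tw/jsonBoard/#/page";
// REMOTE_ADDR is the TCP peer; no forwarded header is consulted here.
$ip = $_SERVER["REMOTE_ADDR"];
if (matchCIDR($ip, $schcidr)) {
    header("Location: {$sfs3Board}");
} else {
    header("Location: {$agent}");
}
// Stop after issuing the redirect so nothing further is executed or emitted.
exit;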
/**
 * Terminate the request with die("403") when the client's IP or reverse-DNS
 * name matches an entry of the global $no_host list, or when externalIPQuery()
 * flags the IP. Does nothing when $no_host is not an array.
 *
 * Entry forms, decided by the number of '/' in the entry:
 *   two  -> delimited PCRE pattern; 'i' is appended
 *   one  -> CIDR range, tested against the IP only
 *   containing '*' or '?' -> anchored, case-insensitive wildcard
 *   otherwise -> literal IP, or literal hostname when it differs from the IP
 *
 * Entries are used as regex source without escaping, so $no_host must be
 * trusted configuration. Note that only the body "403" is sent; the HTTP
 * status code is not changed here.
 */
function hostblock()
{
    global $no_host;
    if (!is_array($no_host)) {
        return;
    }

    $ip = getenv("REMOTE_ADDR");
    $host = strtolower(gethostbyaddr($ip));
    // No second pass when the reverse lookup yielded nothing but the address.
    $hostDiffers = $ip != $host;

    $blocked = false;
    foreach ($no_host as $entry) {
        $regex = null;
        switch (substr_count($entry, '/')) {
            case 2:
                // Regular expression, made case-insensitive.
                $regex = $entry . 'i';
                break;
            case 1:
                // CIDR notation.
                if (matchCIDR($ip, $entry)) {
                    $blocked = true;
                }
                break;
            default:
                if (strpos($entry, '*') !== false || strpos($entry, '?') !== false) {
                    // Wildcard: escape dots, translate '*' and '?'.
                    $regex = '/^' . str_replace(array('.', '*', '?'), array('\\.', '.*', '.?'), $entry) . '$/i';
                } elseif ($ip == $entry || $hostDiffers && $host == strtolower($entry)) {
                    // Literal address or hostname.
                    $blocked = true;
                }
                break;
        }
        if ($regex !== null
            && (preg_match($regex, $host) || $hostDiffers && preg_match($regex, $ip))) {
            $blocked = true;
        }
        if ($blocked) {
            break;
        }
    }

    if ($blocked || externalIPQuery($ip)) {
        die("403");
    }
}
/**
 * Resolve the client address. When both Via and X-Forwarded-For are present
 * the request most likely passed through a proxy, so the first forwarded hop
 * is used unless it is Squid's literal 'unknown' or a private/loopback range
 * (10/8, 172.16/12, 192.168/16, 127/8); in every other case REMOTE_ADDR is
 * returned.
 *
 * Both headers are client-controllable, so the returned value is only as
 * trustworthy as the proxy chain in front of this host.
 *
 * @return string
 */
function getREMOTE_ADDR()
{
    // Having both Via and X-Forwarded-For makes a proxy more likely.
    if (!isset($_SERVER['HTTP_VIA']) || !isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        return $_SERVER['REMOTE_ADDR'];
    }

    $hops = preg_split('/[ ,]+/', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $candidate = $hops[0];

    // Guard against Squid's "unknown" value: fall back to REMOTE_ADDR.
    if ($candidate == 'unknown') {
        return $_SERVER['REMOTE_ADDR'];
    }

    // '127.0.0.1/8' is written as a host address; presumably matchCIDR() masks
    // it to 127.0.0.0/8 - verify against the matchCIDR in use.
    $privateRanges = array('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.1/8');
    foreach ($privateRanges as $range) {
        if (matchCIDR($candidate, $range)) {
            return $_SERVER['REMOTE_ADDR'];
        }
    }

    return $candidate;
}
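/**
 * Return true when $IP or $HOST matches any entry of $list.
 *
 * Entry syntax is decided by the number of '/' characters in the entry:
 *   2 -> delimited PCRE pattern ('i' is appended, so it is case-insensitive)
 *   1 -> CIDR range, compared against $IP via matchCIDR()
 *   entry containing '*' or '?' -> anchored, case-insensitive wildcard
 *   anything else -> literal IP, or literal hostname when $HOST differs from $IP
 *
 * Regex and wildcard entries are tried against the hostname first and, when
 * the hostname differs from the address, against the address as well.
 *
 * Entries are used as regex source without escaping, so $list must be trusted
 * configuration rather than user input.
 *
 * @param string   $IP
 * @param string   $HOST reverse-DNS name (compared case-insensitively)
 * @param string[] $list
 * @return bool
 */
function BanIPHostCheck($IP, $HOST, $list)
{
    // IP/Hostname Check
    $HOST = strtolower($HOST);
    // Whether a second pass is needed: when the reverse lookup produced nothing
    // but the address itself, the hostname comparisons would be redundant.
    $checkTwice = $IP !== $HOST;

    // Return on the first hit instead of carrying a flag; the original also
    // assigned an unused $baninfo local, dropped here.
    foreach ($list as $pattern) {
        $slash = substr_count($pattern, '/');
        if ($slash === 2) {
            // RegExp (assumed to already carry its delimiters)
            $pattern .= 'i';
        } elseif ($slash === 1) {
            // CIDR Notation
            if (matchCIDR($IP, $pattern)) {
                return true;
            }
            continue;
        } elseif (strpos($pattern, '*') !== false || strpos($pattern, '?') !== false) {
            // Wildcard: escape dots, '*' -> '.*', '?' -> '.?'
            $pattern = '/^' . str_replace(array('.', '*', '?'), array('\\.', '.*', '.?'), $pattern) . '$/i';
        } else {
            // Full-text
            if ($IP === $pattern || ($checkTwice && $HOST === strtolower($pattern))) {
                return true;
            }
            continue;
        }
        if (preg_match($pattern, $HOST) || ($checkTwice && preg_match($pattern, $IP))) {
            return true;
        }
    }
    return false;
}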
<?php

// Callback endpoint (osmppay): no CSRF token is expected here and only the
// provider's addresses may reach it.
define('NO_CSRF', 1);
$allow_fp = 1;
$rpath = "../";
require_once $_SERVER['DOCUMENT_ROOT'] . "/classes/stdf.php";
require_once $_SERVER['DOCUMENT_ROOT'] . "/classes/osmppay.php";
require_once $_SERVER['DOCUMENT_ROOT'] . "/classes/log.php";

// Caller allow-list. The address is taken from X-Forwarded-For, which is only
// meaningful when a trusted reverse proxy in front of this host always
// overwrites that header; a client reaching PHP directly can set it freely.
$callerIp = $_SERVER['HTTP_X_FORWARDED_FOR'];
$allowedHosts = array('91.142.84.91', '91.142.84.102', '91.142.84.103');
$inProviderRange = matchCIDR($callerIp, "79.142.16.0/20");
$isProviderHost = in_array($callerIp, $allowedHosts, true);
if (!$inProviderRange && !$isProviderHost) {
    // Unknown callers get a 404 rather than a 403, hiding the endpoint.
    header("HTTP/1.1 404 Not Found");
    exit;
}
$account = new osmppay();
$op_id = 0;
$result = 0;
if ($_GET['command'] === "check") {
    if ($_GET['account'] && $_GET['txn_id'] && $_GET['sum']) {
        $error = $account->prepare($result, $_GET['account'], $_GET['txn_id'], $_GET['sum']);
    } else {
        $result = 300;
        $error = "Неполный запрос";
    }
    $comment = $error ? $error : "Аккаунт найден";
} elseif ($_GET['command'] === "pay") {
    $sum = $_GET['sum'];
    if ($sum && $_GET['account'] && $_GET['txn_id'] && $_GET['txn_date']) {
        $error = $account->checkdeposit($op_id, $result, $sum, $_GET['account'], $_GET['txn_id'], $_GET['txn_date']);
        if ($error) {
            $result = 300;
            $error = "Неполный запрос";
        }