/**
 * Return a copy of $arr in which every key and every value has been passed
 * through stripStr().
 *
 * Keys are filtered as well as values: the arrays handed to this function in
 * this file are request headers, GET, POST and cookie data, where the sender
 * chooses the key names too.
 *
 * If two different keys map to the same filtered key, the later entry
 * overwrites the earlier one.
 *
 * NOTE(review): values are forwarded to stripStr() unchanged, so a nested
 * array value (PHP builds one for a parameter such as "a[]=1") reaches
 * stripStr() as an array. stripStr() is defined elsewhere; confirm it
 * tolerates that input.
 *
 * @param array $arr Map to filter.
 * @return array New map with filtered keys and values.
 */
function stripArr($arr)
{
    $clean = array();

    foreach ($arr as $rawKey => $rawValue) {
        $cleanKey = stripStr($rawKey);
        $clean[$cleanKey] = stripStr($rawValue);
    }

    return $clean;
}
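/**
 * Load one stored record from DATA_PATH, decrypt it and decode it to an array.
 *
 * The record file is "<DATA_PATH>/<filename>.php" next to this source file.
 * It must start with the 15-byte PHP exit header (presumably so that a direct
 * HTTP request for the data file produces no output); everything after the
 * header is passed to decrypt() and then parsed as JSON.
 *
 * A record without a 'location' field gets one computed from 'user_IP' via
 * convertip() and filtered with stripStr(); the updated record is then
 * written back with save_xss_record(). All other fields are returned exactly
 * as decoded.
 *
 * @param string $filename Record name, without directory or extension.
 * @return array|false The decoded record, or false when the name is rejected,
 *                     the file is missing or unreadable, the header is
 *                     absent, or the decrypted payload is not a JSON
 *                     object/array carrying 'request_time'.
 */
function load_xss_record($filename)
{
    // The name is concatenated into a filesystem path below, so anything that
    // could leave DATA_PATH is refused: parent references and both separator
    // styles. A NUL byte is refused as well so the ".php" suffix appended
    // below always stays part of the path.
    if (strpos($filename, "..") !== false
        || strpos($filename, "/") !== false
        || strpos($filename, "\\") !== false
        || strpos($filename, "\0") !== false
    ) {
        return false;
    }

    $logFile = dirname(__FILE__) . '/' . DATA_PATH . '/' . $filename . '.php';
    if (!file_exists($logFile)) {
        return false;
    }

    $info = @file_get_contents($logFile);
    if ($info === false) {
        return false;
    }

    // Every record file must begin with the exit header; strip it before decrypting.
    if (strncmp($info, '<?php exit();?>', 15) !== 0) {
        return false;
    }
    $info = decrypt(substr($info, 15));

    // Fails only when the encryption password is wrong: the decrypted bytes
    // then fall outside the character set a stored JSON record can contain.
    if (!preg_match('/^[A-Za-z0-9\\x00-\\x80~!@#$%&_+-=:";\'<>,\\/"\\[\\]\\\\^\\.\\|\\?\\*\\+\\(\\)\\{\\}\\s]+$/', $info)) {
        return false;
    }

    // json_decode() reports malformed input with null, not false, and valid
    // JSON can still be a bare scalar. Only an array can be a record, so
    // anything else is treated as a decode failure before it is indexed.
    $info = json_decode($info, true);
    if (!is_array($info)) {
        return false;
    }

    // Back-fill the location for records stored without one.
    $isChange = false;
    if (!isset($info['location'])) {
        $info['location'] = stripStr(convertip($info['user_IP'], IPDATA_PATH));
        $isChange = true;
    }

    // A record without a request time is not usable (again, in practice only
    // seen with a wrong encryption password); nothing is written back.
    if (!isset($info['request_time'])) {
        return false;
    }

    if ($isChange) {
        save_xss_record(json_encode($info), $filename);
    }

    return $info;
}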
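/**
 * Print the installer's settings form, pre-filled from $_POST or from defaults.
 *
 * Every posted text value is passed through stripStr() before it is echoed
 * into a value attribute. The three password values are used as posted; all
 * other text values are trimmed first. $error is also passed through
 * stripStr() before it is printed.
 *
 * On the first display ($_POST is empty) the "encrypt" and "keepsession"
 * boxes are ticked by default; once a form has been posted, every checkbox
 * reflects what was posted, so a box the operator cleared stays cleared when
 * the form is shown again with an error.
 *
 * Points for whoever deploys this:
 *  - The admin and encryption password defaults are fixed strings in this
 *    source and therefore known to anyone who has the code; they are only
 *    meant as placeholders to be replaced during setup.
 *  - The password inputs are type="text", so the values are visible on screen
 *    and in the re-rendered HTML. NOTE(review): consider type="password".
 *  - RC4 is the preselected cipher. It is no longer regarded as safe for new
 *    deployments; AES is the stronger of the two offered options.
 *
 * @param string|null $error Message shown above the form; null prints no error block.
 * @return void
 */
function display_setup_form($error = null)
{
    // An empty $_POST means the form has not been submitted yet, so the
    // default-on checkboxes start ticked. After a submission an unticked box
    // is simply absent from $_POST and must be shown unticked.
    $is_first_display = empty($_POST);
    $encrypt_enable = $is_first_display || isset($_POST['encrypt_enable']);
    $keep_session_enable = $is_first_display || isset($_POST['keep_session_enable']);
    $mail_enable = isset($_POST['mail_enable']);

    // Secrets: filtered but deliberately not trimmed.
    $pass = isset($_POST['pass']) ? stripStr($_POST['pass']) : 'bluelotus';
    $encrypt_pass = isset($_POST['encrypt_pass']) ? stripStr($_POST['encrypt_pass']) : 'bluelotus';
    $mail_pass = isset($_POST['mail_pass']) ? stripStr($_POST['mail_pass']) : 'xxxxxx';

    // Paths and plain settings: trimmed, then filtered.
    $data_path = isset($_POST['data_path']) ? stripStr(trim($_POST['data_path'])) : 'data';
    $js_template_path = isset($_POST['js_template_path']) ? stripStr(trim($_POST['js_template_path'])) : 'template';
    $my_js_path = isset($_POST['my_js_path']) ? stripStr(trim($_POST['my_js_path'])) : 'myjs';
    $encrypt_type = isset($_POST['encrypt_type']) ? stripStr(trim($_POST['encrypt_type'])) : 'RC4';
    $ipdata_path = isset($_POST['ipdata_path']) ? stripStr(trim($_POST['ipdata_path'])) : 'qqwry.dat';
    $smtp_server = isset($_POST['smtp_server']) ? stripStr(trim($_POST['smtp_server'])) : 'smtp.xxx.com';
    $smtp_port = isset($_POST['smtp_port']) ? stripStr(trim($_POST['smtp_port'])) : '465';
    $smtp_secure = isset($_POST['smtp_secure']) ? stripStr(trim($_POST['smtp_secure'])) : 'ssl';
    $mail_user = isset($_POST['mail_user']) ? stripStr(trim($_POST['mail_user'])) : '*****@*****.**';
    $mail_from = isset($_POST['mail_from']) ? stripStr(trim($_POST['mail_from'])) : '*****@*****.**';
    $mail_recv = isset($_POST['mail_recv']) ? stripStr(trim($_POST['mail_recv'])) : '*****@*****.**';

    if (!is_null($error)) {
?>
<h1>错误</h1>
<p class="message"><?php echo stripStr($error); ?></p>
<?php
    }
?>
<form id="setup" method="post" action="install.php?step=2" novalidate="novalidate">
    <table class="form-table">
        <tr>
            <th scope="row"><label for="pass">后台登录密码</label></th>
            <td>
                <input name="pass" type="text" id="pass" size="25" value="<?php echo $pass; ?>" required="required" />
                <p>特殊字符会被转义,慎用,下同</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="data_path">xss数据存储路径</label></th>
            <td>
                <input name="data_path" type="text" id="data_path" size="25" value="<?php echo $data_path; ?>" required="required" />
                <p>文件夹需要有写权限</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="js_template_path">js模板存储路径</label></th>
            <td>
                <input name="js_template_path" type="text" id="js_template_path" size="25" value="<?php echo $js_template_path; ?>" required="required" />
                <p>文件夹需要有写权限</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="my_js_path">我的js存储路径</label></th>
            <td>
                <input name="my_js_path" type="text" id="my_js_path" size="25" value="<?php echo $my_js_path; ?>" required="required" />
                <p>文件夹需要有写权限</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="encrypt_enable">启用数据加密</label></th>
            <td>
                <input type="checkbox" name="encrypt_enable" id="encrypt_enable" size="25" value="1" <?php if ($encrypt_enable === true) { echo 'checked="checked"'; } ?> />
                <p>对xss记录,js描述文件加密</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="encrypt_pass">数据加密密码</label></th>
            <td>
                <input name="encrypt_pass" type="text" id="encrypt_pass" size="25" value="<?php echo $encrypt_pass; ?>" />
                <p>加密数据的密码</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="encrypt_type">加密方式</label></th>
            <td>
                <select name="encrypt_type" id="encrypt_type" size="1">
                    <option value ="RC4" <?php if ($encrypt_type === "RC4") { echo 'selected="selected"'; } ?> >RC4</option>
                    <option value ="AES" <?php if ($encrypt_type !== "RC4") { echo 'selected="selected"'; } ?> >AES</option>
                </select>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="keep_session_enable">启用keepsession</label></th>
            <td>
                <input type="checkbox" name="keep_session_enable" id="keep_session_enable" size="25" value="1" <?php if ($keep_session_enable === true) { echo 'checked="checked"'; } ?> />
                <p>详见README.md说明</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="ipdata_path">ip数据库位置</label></th>
            <td>
                <input name="ipdata_path" type="text" id="ipdata_path" size="25" value="<?php echo $ipdata_path; ?>" required="required" />
                <p>纯真qqwry.dat位置</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="mail_enable">启用邮件通知</label></th>
            <td>
                <input type="checkbox" name="mail_enable" id="mail_enable" size="25" value="1" <?php if ($mail_enable === true) { echo 'checked="checked"'; } ?> />
                <p>收到xss消息后邮件通知</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="smtp_server">SMTP服务器</label></th>
            <td>
                <input name="smtp_server" type="text" id="smtp_server" size="25" value="<?php echo $smtp_server; ?>" />
                <p>SMTP服务器地址</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="smtp_port">SMTP服务器端口</label></th>
            <td>
                <input name="smtp_port" type="text" id="smtp_port" size="25" value="<?php echo $smtp_port; ?>" />
                <p>详询服务提供商</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="smtp_secure">SMTP安全项</label></th>
            <td>
                <input name="smtp_secure" type="text" id="smtp_secure" size="25" value="<?php echo $smtp_secure; ?>" />
                <p>默认无需修改</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="mail_user">SMTP用户名</label></th>
            <td>
                <input name="mail_user" type="text" id="mail_user" size="25" value="<?php echo $mail_user; ?>" />
                <p>一般只是邮箱@之前的部分</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="mail_pass">SMTP密码</label></th>
            <td>
                <input name="mail_pass" type="text" id="mail_pass" size="25" value="<?php echo $mail_pass; ?>" />
                <p>发件邮箱的密码</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="mail_from">发件人地址</label></th>
            <td>
                <input name="mail_from" type="text" id="mail_from" size="25" value="<?php echo $mail_from; ?>" />
                <p>不可伪造,否者无法发送</p>
            </td>
        </tr>
        <tr>
            <th scope="row"><label for="mail_recv">收件人地址</label></th>
            <td>
                <input name="mail_recv" type="text" id="mail_recv" size="25" value="<?php echo $mail_recv; ?>" />
                <p>接收通知的邮件地址</p>
            </td>
        </tr>
    </table>
    <p class="step"><input name="submit" type="submit" value="提交" class="button button-large"></p>
</form>
<?php
}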
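/**
 * List the *.js files found in $path together with their stored descriptions.
 *
 * Files are returned in descending order of their path. For each script the
 * description is read from "<name>.desc" in the same directory (resolved
 * relative to this source file), passed through decrypt(), and replaced by a
 * fixed notice when the result cannot be JSON-encoded, which is how a wrong
 * encryption password shows up here.
 *
 * Each entry has five keys: js_uri, js_name, js_name_abbr, js_description and
 * js_description_abbr. ONLY the two *_abbr values have been passed through
 * stripStr(). js_uri, js_name and js_description are raw file names and raw
 * decrypted text, so a caller that prints them into a page has to escape them
 * itself.
 *
 * @param string $path Directory holding the scripts.
 * @return array List of entries as described above; empty when no script
 *               matches or the directory cannot be listed.
 */
function js_name_and_desc_list($path)
{
    $list = array();

    // glob() returns false on error; treat that as "no scripts" instead of
    // handing false to arsort() and foreach.
    $files = glob($path . '/*.js');
    if ($files === false) {
        return $list;
    }
    arsort($files);

    foreach ($files as $file) {
        // File names may contain Chinese characters, so the directory part is
        // cut off with a regex.
        $filename = preg_replace('/^.+[\\\\\\/]/', '', $file);
        // Drop the trailing ".js".
        $filename = substr($filename, 0, -3);

        $item = array();
        $item['js_uri'] = $file;
        $item['js_name'] = $filename;
        $item['js_name_abbr'] = stripStr($filename);

        // A missing or unreadable description file counts as an empty description.
        $result = @file_get_contents(dirname(__FILE__) . '/' . $path . '/' . $filename . '.desc');
        $result = $result ? $result : "";
        $result = decrypt($result);

        // json_encode() returns false for text it cannot encode; that is used
        // here as the sign that decryption produced garbage.
        if (json_encode($result) === false) {
            $result = "加密密码不符,无法获得描述";
        }

        $item['js_description'] = $result;
        $item['js_description_abbr'] = stripStr($result);

        // Important: only js_name_abbr and js_description_abbr went through stripStr().
        $list[] = $item;
    }

    return $list;
}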
// Collect everything known about the incoming request into $info.
// $user_IP, $user_port, $protocol, $request_method and $request_URI are read
// below but assigned before this point, outside the visible excerpt.

// Request timestamp; falls back to the current time when the server did not
// provide REQUEST_TIME.
$request_time = isset($_SERVER['REQUEST_TIME']) ? $_SERVER['REQUEST_TIME'] : time();
$headers_data = getallheaders();

// If the submitted data contains base64-encoded values, decode them.
// The raw copy and the decoded copy are kept side by side.
$get_data = $_GET;
$decoded_get_data = tryBase64Decode($_GET);
$post_data = $_POST;
$decoded_post_data = tryBase64Decode($_POST);
$cookie_data = $_COOKIE;
$decoded_cookie_data = tryBase64Decode($_COOKIE);

// Anti-XSS filtering; for arrays both the keys and the values are processed.
// Every value stored in $info goes through stripStr()/stripArr() first. The
// decoded copies are filtered after decoding, so the filter sees the decoded
// text rather than its base64 form.
$info['user_IP'] = stripStr($user_IP);
$info['user_port'] = stripStr($user_port);
$info['protocol'] = stripStr($protocol);
$info['request_method'] = stripStr($request_method);
$info['request_URI'] = stripStr($request_URI);
$info['request_time'] = stripStr($request_time);
$info['headers_data'] = stripArr($headers_data);
$info['get_data'] = stripArr($get_data);
// A decoded copy is stored only when tryBase64Decode() returned a truthy value.
if ($decoded_get_data) {
    $info['decoded_get_data'] = stripArr($decoded_get_data);
}
$info['post_data'] = stripArr($post_data);
if ($decoded_post_data) {
    $info['decoded_post_data'] = stripArr($decoded_post_data);
}
$info['cookie_data'] = stripArr($cookie_data);
if ($decoded_cookie_data) {
    $info['decoded_cookie_data'] = stripArr($decoded_cookie_data);
}

// Decide whether this is a keepsession request (criterion: GET, POST or
// cookie data contains keepsession=1). The check runs on the filtered $info.
$info['keepsession'] = isKeepSession($info) ? true : false;