function stripArr($arr)
{
$new_arr = array();
foreach ($arr as $k => $v) {
$new_arr[stripStr($k)] = stripStr($v);
}
return $new_arr;
}
function load_xss_record($filename)
{
if (strpos($filename, "..") === false && strpos($filename, "/") === false && strpos($filename, "\\") === false) {
$logFile = dirname(__FILE__) . '/' . DATA_PATH . '/' . $filename . '.php';
if (!file_exists($logFile)) {
return false;
}
$info = @file_get_contents($logFile);
if ($info === false) {
return false;
}
if (strncmp($info, '<?php exit();?>', 15) != 0) {
return false;
}
$info = substr($info, 15);
$info = decrypt($info);
//只会出现在加密密码错误的时候
if (!preg_match('/^[A-Za-z0-9\\x00-\\x80~!@#$%&_+-=:";\'<>,\\/"\\[\\]\\\\^\\.\\|\\?\\*\\+\\(\\)\\{\\}\\s]+$/', $info)) {
return false;
}
$info = json_decode($info, true);
//只会出现在加密密码错误的时候
if ($info === false) {
return false;
}
$isChange = false;
if (!isset($info['location'])) {
$info['location'] = stripStr(convertip($info['user_IP'], IPDATA_PATH));
$isChange = true;
}
//只会出现在加密密码错误的时候
if (!isset($info['request_time'])) {
return false;
}
if ($isChange) {
save_xss_record(json_encode($info), $filename);
}
return $info;
} else {
return false;
}
}
function display_setup_form($error = null)
{
$encrypt_enable = isset($_POST['encrypt_enable']) ? true : false;
$keep_session_enable = isset($_POST['keep_session_enable']) ? true : false;
$mail_enable = isset($_POST['mail_enable']) ? true : false;
$pass = isset($_POST['pass']) ? stripStr($_POST['pass']) : 'bluelotus';
$encrypt_pass = isset($_POST['encrypt_pass']) ? stripStr($_POST['encrypt_pass']) : 'bluelotus';
$mail_pass = isset($_POST['mail_pass']) ? stripStr($_POST['mail_pass']) : 'xxxxxx';
$data_path = isset($_POST['data_path']) ? stripStr(trim($_POST['data_path'])) : 'data';
$js_template_path = isset($_POST['js_template_path']) ? stripStr(trim($_POST['js_template_path'])) : 'template';
$my_js_path = isset($_POST['my_js_path']) ? stripStr(trim($_POST['my_js_path'])) : 'myjs';
$encrypt_type = isset($_POST['encrypt_type']) ? stripStr(trim($_POST['encrypt_type'])) : 'RC4';
$ipdata_path = isset($_POST['ipdata_path']) ? stripStr(trim($_POST['ipdata_path'])) : 'qqwry.dat';
$smtp_server = isset($_POST['smtp_server']) ? stripStr(trim($_POST['smtp_server'])) : 'smtp.xxx.com';
$smtp_port = isset($_POST['smtp_port']) ? stripStr(trim($_POST['smtp_port'])) : '465';
$smtp_secure = isset($_POST['smtp_secure']) ? stripStr(trim($_POST['smtp_secure'])) : 'ssl';
$mail_user = isset($_POST['mail_user']) ? stripStr(trim($_POST['mail_user'])) : '*****@*****.**';
$mail_from = isset($_POST['mail_from']) ? stripStr(trim($_POST['mail_from'])) : '*****@*****.**';
$mail_recv = isset($_POST['mail_recv']) ? stripStr(trim($_POST['mail_recv'])) : '*****@*****.**';
if (!is_null($error)) {
?>
<h1>错误</h1>
<p class="message"><?php
echo stripStr($error);
?>
</p>
<?php
}
?>
<form id="setup" method="post" action="install.php?step=2" novalidate="novalidate">
<table class="form-table">
<tr>
<th scope="row"><label for="pass">后台登录密码</label></th>
<td>
<input name="pass" type="text" id="pass" size="25" value="<?php
echo $pass;
?>
" required="required" />
<p>特殊字符会被转义,慎用,下同</p>
</td>
</tr>
<tr>
<th scope="row"><label for="data_path">xss数据存储路径</label></th>
<td>
<input name="data_path" type="text" id="data_path" size="25" value="<?php
echo $data_path;
?>
" required="required" />
<p>文件夹需要有写权限</p>
</td>
</tr>
<tr>
<th scope="row"><label for="js_template_path">js模板存储路径</label></th>
<td>
<input name="js_template_path" type="text" id="js_template_path" size="25" value="<?php
echo $js_template_path;
?>
" required="required" />
<p>文件夹需要有写权限</p>
</td>
</tr>
<tr>
<th scope="row"><label for="my_js_path">我的js存储路径</label></th>
<td>
<input name="my_js_path" type="text" id="my_js_path" size="25" value="<?php
echo $my_js_path;
?>
" required="required" />
<p>文件夹需要有写权限</p>
</td>
</tr>
<tr>
<th scope="row"><label for="encrypt_enable">启用数据加密</label></th>
<td>
<input type="checkbox" name="encrypt_enable" type="text" id="encrypt_enable" size="25" value="1" <?php
if (!isset($_POST['encrypt_enable']) || $encrypt_enable === true) {
echo 'checked="checked"';
}
?>
/>
<p>对xss记录,js描述文件加密</p>
</td>
</tr>
<tr>
<th scope="row"><label for="encrypt_pass">数据加密密码</label></th>
<td>
<input name="encrypt_pass" type="text" id="encrypt_pass" size="25" value="<?php
echo $encrypt_pass;
?>
" />
<p>加密数据的密码</p>
</td>
</tr>
<tr>
<th scope="row"><label for="encrypt_type">加密方式</label></th>
<td>
<select name="encrypt_type" type="text" id="encrypt_type" size="1">
<option value ="RC4" <?php
if ($encrypt_type === "RC4") {
echo 'selected="selected"';
}
?>
>RC4</option>
<option value ="AES" <?php
if ($encrypt_type !== "RC4") {
echo 'selected="selected"';
}
?>
>AES</option>
</select>
</td>
</tr>
<tr>
<th scope="row"><label for="keep_session_enable">启用keepsession</label></th>
<td>
<input type="checkbox" name="keep_session_enable" type="text" id="keep_session_enable" size="25" value="1" <?php
if (!isset($_POST['keep_session_enable']) || $keep_session_enable === true) {
echo 'checked="checked"';
}
?>
/>
<p>详见README.md说明</p>
</td>
</tr>
<tr>
<th scope="row"><label for="ipdata_path">ip数据库位置</label></th>
<td>
<input name="ipdata_path" type="text" id="ipdata_path" size="25" value="<?php
echo $ipdata_path;
?>
" required="required" />
<p>纯真qqwry.dat位置</p>
</td>
</tr>
<tr>
<th scope="row"><label for="mail_enable">启用邮件通知</label></th>
<td>
<input type="checkbox" name="mail_enable" type="text" id="mail_enable" size="25" value="1" <?php
if ($mail_enable === true) {
echo 'checked="checked"';
}
?>
/>
<p>收到xss消息后邮件通知</p>
</td>
</tr>
<tr>
<th scope="row"><label for="smtp_server">SMTP服务器</label></th>
<td>
<input name="smtp_server" type="text" id="smtp_server" size="25" value="<?php
echo $smtp_server;
?>
" />
<p>SMTP服务器地址</p>
</td>
</tr>
<tr>
<th scope="row"><label for="smtp_port">SMTP服务器端口</label></th>
<td>
<input name="smtp_port" type="text" id="smtp_port" size="25" value="<?php
echo $smtp_port;
?>
" />
<p>详询服务提供商</p>
</td>
</tr>
<tr>
<th scope="row"><label for="smtp_secure">SMTP安全项</label></th>
<td>
<input name="smtp_secure" type="text" id="smtp_secure" size="25" value="<?php
echo $smtp_secure;
?>
" />
<p>默认无需修改</p>
</td>
</tr>
<tr>
<th scope="row"><label for="mail_user">SMTP用户名</label></th>
<td>
<input name="mail_user" type="text" id="mail_user" size="25" value="<?php
echo $mail_user;
?>
" />
<p>一般只是邮箱@之前的部分</p>
</td>
</tr>
<tr>
<th scope="row"><label for="mail_pass">SMTP密码</label></th>
<td>
<input name="mail_pass" type="text" id="mail_pass" size="25" value="<?php
echo $mail_pass;
?>
" />
<p>发件邮箱的密码</p>
</td>
</tr>
<tr>
<th scope="row"><label for="mail_from">发件人地址</label></th>
<td>
<input name="mail_from" type="text" id="mail_from" size="25" value="<?php
echo $mail_from;
?>
" />
<p>不可伪造,否者无法发送</p>
</td>
</tr>
<tr>
<th scope="row"><label for="mail_recv">收件人地址</label></th>
<td>
<input name="mail_recv" type="text" id="mail_recv" size="25" value="<?php
echo $mail_recv;
?>
" />
<p>接收通知的邮件地址</p>
</td>
</tr>
</table>
<p class="step"><input name="submit" type="submit" value="提交" class="button button-large"></p>
</form>
<?php
}
function js_name_and_desc_list($path)
{
$list = array();
$files = glob($path . '/*.js');
arsort($files);
foreach ($files as $file) {
//由于可能有中文名,故使用正则来提取文件名
$item = array();
$item['js_uri'] = $file;
$filename = preg_replace('/^.+[\\\\\\/]/', '', $file);
$filename = substr($filename, 0, strlen($filename) - 3);
$item['js_name'] = $filename;
$item['js_name_abbr'] = stripStr($filename);
$result = @file_get_contents(dirname(__FILE__) . '/' . $path . '/' . $filename . '.desc');
$result = $result ? $result : "";
$result = decrypt($result);
if (json_encode($result) === false) {
$result = "加密密码不符,无法获得描述";
}
$item['js_description'] = $result;
$item['js_description_abbr'] = stripStr($result);
//特别注意:只有js_name_abbr,js_description_abbr经过stripStr处理
$list[] = $item;
}
return $list;
}
$request_time = isset($_SERVER['REQUEST_TIME']) ? $_SERVER['REQUEST_TIME'] : time();
$headers_data = getallheaders();
//如果提交的数据有base64编码的就解码
$get_data = $_GET;
$decoded_get_data = tryBase64Decode($_GET);
$post_data = $_POST;
$decoded_post_data = tryBase64Decode($_POST);
$cookie_data = $_COOKIE;
$decoded_cookie_data = tryBase64Decode($_COOKIE);
//防xss过滤,对array要同时处理key与value
$info['user_IP'] = stripStr($user_IP);
$info['user_port'] = stripStr($user_port);
$info['protocol'] = stripStr($protocol);
$info['request_method'] = stripStr($request_method);
$info['request_URI'] = stripStr($request_URI);
$info['request_time'] = stripStr($request_time);
$info['headers_data'] = stripArr($headers_data);
$info['get_data'] = stripArr($get_data);
if ($decoded_get_data) {
$info['decoded_get_data'] = stripArr($decoded_get_data);
}
$info['post_data'] = stripArr($post_data);
if ($decoded_post_data) {
$info['decoded_post_data'] = stripArr($decoded_post_data);
}
$info['cookie_data'] = stripArr($cookie_data);
if ($decoded_cookie_data) {
$info['decoded_cookie_data'] = stripArr($decoded_cookie_data);
}
//判断是否keepsession(判断标准:get或者post或者cookie包含keepsession=1)
$info['keepsession'] = isKeepSession($info) ? true : false;
