首页 发现 帮助
登录
TC
/
TeaBag
1
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: d787e0a0a3
分支列表 标签列表
TeaBag
/
run
/
www
/
auth.php

auth.php 6.1 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190 
  1. <?php
    2. 

  2. /*
    3. 

  3. ArOZ Online Auth Script
    4. 

  4. This script is designed to provide all auth function for the whole ArOZ Online System
    5. 

  5. Please do not modify this script unless you know what you are doing.
    6. 

  6. 

  7. CopyRight ArOZ Online Project feat. IMUS Laboratory, All right reserved.
    8. 

  8. Developed by Toby Chui since 2016
    9. 

  9. */
    10. 

  10. 

  11. //Uncomment the following line for emergency terminating all services on ArOZ Online System
    12. 

  12. //header("HTTP/1.0 503 Service Unavailable"); echo "<p>ArOZ Online System on this site has been emergency shut down by system administrator.</p>"; exit(0);
    13. 

  13. header('aoAuth: v1.0');
    14. 

  14. if (session_status() == PHP_SESSION_NONE) {
    15. 

  15.     session_start();
    16. 

  16. }
    17. 

  17. //Auth System Settings. DO NOT TOUCH THESE VALUES
    18. 

  18. $maxAuthscriptDepth = 32;
    19. 

  19. $sysConfigDir = "userdata/"; //Remember to end with "/"
    20. 

  20. 

  21. //You can get the following variable from any script that included this auth script.
    22. 

  22. /*
    23. 

  23. $sysConfigDir --> Location of the ArOZ Online Storage Directory, usually C:/AOB/ on Windows or /etc/AOB/ on Linux
    24. 

  24. $rootPath --> Relative directory to root, in backslash format (aka ../)
    25. 

  25. */
    26. 

  26. function checkIfCookieSeedsMatch($seedsbank,$cookieString){
    27. 

  27. 	$data = explode("_",$cookieString);
    28. 

  28. 	$timestamp = $data[0];
    29. 

  29. 	$seedfile = $seedsbank . $timestamp . '.auth';
    30. 

  30. 	if (time() > $timestamp){
    31. 

  31. 		if (file_exists($seedfile)){
    32. 

  32. 			//This session has been expired. Remove the session from server side
    33. 

  33. 			unlink($seedfile);
    34. 

  34. 		}
    35. 

  35. 		return false;
    36. 

  36. 	}
    37. 

  37. 	$seeds = $data[1];
    38. 

  38. 	
    39. 

  39. 	if (file_exists($seedfile)){
    40. 

  40. 		$seedvalue = file_get_contents($seedfile);
    41. 

  41. 		if ($seedvalue == $seeds){
    42. 

  42. 			return true;
    43. 

  43. 		}else{
    44. 

  44. 			return false;
    45. 

  45. 		}
    46. 

  46. 	}else{
    47. 

  47. 		return false;
    48. 

  48. 	}
    49. 

  49. }
    50. 

  50. 

  51. 

  52. $databasePath = "";
    53. 

  53. if ($sysConfigDir == ""){
    54. 

  54. 	if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
    55. 

  55. 		$sysConfigDir = "C:/AOB/";
    56. 

  56. 	}else{
    57. 

  57. 		$sysConfigDir = "/etc/AOB/";
    58. 

  58. 	}
    59. 

  59. }else{
    60. 

  60. 	//This system use a specially configured root location. Append that to system root.inf if this is launched on the root location.
    61. 

  61. 	if(file_exists("root.inf")){
    62. 

  62. 		file_put_contents("root.inf",$sysConfigDir);
    63. 

  63. 	}
    64. 

  64. }
    65. 

  65. 

  66. $databasePath = $sysConfigDir . "whitelist.config";
    67. 

  67. $seedsbank = $sysConfigDir . "cookieseeds/";
    68. 

  68. 

  69. if (file_exists($seedsbank) == false){
    70. 

  70. 	if (!@mkdir($seedsbank,0777,true)){
    71. 

  71. 	    //mkdir failed. Try to override it with sudo permission if on linux.
    72. 

  72. 	    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
    73. 

  73. 	        die("ERRPR. Unable to write to directory: " . $seedsbank);
    74. 

  74. 	    }else{
    75. 

  75. 	        exec('sudo mkdir "' . realpath($seedsbank) . '"');
    76. 

  76. 	        exec('sudo chmod 777 "' . realpath($seedsbank) . '"');
    77. 

  77. 	    }
    78. 

  78. 	}
    79. 

  79. }
    80. 

  80. 

  81. if (isset($_POST['username']) && isset($_POST['apwd']) && isset($_POST['rmbm'])){
    82. 

  82. 	$loginContent = file_get_contents($databasePath);
    83. 

  83. 	$loginContent = explode("\n",$loginContent);
    84. 

  84. 	$rememberMe = $_POST['rmbm'];
    85. 

  85. 	if ($rememberMe == "on"){
    86. 

  86. 		//There might be auto login. Check if the password field matched any seed first.
    87. 

  87. 		if (checkIfCookieSeedsMatch($seedsbank,$_POST['apwd'])){
    88. 

  88. 			//Update the current cookies
    89. 

  89. 			$cookieExpireTime = time()+ 172800;
    90. 

  90. 			setcookie("username",$_POST["username"],$cookieExpireTime );
    91. 

  91. 			$password = $_POST["apwd"];
    92. 

  92. 			$rndnum = rand(10000000, 90000000);
    93. 

  93. 			$seedString = hash("sha512",$password . $rndnum);
    94. 

  94. 			setcookie("password",$cookieExpireTime . "_" . $seedString,$cookieExpireTime);
    95. 

  95. 			file_put_contents($seedsbank . $cookieExpireTime . '.auth',$seedString);
    96. 

  96. 			$_SESSION['login'] = $_POST["username"];
    97. 

  97. 			echo "DONE. Login suceed.";
    98. 

  98. 			exit();
    99. 

  99. 		}
    100. 

  100. 		$rememberMe = true;
    101. 

  101. 	}else{
    102. 

  102. 		$rememberMe = false;
    103. 

  103. 	}
    104. 

  104. 	
    105. 

  105. 	$cookieContent = "";
    106. 

  106. 	if ($rememberMe){
    107. 

  107. 		setcookie("username",$_POST["username"],time()+ 172800 );
    108. 

  108. 		//Updates in 28-9-2018, removed raw password storage in cookie (who the hell think of this in the first place lol)
    109. 

  109. 		//setcookie("password",$_POST["apwd"],time()+ 172800 );
    110. 

  110. 		$cookieExpireTime = time()+ 172800;
    111. 

  111. 		$password = $_POST["apwd"];
    112. 

  112. 		$rndnum = rand(10000000, 90000000);
    113. 

  113. 		if ($password == ""){
    114. 

  114. 			echo "ERROR. Password cannot be empty.";
    115. 

  115. 			exit();
    116. 

  116. 		}
    117. 

  117. 		$seedString = hash("sha512",$password . $rndnum);
    118. 

  118. 		$cookieContent = $seedString;
    119. 

  119. 	}else{
    120. 

  120. 		setcookie("username","",time()+ 172800);
    121. 

  121. 		setcookie("password","",time()+ 172800);
    122. 

  122. 	}
    123. 

  123. 	foreach ($loginContent as $registedUserData){
    124. 

  124. 		if ($registedUserData != ""){
    125. 

  125. 			$chunk = explode(",",$registedUserData);
    126. 

  126. 			$username = $chunk[0];
    127. 

  127. 			$hasedpw = $chunk[1];
    128. 

  128. 			if ($username == $_POST['username']){
    129. 

  129. 				$hashedInput = hash('sha512', $_POST['apwd']);
    130. 

  130. 				if (trim(strtoupper($hasedpw)) == trim(strtoupper($hashedInput))){
    131. 

  131. 					//Login suceed
    132. 

  132. 					$_SESSION['login'] = $username;
    133. 

  133. 					if ($rememberMe && $cookieContent != ""){
    134. 

  134. 						//Store the cookie to browser as well as the server side for future access
    135. 

  135. 						setcookie("password",$cookieExpireTime . "_" . $cookieContent,time()+ 172800);
    136. 

  136. 						file_put_contents($seedsbank . $cookieExpireTime . '.auth',$cookieContent);
    137. 

  137. 					}
    138. 

  138. 					echo "DONE. Login suceed.";
    139. 

  139. 					exit();
    140. 

  140. 				}else{
    141. 

  141. 					echo "ERROR. Password incorrect";
    142. 

  142. 					exit();
    143. 

  143. 				}
    144. 

  144. 			}
    145. 

  145. 		}
    146. 

  146. 		
    147. 

  147. 	}
    148. 

  148. 	echo "ERROR. Username not find.";
    149. 

  149. 	exit();
    150. 

  150. }
    151. 

  151. 

  152. if (file_exists($databasePath)){
    153. 

  153. 	$actual_link = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
    154. 

  154. 	$rootPath = "";
    155. 

  155. 	if (file_exists("root.inf")){
    156. 

  156. 		//The script is running on the root folder
    157. 

  157. 	}else{
    158. 

  158. 		//The script is not running on the root folder, find upward and see where is the root file is placed.
    159. 

  159. 		for ($x = 0; $x <= $maxAuthscriptDepth; $x++) {
    160. 

  160. 			if (file_exists($rootPath . "/root.inf")){
    161. 

  161. 				break;
    162. 

  162. 			}else{
    163. 

  163. 				$rootPath = $rootPath . "../";
    164. 

  164. 			}
    165. 

  165. 		} 
    166. 

  166. 	}
    167. 

  167. if (session_id() == '' || !isset($_SESSION['login']) || $_SESSION['login'] == "") {
    168. 

  168. 	//echo $actual_link;
    169. 

  169. 	header('Location: ' . $rootPath .'login.php?target=' . str_replace("&","%26",$actual_link));
    170. 

  170. 	exit();
    171. 

  171. }else{
    172. 

  172. 	//session exists. Let the user go through with updates cookie
    173. 

  173. 	if (isset($_COOKIE['username']) && $_COOKIE['username'] != "") {
    174. 

  174. 		setcookie("username",$_COOKIE["username"],time()+ 172800 );
    175. 

  175. 		setcookie("password",$_COOKIE["password"],time()+ 172800 );
    176. 

  176. 	}else{
    177. 

  177. 		//cookie expired. Request for another update with login
    178. 

  178. 		$_SESSION['login'] = "";
    179. 

  179. 		header('Location: ' . $rootPath .'login.php?target=' . str_replace("&","%26",$actual_link));
    180. 

  180. 		exit();
    181. 

  181. 	}
    182. 

  182. 	
    183. 

  183. }
    184. 

  184. }else{
    185. 

  185. 	//Database file do not exists. As the user to create one
    186. 

  186. 	header("Location: regi.php");
    187. 

  187. 	exit();
    188. 

  188. 	
    189. 

  189. }
    190. 

  190. ?>
    191.