程序師世界是廣大編程愛好者互助、分享、學習的平台,程序師世界有你更精彩!
首頁
編程語言
C語言|JAVA編程
Python編程
網頁編程
ASP編程|PHP編程
JSP編程
數據庫知識
MYSQL數據庫|SqlServer數據庫
Oracle數據庫|DB2數據庫
 程式師世界 >> 編程語言 >> 網頁編程 >> PHP編程 >> 關於PHP編程 >> DooDigestAuth php(後台)授權管理類 web浏覽器授權,php網站後台webshell

DooDigestAuth php(後台)授權管理類 web浏覽器授權,php網站後台webshell

編輯:關於PHP編程

DooDigestAuth php(後台)授權管理類 web浏覽器授權,php網站後台webshell


  1 <?php
  2 /**
  3  * DooDigestAuth class file.
  4  *
  5  * @author Leng Sheng Hong <[email protected]>
  6  * @link http://www.doophp.com/
  7  * @copyright Copyright &copy; 2009 Leng Sheng Hong
  8  * @license http://www.doophp.com/license
  9  */
 10 
 11 /**
 12  * Handles HTTP digest authentication
 13  *
 14  * <p>HTTP digest authentication can be used with the URI router.
 15  * HTTP digest is much more recommended over the use of HTTP Basic auth which doesn't provide any encryption.
 16  * If you are running PHP on Apache in CGI/FastCGI mode, you would need to
 17  * add the following line to your .htaccess for digest auth to work correctly.</p>
 18  * <code>RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]</code>
 19  *
 20  * <p>This class is tested under Apache 2.2 and Cherokee web server. It should work in both mod_php and cgi mode.</p>
 21  *
 22  * @author Leng Sheng Hong <[email protected]>
 23  * @version $Id: DooDigestAuth.php 1000 2009-07-7 18:27:22
 24  * @package doo.auth
 25  * @since 1.0
 26  */
 27 class DooDigestAuth{
 28 
 29     /**
 30      * Authenticate against a list of username and passwords.
 31      *
 32      * <p>HTTP Digest Authentication doesn't work with PHP in CGI mode,
 33      * you have to add this into your .htaccess <code>RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]</code></p>
 34      *
 35      * @param string $realm Name of the authentication session
 36      * @param array $users An assoc array of username and password: array('uname1'=>'pwd1', 'uname2'=>'pwd2')
 37      * @param string $fail_msg Message to be displayed if the User cancel the login
 38      * @param string $fail_url URL to be redirect if the User cancel the login
 39      * @return string The username if login success.
 40      */
 41     public static function http_auth($realm, $users, $fail_msg=NULL, $fail_url=NULL){
 42         $realm = "Restricted area - $realm";
 43 
 44         //user => password
 45         //$users = array('admin' => '1234', 'guest' => 'guest');
 46         if(!empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && strpos($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 'Digest')===0){
 47             $_SERVER['PHP_AUTH_DIGEST'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
 48         }
 49 
 50         if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
 51             header('WWW-Authenticate: Digest realm="'.$realm.
 52                    '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
 53             header('HTTP/1.1 401 Unauthorized');
 54             if($fail_msg!=NULL)
 55                 die($fail_msg);
 56             if($fail_url!=NULL)
 57                 die("<script>window.location.href = '$fail_url'</script>");
 58             exit;
 59         }
 60 
 61         // analyze the PHP_AUTH_DIGEST variable
 62         if (!($data = self::http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || !isset($users[$data['username']])){
 63             header('WWW-Authenticate: Digest realm="'.$realm.
 64                    '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
 65             header('HTTP/1.1 401 Unauthorized');
 66             if($fail_msg!=NULL)
 67                 die($fail_msg);
 68             if($fail_url!=NULL)
 69                 die("<script>window.location.href = '$fail_url'</script>");
 70             exit;
 71         }
 72 
 73         // generate the valid response
 74         $A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
 75         $A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
 76         $valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);
 77 
 78         if ($data['response'] != $valid_response){
 79             header('HTTP/1.1 401 Unauthorized');
 80             header('WWW-Authenticate: Digest realm="'.$realm.
 81                    '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
 82             if($fail_msg!=NULL)
 83                 die($fail_msg);
 84             if($fail_url!=NULL)
 85                 die("<script>window.location.href = '$fail_url'</script>");
 86             exit;
 87         }
 88 
 89         // ok, valid username & password
 90         return $data['username'];
 91     }
 92 
 93     /**
 94      * Method to parse the http auth header, works with IE.
 95      *
 96      * Internet Explorer returns a qop="xxxxxxxxxxx" in the header instead of qop=xxxxxxxxxxx as most browsers do.
 97      *
 98      * @param string $txt header string to parse
 99      * @return array An assoc array of the digest auth session
100      */
101     private static function http_digest_parse($txt)
102     {
103         $res = preg_match("/username=\"([^\"]+)\"/i", $txt, $match);
104         $data['username'] = (isset($match[1]))?$match[1]:null;
105         $res = preg_match('/nonce=\"([^\"]+)\"/i', $txt, $match);
106         $data['nonce'] = $match[1];
107         $res = preg_match('/nc=([0-9]+)/i', $txt, $match);
108         $data['nc'] = $match[1];
109         $res = preg_match('/cnonce=\"([^\"]+)\"/i', $txt, $match);
110         $data['cnonce'] = $match[1];
111         $res = preg_match('/qop=([^,]+)/i', $txt, $match);
112         $data['qop'] = str_replace('"','',$match[1]);
113         $res = preg_match('/uri=\"([^\"]+)\"/i', $txt, $match);
114         $data['uri'] = $match[1];
115         $res = preg_match('/response=\"([^\"]+)\"/i', $txt, $match);
116         $data['response'] = $match[1];
117         return $data;
118     }
119 
120 
121 }

 調用方法:

1 require_once(dirname(__FILE__)."/DooDigestAuth.php");
2 DooDigestAuth::http_auth('example.com', array('admin'=>"123456789"));

phpweb授權登錄可有效防止後台暴力破解

 下載地址:http://files.cnblogs.com/files/func/DooDigestAuth.zip

  1. 上一頁:
  2. 下一頁:
Copyright © 程式師世界 All Rights Reserved