Файловый менеджер

Файловый менеджер - Редактировать - /var/www/portal.bdu.ac.bd/public_html/wp-content/plugins/hide-my-wp/models/Brute.php

Назад
<?php /** * Brute Force Protection Model * Called from Brute Force Class * * @file The Brute Force Model file * @package HMWP/BruteForce * @since 4.2.0 / defined('ABSPATH') \|\| die('Cheatin\' uh?'); class HMWP_Models_Brute { /* * The user IP address * @var string / protected $user_ip; public $response; /* * Retrives and sets the ip address the person logging in * * @return string / public function brute_get_ip() { if (isset($this->user_ip)) { return $this->user_ip; } if(!isset($_SERVER['REMOTE_ADDR'])) { return '127.0.0.1'; } $ip = $_SERVER['REMOTE_ADDR']; $trusted_header = HMWP_Classes_Tools::getOption('trusted_ip_header'); if (is_string($trusted_header) && $trusted_header <> '') { if (isset($_SERVER[$trusted_header])) { $ip = $_SERVER[$trusted_header]; } } $ips = array_reverse(explode(', ', $ip)); foreach ($ips as $ip) { $ip = $this->clean_ip($ip); // If the IP is in a private or reserved range, keep looking if ($ip == '127.0.0.1' \|\| $ip == '::1' \|\| $this->ip_is_private($ip)) { continue; } else { $this->user_ip = $ip; return $this->user_ip; } } $this->user_ip = $this->clean_ip($_SERVER['REMOTE_ADDR']); return $this->user_ip; } /* * Clean the IP address if altered * @param $ip * @return mixed\|string / public function clean_ip($ip) { $ip = trim($ip); // Check for IPv4 IP cast as IPv6 if (preg_match('/^::ffff:(\d+\.\d+\.\d+\.\d+)$/', $ip, $matches)) { $ip = $matches[1]; } return $ip; } /* * Checks an IP to see if it is within a private range * * @param string $ip * @return bool / public function ip_is_private($ip) { $pri_addrs = array( '10.0.0.0\|10.255.255.255', // single class A network '172.16.0.0\|172.31.255.255', // 16 contiguous class B network '192.168.0.0\|192.168.255.255', // 256 contiguous class C network '169.254.0.0\|169.254.255.255', // Link-local address also refered to as Automatic Private IP Addressing '127.0.0.0\|127.255.255.255' // localhost ); $long_ip = ip2long($ip); if ($long_ip != -1) { foreach ($pri_addrs AS $pri_addr) { list ($start, $end) = explode('\|', $pri_addr); // IF IS PRIVATE if ($long_ip >= ip2long($start) && $long_ip <= ip2long($end)) { return true; } } } return false; } /* * Generate a pivacy key * @return string / public function get_privacy_key() { // Privacy key generation uses the NONCE_SALT + admin email-- admin email is // used to prevent identical privacy keys if NONCE_SALT is not customized return substr(md5(NONCE_SALT . get_site_option('admin_email')), 5, 10); } /* * Checks the status for a given IP. API results are cached as transients in the wp_options table * * @return array\|mixed * @throws Exception / public function brute_check_loginability() { $ip = $this->brute_get_ip(); $transient_name = 'hmwp_brute_' . md5($ip); $transient_value = $this->get_transient($transient_name); //Never block login from whitelisted IPs if ($this->check_whitelisted_ip($ip)) { $transient_value['status'] = 'whitelist'; return $transient_value; } //Check out our transients if (isset($transient_value['status']) && $transient_value['status'] == 'ok') { return $transient_value; } if (isset($transient_value['status']) && $transient_value['status'] == 'blocked') { //there is a current block-- prevent login $this->brute_kill_login(); } //If we've reached this point, this means that the IP isn't cached. //Now we check to see if we should allow login $response = $this->brute_call('check_ip'); if ($response['status'] == 'blocked') { $this->brute_kill_login(); } return $response; } /* * Check if the current IP address is whitelisted by the user * * @param string $ip * @return bool / public function check_whitelisted_ip($ip) { if(HMWP_Classes_Tools::isWhitelistedIP($ip)){ return true; } return false; } /* * Get the current local host * * @return mixed\|string / public function brute_get_local_host() { if (isset($this->local_host)) { return $this->local_host; } $uri = 'http://' . strtolower($_SERVER['HTTP_HOST']); if (HMWP_Classes_Tools::isMultisites()) { $uri = network_home_url(); } $uridata = parse_url($uri); $domain = $uridata['host']; //if we still don't have it, get the site_url if (!$domain) { $uri = get_site_url(1); $uridata = parse_url($uri); if (isset($uridata['host'])) { $domain = $uridata['host']; } } $this->local_host = $domain; return $this->local_host; } /* * Count the number of fail attempts * * @return false\|int\|mixed / public function brute_get_blocked_attempts() { $blocked_count = get_site_option('bruteprotect_blocked_attempt_count'); if (!$blocked_count) { $blocked_count = 0; } return $blocked_count; } /* * Finds out if this site is using http or https * * @return string / public function brute_get_protocol() { return (is_ssl()) ? "https://" : "http://"; } /* * Get all IP headers so that we can process on our server... * * @return array / public function brute_get_headers() { $o = array(); $ip_related_headers = array( 'GD_PHP_HANDLER', 'HTTP_AKAMAI_ORIGIN_HOP', 'HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_FASTLY_CLIENT_IP', 'HTTP_FORWARDED', 'HTTP_FORWARDED_FOR', 'HTTP_INCAP_CLIENT_IP', 'HTTP_TRUE_CLIENT_IP', 'HTTP_X_CLIENTIP', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_X_IP_TRAIL', 'HTTP_X_REAL_IP', 'HTTP_X_VARNISH', 'REMOTE_ADDR' ); foreach ($ip_related_headers as $header) { if (isset($_SERVER[$header])) { $o[$header] = $_SERVER[$header]; } } return $o; } /* * process the brute call * * @param string $action 'check_ip', 'check_key', or 'failed_attempt' * @param array $info Any custom data to post to the api * @return array\|mixed * @throws Exception / public function brute_call($action = 'check_ip', $info = array()) { $ip = $this->brute_get_ip(); $transient_name = 'hmwp_brute_' . md5($ip); if(!$response = $this->get_transient($transient_name)){ $response = array(); } $attempts = (isset($response['attempts']) ? (int)$response['attempts'] : 0); if ($action == 'failed_attempt') { if ($this->check_whitelisted_ip($ip)) { $response['status'] = 'ok'; return $response; } $attempts = (int)$attempts + 1; if ($attempts >= HMWP_Classes_Tools::getOption('brute_max_attempts')) { $info['ip'] = $ip; $info['host'] = $this->brute_get_local_host(); $info['protocol'] = $this->brute_get_protocol(); $info['headers'] = json_encode($this->brute_get_headers()); $response = array_merge($response, $info); $response['attempts'] = $attempts; $response['status'] = 'blocked'; $this->set_transient($transient_name, $response, (int)HMWP_Classes_Tools::getOption('brute_max_timeout')); //Log the block IP on the server HMWP_Classes_ObjController::getClass('HMWP_Models_Log')->hmwp_log_actions('block_ip', array('ip' => $ip)); wp_redirect(home_url()); exit(); } else { $response['attempts'] = $attempts; $response['status'] = 'ok'; $this->set_transient($transient_name, $response, (int)HMWP_Classes_Tools::getOption('brute_max_timeout')); } } elseif ($action == 'check_ip') { $response['status'] = (isset($response['status']) ? $response['status'] : 'ok'); //Always block a banned IP if ($this->check_banned_ip($ip)) { $response['status'] = 'blocked'; } } elseif ($action == 'clear_ip') { $this->delete_transient($transient_name); } return $response; } /* * Save the transient with the blocked IP in database * * @param $transient * @param $value * @param $expiration * @return bool / public function set_transient($transient, $value, $expiration) { if (HMWP_Classes_Tools::isMultisites() && !is_main_site()) { switch_to_blog($this->get_main_blog_id()); $return = set_transient($transient, $value, $expiration); restore_current_blog(); return $return; } return set_transient($transient, $value, $expiration); } /* * Delete the transient from database * * @param $transient * @return bool / public function delete_transient($transient) { if (HMWP_Classes_Tools::isMultisites() && !is_main_site()) { switch_to_blog($this->get_main_blog_id()); $return = delete_transient($transient); restore_current_blog(); return $return; } return delete_transient($transient); } /* * Get the saved transient from database * * @param $transient * @return mixed / public function get_transient($transient) { if (HMWP_Classes_Tools::isMultisites() && !is_main_site()) { switch_to_blog($this->get_main_blog_id()); $return = get_transient($transient); restore_current_blog(); return $return; } return get_transient($transient); } /* * If we're in a multisite network, return the blog ID of the primary blog * * @return int / public function get_main_blog_id() { if (defined('BLOG_ID_CURRENT_SITE')) { return BLOG_ID_CURRENT_SITE; } return 1; } /* * Get all blocked IPs * * @return array / public function get_blocked_ips() { global $wpdb; $ips = array(); $pattern = '_transient_timeout_hmwp_brute_'; //check 20 keyword at one time $sql = $wpdb->prepare("SELECT `option_name` FROM `{$wpdb->options}` WHERE (`option_name` LIKE %s) ORDER BY `option_id` DESC", $pattern . '%'); if ($rows = $wpdb->get_results($sql)) { foreach ($rows as $row) { if (!$transient_value = $this->get_transient(str_replace($pattern, 'hmwp_brute_', $row->option_name))) { $this->delete_transient(str_replace($pattern, '', $row->option_name)); }elseif (isset($transient_value['status']) && $transient_value['status'] == 'blocked') { $ips[str_replace($pattern, 'hmwp_brute_', $row->option_name)] = $transient_value; } } } return $ips; } /* * Check if the IP address is already banned by the user * * @param $ip * @return bool / public function check_banned_ip($ip) { //Never block login from whitelisted IPs $banlist = HMWP_Classes_Tools::getOption('banlist_ip'); if($banlist <> '' && is_string($banlist)) { $bl_items = @json_decode($banlist, true); //add the hook for users to add IPs in the blacklist $bl_items = apply_filters('hmwp_blacklisted_ips', $bl_items); if (!empty($bl_items)) { foreach ($bl_items as $item) { $item = trim($item); if ($ip == $item) { return true; } if (strpos($item, '') === false) { //no match, no wildcard continue; } $iplong = ip2long($ip); $ip_low = ip2long(str_replace('', '0', $item)); $ip_high = ip2long(str_replace('', '255', $item)); if ($iplong >= $ip_low && $iplong <= $ip_high) {//IP is within wildcard range return true; } } } } return false; } /** * Delete the IP address from database * * @param $transient * @return void / public function delete_ip($transient) { $this->delete_transient($transient); } /* * Verifies that a user answered the math problem correctly while logging in. * * @param mixed $user * @param mixed $response * @return mixed $user Returns the user if the math is correct / public function brute_math_authenticate($user, $response) { $salt = HMWP_Classes_Tools::getOption('hmwp_disable') . get_site_option('admin_email'); $ans = (int)HMWP_Classes_Tools::getValue('brute_num', 0); $salted_ans = sha1($salt . $ans); $correct_ans = HMWP_Classes_Tools::getValue('brute_ck'); if ($correct_ans === false \|\| $salted_ans != $correct_ans) { $user = new WP_Error( 'authentication_failed', sprintf(esc_html__('%sYou failed to correctly answer the math problem.%s Please try again', 'hide-my-wp'), '<strong>', '</strong>') ); } return $user; } /* * Requires a user to solve a simple equation. Added to any WordPress login form. * * @return void outputs html / public function brute_math_form() { if (!HMWP_Classes_Tools::getOption('brute_use_math')) { return; } $salt = HMWP_Classes_Tools::getOption('hmwp_disable') . get_site_option('admin_email'); $num1 = rand(0, 10); $num2 = rand(1, 10); $sum = $num1 + $num2; $ans = sha1($salt . $sum); ?> <div style="margin: 5px 0 20px;"> <strong><?php echo esc_html__('Prove your humanity:', 'hide-my-wp') ?> </strong> <?php echo esc_attr($num1) ?>   +   <?php echo esc_attr($num2) ?>   =   <input type="input" name="brute_num" value="" size="2"/> <input type="hidden" name="brute_ck" value="<?php echo esc_attr($ans); ?>" id="brute_ck"/> </div> <?php } /*********************************************************************************/ / * Verifies the Google Captcha while logging in. * * @param mixed $user * @param mixed $response * @return mixed $user Returns the user if the math is correct * @throws WP_Error message if the math is wrong / public function brute_catpcha_authenticate($user, $response) { $error_message = false; if(HMWP_Classes_Tools::getOption('brute_use_captcha')) { $error_message = $this->brute_catpcha_call(); }elseif(HMWP_Classes_Tools::getOption('brute_use_captcha_v3')) { $error_message = $this->brute_catpcha_v3_call(); } if ($error_message) { $user = new WP_Error('authentication_failed', $error_message); } return $user; } /* * Call the reCaptcha V2 from Google / public function brute_catpcha_call() { $error_message = false; $error_codes = array( 'missing-input-secret' => esc_html__('The secret parameter is missing.', 'hide-my-wp'), 'invalid-input-secret' => esc_html__('The secret parameter is invalid or malformed.', 'hide-my-wp'), 'missing-input-response' => esc_html__('Empty ReCaptcha. Please complete reCaptcha.', 'hide-my-wp'), 'timeout-or-duplicate' => esc_html__('The response parameter is invalid or malformed.', 'hide-my-wp'), 'invalid-input-response' => esc_html__('The response parameter is invalid or malformed.', 'hide-my-wp') ); $captcha = HMWP_Classes_Tools::getValue('g-recaptcha-response', false); $secret = HMWP_Classes_Tools::getOption('brute_captcha_secret_key'); if ($secret <> '') { $response = json_decode(HMWP_Classes_Tools::hmwp_remote_get("https://www.google.com/recaptcha/api/siteverify?secret=$secret&response=" . $captcha . "&remoteip=" . $_SERVER['REMOTE_ADDR']), true); if (isset($response['success']) && !$response['success']) { //If captcha errors, let the user login and fix the error if (isset($response['error-codes']) && !empty($response['error-codes'])) { foreach ($response['error-codes'] as $error_code) { if(isset($error_codes[$error_code])){ $error_message = $error_codes[$error_code]; } } } if (!$error_message) { $error_message = sprintf(esc_html__('%sIncorrect ReCaptcha%s. Please try again', 'hide-my-wp'), '<strong>', '</strong>'); } } } return $error_message; } /* * reCAPTCHA head and login form / public function brute_recaptcha_head() { ?> <script src='https://www.google.com/recaptcha/api.js?hl=<?php echo(HMWP_Classes_Tools::getOption('brute_captcha_language') <> '' ? HMWP_Classes_Tools::getOption('brute_captcha_language') : get_locale()) ?>' async defer></script> <style>#login{min-width: 354px;}</style> <?php } /* * reCAPTCHA head and login form / public function brute_recaptcha_form() { if (HMWP_Classes_Tools::getOption('brute_captcha_site_key') <> '' && HMWP_Classes_Tools::getOption('brute_captcha_secret_key') <> '') { ?> <div class="g-recaptcha" data-sitekey="<?php echo HMWP_Classes_Tools::getOption('brute_captcha_site_key') ?>" data-theme="<?php echo HMWP_Classes_Tools::getOption('brute_captcha_theme') ?>" style="margin: 12px 0 24px 0;"></div> <?php } } /* * Call the reCaptcha V3 from Google / public function brute_catpcha_v3_call() { $error_message = false; if(!HMWP_Classes_Tools::getOption('brute_use_captcha_v3')) { return false; } $error_codes = array( 'missing-input-secret' => esc_html__('The secret parameter is missing.', 'hide-my-wp'), 'invalid-input-secret' => esc_html__('The secret parameter is invalid or malformed.', 'hide-my-wp'), 'missing-input-response' => esc_html__('Empty ReCaptcha. Please complete reCaptcha.', 'hide-my-wp'), 'invalid-input-response' => esc_html__('The response parameter is invalid or malformed.', 'hide-my-wp'), 'timeout-or-duplicate' => esc_html__('The response parameter is invalid or malformed.', 'hide-my-wp'), 'bad-request' => esc_html__('The response parameter is invalid or malformed.', 'hide-my-wp') ); $captcha = HMWP_Classes_Tools::getValue('g-recaptcha-response'); $secret = HMWP_Classes_Tools::getOption('brute_captcha_secret_key_v3'); if ($secret <> '') { $response = json_decode(HMWP_Classes_Tools::hmwp_remote_get("https://www.google.com/recaptcha/api/siteverify?secret=$secret&response=" . $captcha . "&remoteip=" . $_SERVER['REMOTE_ADDR']), true); if (isset($response['success']) && !$response['success']) { //If captcha errors, let the user login and fix the error if (isset($response['error-codes']) && !empty($response['error-codes'])) { foreach ($response['error-codes'] as $error_code) { if(isset($error_codes[$error_code])){ $error_message = $error_codes[$error_code]; } } } if (!$error_message) { $error_message = sprintf(esc_html__('%sIncorrect ReCaptcha%s. Please try again', 'hide-my-wp'), '<strong>', '</strong>'); } } } return $error_message; } /* * reCAPTCHA head and login form / public function brute_recaptcha_head_v3() { ?> <script src='https://www.google.com/recaptcha/api.js?render=<?php echo HMWP_Classes_Tools::getOption('brute_captcha_site_key_v3') ?>' async defer></script> <style>#login{min-width: 354px;}</style> <?php } /* * reCAPTCHA head and login form / public function brute_recaptcha_form_v3() { if(!HMWP_Classes_Tools::getOption('brute_use_captcha_v3')) { return; } if (HMWP_Classes_Tools::getOption('brute_captcha_site_key_v3') <> '' && HMWP_Classes_Tools::getOption('brute_captcha_secret_key_v3') <> '') { ?> <script> function reCaptchaSubmit(e) { var form = this; e.preventDefault(); grecaptcha.ready(function() { grecaptcha.execute('<?php echo HMWP_Classes_Tools::getOption('brute_captcha_site_key_v3') ?>', {action: 'submit'}).then(function(token) { var input = document.createElement("input"); input.type = "hidden"; input.name = "g-recaptcha-response" ; input.value = token ; form.appendChild(input); form.submit(); }); }); } if(document.getElementsByTagName("form").length > 0) { var x = document.getElementsByTagName("form"); for (var i = 0; i < x.length; i++) { x[i].addEventListener("submit", reCaptchaSubmit); } } </script> <?php } } /*********************************************************************************/ / * Show the error message on IP address banned * @return void */ public function brute_kill_login() { do_action('hmwp_kill_login', $this->brute_get_ip()); wp_ob_end_flush_all(); wp_die( HMWP_Classes_Tools::getOption('hmwp_brute_message'), esc_html__('Login Blocked by Hide My WordPress', 'hide-my-wp'), array('response' => 403) ); } }

| ver. 1.4 | Github | . | PHP 7.4.3-4ubuntu2.28 | Генерация страницы: 0.03 | proxy | phpinfo | Настройка