  1. <?php
  2. /**
  3. * antibot.php
  4. *
* Script that protects PHP scripts from brute-force attacks.
* It sends a 404 error page when a new IP connects
* and forces the visitor to click a link to continue (a human response)
  8. *
  9. * Copyright (C) 2014 masterguru.net
  10. *
  11. * This program is free software; you can redistribute it and/or modify
  12. * it under the terms of the GNU General Public License as published by
  13. * the Free Software Foundation; either version 2 of the License, or
  14. * (at your option) any later version.
  15. *
  16. * This program is distributed in the hope that it will be useful,
  17. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  18. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  19. * GNU General Public License for more details.
  20. *
  21. * You should have received a copy of the GNU General Public License along
  22. * with this program; if not, write to the Free Software Foundation, Inc.,
  23. * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  24. *
  25. */
  26.  
  27. /**
  28. * Usage:
  29. * 1 - Copy this file in same folder as your login script
  30. * 2 - Add this line at top of your login script file:
  31.  
  32. include('antibot.php');
  33.  
* TIP: You can rename this script to any other name so that bots cannot
* probe for it by name. Be sure to change the include() file name in
* your login script if you do.
  37. *
  38. * Todo:
  39. * - In Apache add persistent IPs in .htaccess with deny to save more resources.
  40. */
  41.  
  42. /**
  43. * Configuration
  44. */
  45. $langcode = 'en'; // Default language. See Translations below
  46. $wl = '.ht_whitelist'; // whitelist file. Use .ht prefix in apache
  47.  
  48. /**
  49. * Translations
  50. */
  51. $langs = array(
  52. 'English' => 'en'
  53. );
  54.  
  55. /**
  56. * Vars needed automatically replaced:
  57. * lang_output
  58. * curpagename
  59. * query_string
  60. * actionname
  61. *
  62. */
  63.  
  64. $get_msg['en'] = '<meta charset="utf-8">
  65. <meta name="viewport" content="width=device-width, initial-scale=1">
  66. <link rel="stylesheet" href="https://bootswatch.com/4/litera/bootstrap.min.css">
  67. <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
  68. <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
  69. <center>
  70. <h1>WARNING! Are you human?</h1>
  71. {lang_output}
  72. <p>This is first time you try to access to this page from your current IP (connection).</p>
  73. <p>Press button to continue. You won\'t see again this warning from this IP.</p>
  74. <form method="POST" action="{curpagename}">
  75. <input type="hidden" name="query_string" value="{query_string}">
  76. <input type="hidden" name="actionname" value="{actionname}" />
  77. <input type="submit" class="btn btn-primary btn-md btn-block" value="Click here to continue"/>
  78. </form></center>';
  79.  
  80.  
  81.  
  82. /** DO NOT MODIFY UNDER THIS LINE **/
  83.  
  84. /* Selected language */
  85. if (isset($_POST['langcode'])) {
  86. $langcode = $_POST['langcode'];
  87. }
  88.  
  89. /* Get translations buttons */
  90. /*$lang_output = '';
  91. *foreach ($langs as $langname => $langcoded) {
  92. * $lang_output .= '<form method="POST" style="float:left;"><input type="hidden" name="langcode" value="' . $langcoded . '" /><input *type="submit" value="' . $langname . '"/></form>';
  93. *}
  94. $lang_output .= '<div style="clear:both"></div>';*/
  95.  
  96. /**
  97. * FUNCTIONS
  98. */
  99.  
  100. /**
  101. * Get html header
  102. */
  103. function _get_header()
  104. {
  105. $page_header = '
  106. <html>
  107. <head>
  108. <title>Antibot Protection</title>
  109. <meta charset="UTF-8" />
  110. </head>
  111. <body>
  112. ';
  113. return $page_header;
  114. }
  115.  
  116. /**
  117. * Get html footer
  118. */
  119. function _get_footer()
  120. {
  121. $page_footer = '
  122. <hr />
  123. <p style="font-size:80%">AntiBot by <a target="_blank" href="http://minify.cf">onEnabled</a></p>
  124. </body>
  125. </html>';
  126. return $page_footer;
  127. }
  128.  
  129. /**
  130. * Try to get current IP from current request
  131. */
  132. function getRealIP()
  133. {
  134. $client_ip = (!empty($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : ((!empty($_ENV['REMOTE_ADDR'])) ? $_ENV['REMOTE_ADDR'] : "unknown");
  135. if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
  136. $entries = mb_split('[, ]', $_SERVER['HTTP_X_FORWARDED_FOR']);
  137. reset($entries);
  138. while (list(, $entry) = each($entries)) {
  139. $entry = trim($entry);
  140. if (preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list)) { // http://www.faqs.org/rfcs/rfc1918.html
  141. $private_ip = array(
  142. '/^0\./',
  143. '/^127\.0\.0\.1/',
  144. '/^192\.168\..*/',
  145. '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/',
  146. '/^10\..*/'
  147. );
  148. $found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);
  149. if ($client_ip != $found_ip) {
  150. $client_ip = $found_ip;
  151. break;
  152. }
  153. }
  154. }
  155. }
  156. return $client_ip;
  157. }
  158.  
  159. /**
  160. * Get protected script name
  161. */
  162. function curPageName()
  163. {
  164. return substr($_SERVER["SCRIPT_NAME"], strrpos($_SERVER["SCRIPT_NAME"], "/") + 1);
  165. }
  166.  
  167. /**
  168. * Get url path of protected script name
  169. */
  170. function curPathURL()
  171. {
  172. $pageURL = 'http';
  173. if ($_SERVER["HTTPS"] == "on") {
  174. $pageURL .= "s";
  175. }
  176. $pageURL .= "://";
  177. if ($_SERVER["SERVER_PORT"] != "80") {
  178. $pageURL .= $_SERVER["SERVER_NAME"] . ":" . $_SERVER["SERVER_PORT"];
  179. } else {
  180. $pageURL .= $_SERVER["SERVER_NAME"];
  181. }
  182. $parts = explode('/', $_SERVER['REQUEST_URI']);
  183. for ($i = 0; $i < count($parts) - 1; $i++) {
  184. $pageURL .= $parts[$i] . "/";
  185. }
  186. return $pageURL;
  187. }
  188.  
  189. /**
  190. * Block access
  191. */
  192. function blocked($get_msg, $langcode, $lang_output, $actionname)
  193. {
  194. $data = array(
  195. 'lang_output' => $lang_output,
  196. 'curPageName' => curPageName(),
  197. 'actionname' => $actionname,
  198. 'query_string' => $_SERVER['QUERY_STRING']
  199. );
  200. $content = replace_vars($get_msg[$langcode], $data);
  201. header("HTTP/1.0 404 Not Found");
  202. die(_get_header() . $content . _get_footer());
  203. }
  204.  
  205. /**
  206. * Replace {vars} in translations
  207. */
  208. function replace_vars($buffer, $data)
  209. {
  210. /* replace declared var names */
  211. foreach ($data as $k => $v) {
  212. if (is_string($v) || is_numeric($v) || $v == NULL) {
  213. $buffer = preg_replace('/\{' . strtolower($k) . '\}/', $v, $buffer);
  214. }
  215. }
  216. return $buffer;
  217. }
  218.  
  219. /** END FUNCTIONS ****/
  220.  
  221. /**
  222. * Vars
  223. */
  224. $requester_IP = getRealIP(); // current requester IP
  225. $wl_filename = dirname(__FILE__) . '/' . $wl; // set full path whitelist file
  226.  
  227. /* Create/Open session */
  228. session_start();
  229.  
  230. /* Check actionname */
  231. if (isset($_SESSION['actionname']) AND isset($_POST['actionname'])) {
  232.  
  233. if ($_SESSION['actionname'] == $_POST['actionname']) {
  234.  
  235. /* Add IP to whitelist */
  236. $fh = fopen($wl_filename, 'a');
  237. fwrite($fh, $requester_IP . "\n");
  238. fclose($fh);
  239.  
  240. /* Destroy current session */
  241. $_SESSION = array(); // destroys sesion parameters
  242. $_COOKIE = array(); // destroys cookies parameters
  243. session_destroy();
  244.  
  245. /* Redirects to protected script */
  246. if (!empty($_POST['query_string'])) {
  247. header('Location: ' . curPathURL() . curPageName() . '?' . $_POST['query_string']);
  248. } else {
  249. header('Location: ' . curPathURL() . curPageName());
  250. }
  251. die();
  252.  
  253. } else {
  254.  
  255. /* Get current actionname session */
  256. $actionname = $_SESSION['actionname'];
  257.  
  258. }
  259.  
  260. } else {
  261.  
  262. /* Create new actionname session */
  263. $actionname = '.ht_' . uniqid();
  264. $_SESSION['actionname'] = $actionname;
  265.  
  266. }
  267.  
  268. /* Check whitelist */
  269. if (is_file($wl_filename)) {
  270. $whitelist = file($wl_filename, FILE_IGNORE_NEW_LINES);
  271.  
  272. /* is IP in whitelist? */
  273. if (!in_array($requester_IP, $whitelist)) {
  274. blocked($get_msg, $langcode, $lang_output, $actionname);
  275. }
  276.  
  277. } else {
  278.  
  279. /* Empty whitelist */
  280. blocked($get_msg, $langcode, $lang_output, $actionname);
  281.  
  282. }
  283. // Lets continue loading protected script
  284. ?>