DooDigestAuth: PHP backend authorization management class (HTTP Digest authorization in the web browser, for a PHP site backend or webshell)
<?php
/**
 * DooDigestAuth class file.
 *
 * @author Leng Sheng Hong
 * @link http://www.doophp.com/
 * @copyright Copyright (c) 2009 Leng Sheng Hong
 * @license http://www.doophp.com/license
 */

/**
 * Handles HTTP Digest authentication.
 *
 * HTTP Digest authentication can be used with the URI router.
 * Digest is preferable to HTTP Basic auth, which sends the password in clear text (base64 only).
 * Digest sends an MD5 hash instead of the password, but it does not encrypt the request either,
 * so either scheme should only be used over HTTPS.
 *
 * If you are running PHP on Apache in CGI/FastCGI mode, the Authorization header is not passed
 * to PHP; add the following line to your .htaccess for Digest auth to work correctly:
 *   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
 *
 * This class is tested under Apache 2.2 and the Cherokee web server. It should work in both mod_php and CGI mode.
 *
 * @author Leng Sheng Hong
 * @version $Id: DooDigestAuth.php 2009-07-7 18:27:22
 * @package doo.auth
 * @since 1.0
 */
class DooDigestAuth {

    /**
     * Authenticate against a list of usernames and passwords.
     *
     * HTTP Digest authentication doesn't work with PHP in CGI mode unless you add this to your .htaccess:
     *   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
     *
     * @param string $realm    Name of the authentication session
     * @param array  $users    An assoc array of username => password: array('uname1' => 'pwd1', 'uname2' => 'pwd2')
     * @param string $fail_msg Message to be displayed if the user cancels the login
     * @param string $fail_url URL to redirect to if the user cancels the login
     * @return string The username if login succeeds (on failure the script terminates with a 401)
     */
    public static function http_auth($realm, $users, $fail_msg = NULL, $fail_url = NULL) {
        $realm = "Restricted area - $realm";

        // user => password
        // $users = array('admin' => '1234', 'guest' => 'guest');

        // In CGI/FastCGI mode the header arrives through the RewriteRule above as REDIRECT_HTTP_AUTHORIZATION.
        if (!empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && strpos($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 'Digest') === 0) {
            $_SERVER['PHP_AUTH_DIGEST'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
        }

        // No credentials yet: send the challenge.
        if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
            self::challenge($realm, $fail_msg, $fail_url);
        }

        // Parse the PHP_AUTH_DIGEST header and check that the user exists.
        if (!($data = self::http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || !isset($users[$data['username']])) {
            self::challenge($realm, $fail_msg, $fail_url);
        }

        // Generate the valid response (RFC 2617, qop=auth):
        //   HA1 = MD5(username:realm:password), HA2 = MD5(method:uri)
        //   response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
        // NOTE: the nonce was produced with uniqid() at challenge time but is never checked here,
        // so the server accepts whatever nonce/nc the client sends and a captured header can be replayed.
        $A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
        $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
        $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);

        // Constant-time comparison (PHP >= 5.6) so the check does not leak how many leading characters matched.
        if (!hash_equals($valid_response, $data['response'])) {
            self::challenge($realm, $fail_msg, $fail_url);
        }

        // OK, valid username & password
        return $data['username'];
    }

    /**
     * Send the 401 challenge with a fresh nonce and terminate the script.
     * The response body is only shown when the user cancels the browser's login dialog.
     */
    private static function challenge($realm, $fail_msg, $fail_url) {
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
        if ($fail_msg != NULL)
            die($fail_msg);
        if ($fail_url != NULL)
            die('<meta http-equiv="refresh" content="0; url=' . htmlspecialchars($fail_url, ENT_QUOTES) . '">');
        exit;
    }

    /**
     * Method to parse the HTTP auth header, works with IE.
     *
     * Internet Explorer returns qop="xxxxxxxxxxx" in the header instead of qop=xxxxxxxxxxx as most browsers do.
     *
     * @param string $txt header string to parse
     * @return array An assoc array of the Digest auth session (username is NULL if absent, other missing fields are '')
     */
    private static function http_digest_parse($txt) {
        $data = array();
        preg_match('/username="([^"]+)"/i', $txt, $match);
        $data['username'] = isset($match[1]) ? $match[1] : NULL;
        // \b keeps this pattern from matching the "nonce=" inside cnonce="..."
        preg_match('/\bnonce="([^"]+)"/i', $txt, $match);
        $data['nonce'] = isset($match[1]) ? $match[1] : '';
        // nc is an 8-digit hexadecimal counter, not a decimal number
        preg_match('/nc=([0-9a-f]+)/i', $txt, $match);
        $data['nc'] = isset($match[1]) ? $match[1] : '';
        preg_match('/cnonce="([^"]+)"/i', $txt, $match);
        $data['cnonce'] = isset($match[1]) ? $match[1] : '';
        preg_match('/qop=([^,]+)/i', $txt, $match);
        $data['qop'] = isset($match[1]) ? str_replace('"', '', $match[1]) : '';
        preg_match('/uri="([^"]+)"/i', $txt, $match);
        $data['uri'] = isset($match[1]) ? $match[1] : '';
        preg_match('/response="([^"]+)"/i', $txt, $match);
        $data['response'] = isset($match[1]) ? $match[1] : '';
        return $data;
    }

}
Call method (put this at the top of every backend script that must be protected; the realm name is just a label):
require_once(dirname(__FILE__) . '/DooDigestAuth.php');
// realm label (example) and the username => password table
$username = DooDigestAuth::http_auth('Backend', array('admin' => '123456789'));
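The class above computes the Digest response correctly but trusts the client for the two values that are supposed to stop replay: it never checks that the nonce was one it issued and still fresh, nor that the nc counter moves forward, and it compares the MD5 with `!=`. The following is an added example, not DooPHP's code, showing the same RFC 2617 math with those checks in place, a constant-time compare, and a user table that stores HA1 instead of the plaintext password. It assumes a server secret (SERVER_KEY, here a placeholder that must come from configuration), a 5-minute nonce lifetime, and an in-memory `$seen` table that a real deployment would keep in shared storage such as APCu, Redis or a database. The browser side is simulated in the same script so it runs offline from the PHP CLI.

```php
<?php
// Added example, not part of DooPHP/DooDigestAuth: a Digest verifier that rejects
// nonces it did not issue, expired nonces and replayed nc values, compares in
// constant time, and stores HA1 instead of the plaintext password.

const REALM      = 'Restricted area - Backend';
const SERVER_KEY = 'replace-with-a-random-32-byte-secret';  // assumption: loaded from config
const NONCE_TTL  = 300;                                      // assumption: 5-minute nonce lifetime

// Nonce = hex(issue time) ':' HMAC(issue time). The server can later verify that
// it issued the nonce and that it is still fresh without storing anything.
function make_nonce(int $now): string {
    $ts = dechex($now);
    return $ts . ':' . hash_hmac('sha256', $ts, SERVER_KEY);
}

function nonce_is_valid(string $nonce, int $now): bool {
    $parts = explode(':', $nonce, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0])) return false;
    if (!hash_equals(hash_hmac('sha256', $parts[0], SERVER_KEY), $parts[1])) return false;
    $issued = hexdec($parts[0]);
    return $issued <= $now && ($now - $issued) <= NONCE_TTL;
}

// Parse 'Digest k="v", k2=v2, ...' into an array; null if a required field is missing.
function parse_digest(string $header): ?array {
    if (strncasecmp($header, 'Digest ', 7) !== 0) return null;
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $m, PREG_SET_ORDER);
    $d = [];
    foreach ($m as $kv) $d[strtolower($kv[1])] = $kv[2] !== '' ? $kv[2] : ($kv[3] ?? '');
    foreach (['username', 'realm', 'nonce', 'uri', 'qop', 'nc', 'cnonce', 'response'] as $k)
        if (!isset($d[$k]) || $d[$k] === '') return null;
    return $d;
}

// Returns the username on success, null on any failure. $seen maps nonce => last accepted nc.
function verify_digest(string $header, string $method, array $users_ha1, int $now, array &$seen): ?string {
    $d = parse_digest($header);
    if ($d === null || $d['realm'] !== REALM || $d['qop'] !== 'auth') return null;
    if (!nonce_is_valid($d['nonce'], $now)) return null;                       // forged or expired nonce
    if (!ctype_xdigit($d['nc'])) return null;
    $nc = hexdec($d['nc']);
    if (isset($seen[$d['nonce']]) && $nc <= $seen[$d['nonce']]) return null;   // nc did not advance: replay
    if (!isset($users_ha1[$d['username']])) return null;
    $ha2 = md5($method . ':' . $d['uri']);
    $expected = md5($users_ha1[$d['username']] . ":{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:auth:$ha2");
    if (!hash_equals($expected, strtolower($d['response']))) return null;
    $seen[$d['nonce']] = $nc;   // record only after a successful check
    return $d['username'];
}

// Simulated browser side: computes the same response a client would send.
function client_header(string $user, string $pass, string $method, string $uri,
                       string $nonce, string $nc, string $cnonce): string {
    $ha1 = md5("$user:" . REALM . ":$pass");
    $ha2 = md5("$method:$uri");
    $response = md5("$ha1:$nonce:$nc:$cnonce:auth:$ha2");
    return sprintf('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, nc=%s, cnonce="%s", response="%s"',
                   $user, REALM, $nonce, $uri, $nc, $cnonce, $response);
}

// Constructed demo data: the user table holds HA1 = md5("user:realm:password"), never the password.
$users_ha1 = ['admin' => md5('admin:' . REALM . ':123456789')];
$seen  = [];
$now   = time();
$nonce = make_nonce($now);

$hdr = client_header('admin', '123456789', 'GET', '/admin/', $nonce, '00000001', bin2hex(random_bytes(8)));
var_dump(verify_digest($hdr, 'GET', $users_ha1, $now, $seen));                  // fresh nonce, first use
var_dump(verify_digest($hdr, 'GET', $users_ha1, $now, $seen));                  // same header again: replay
var_dump(verify_digest($hdr, 'GET', $users_ha1, $now + NONCE_TTL + 1, $seen));  // nonce past its TTL
$forged = client_header('admin', '123456789', 'GET', '/admin/', 'deadbeef', '00000002', 'abcd');
var_dump(verify_digest($forged, 'GET', $users_ha1, $now, $seen));               // nonce this server never issued
```

Two caveats remain even with these checks. The response is still an unsalted MD5 over a password the user chose, so anyone who can observe the exchange over plain HTTP can run an offline dictionary attack against it; the scheme gates the backend, it does not protect the password, so it belongs behind HTTPS. And Digest authentication does nothing to slow down guessing on its own: to actually resist backend brute force, pair it with per-IP or per-username failure counting and lockout or delay at the web server or application level.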
PHP web authorized login to protect the backend against brute force
Download Address: Http://files.cnblogs.com/files/func/DooDigestAuth.zip