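def request_post(self, post):
    """Handle a panel login POST: captcha, password, then an optional TOTP step.

    Args:
        post: request object. ``post.username`` is the MD5 of the user name
            (it is compared with ``md5(stored username)``), ``post.password``
            is the clear-text password, ``post.code`` (captcha) and
            ``post.vcode`` (TOTP code) are optional.

    Returns:
        ``(json, json_header)`` for every rejection, the string ``"1"`` when the
        password was accepted but a second factor is still required, or the
        value of ``self._set_login_session`` when the login is complete.
    """
    import hmac

    if not hasattr(post, 'username') or not hasattr(post, 'password'):
        return public.returnJson(False, 'LOGIN_USER_EMPTY'), json_header
    self.error_num(False)
    if self.limit_address('?') < 1:
        return public.returnJson(False, 'LOGIN_ERR_LIMIT'), json_header

    def _credential_rejected():
        # One failure path for unknown user, wrong password and unexpected
        # errors: identical log entry, limiter step and response, so the
        # client cannot tell the cases apart.
        public.WriteLog('TYPE_LOGIN', 'LOGIN_ERR_PASS', ('****', '******', public.GetClientIp()))
        num = self.limit_address('+')
        return public.returnJson(False, 'LOGIN_USER_ERR', (str(num),)), json_header

    post.username = post.username.strip()
    public.chdck_salt()
    sql = db.Sql()
    user_list = sql.table('users').field('id,username,password,salt').select()
    userInfo = None
    for u_info in user_list:
        # The client sends md5(username); the last matching row wins.
        if public.md5(u_info['username']) == post.username:
            userInfo = u_info

    # A captcha is demanded while the session asks for one and the password
    # has not yet been verified in this session.
    if 'code' in session:
        if session['code'] and 'is_verify_password' not in session:
            if not hasattr(post, 'code'):
                return public.returnJson(False, 'Verification code can not be empty!'), json_header
            if not public.checkCode(post.code):
                public.WriteLog('TYPE_LOGIN', 'LOGIN_ERR_CODE', ('****', '****', public.GetClientIp()))
                return public.returnJson(False, 'CODE_ERR'), json_header

    try:
        if userInfo is None:
            # Previously this reached userInfo['salt'], raised TypeError and was
            # routed through the generic handler below; same outcome, explicit.
            return _credential_rejected()
        if not userInfo['salt']:
            public.chdck_salt()
            userInfo = sql.table('users').where('id=?', (userInfo['id'],)).field('id,username,password,salt').find()
        # NOTE(review): MD5(password + salt) is a fast hash; the stored format
        # belongs to the database schema, so it is not changed here.
        password = public.md5(post.password.strip() + userInfo['salt'])
        # compare_digest keeps the hash comparison constant-time.
        if public.md5(userInfo['username']) != post.username or not hmac.compare_digest(str(userInfo['password']), str(password)):
            return _credential_rejected()
        _key_file = "/www/server/panel/data/two_step_auth.txt"
        # Login alert: sent as soon as the password is accepted, before the
        # TOTP step below has run.
        public.login_send_body("Userinfo", userInfo['username'], public.GetClientIp(), str(request.environ.get('REMOTE_PORT')))
        if hasattr(post, 'vcode'):
            if self.limit_address('?', v="vcode") < 1:
                return public.returnJson(False, 'You have failed verification many times, forbidden for 10 minutes'), json_header
            import pyotp
            secret_key = public.readFile(_key_file)
            if not secret_key:
                return public.returnJson(False, "Did not find the key, please close Google verification on the command line and trun on again"), json_header
            totp = pyotp.TOTP(secret_key)
            result = totp.verify(post.vcode)
            if not result and public.sync_date():
                # Retry once after a clock sync in case the code failed on skew.
                result = totp.verify(post.vcode)
            if not result:
                num = self.limit_address('++', v="vcode")
                return public.returnJson(False, 'Invalid Verification code. You have [{}] times left to try!'.format(num)), json_header
            now = int(time.time())
            # Records the client IP after a successful TOTP; presumably read by
            # check_two_step_auth() to exempt this IP later -- not visible here.
            public.writeFile("/www/server/panel/data/dont_vcode_ip.txt", json.dumps({"client_ip": public.GetClientIp(), "add_time": now}))
            self.limit_address('--', v="vcode")
            self.set_cdn_host(post)
            return self._set_login_session(userInfo)
        acc_client_ip = self.check_two_step_auth()
        if not os.path.exists(_key_file) or acc_client_ip:
            # No TOTP key configured, or this client is exempt: finish the login.
            self.set_cdn_host(post)
            return self._set_login_session(userInfo)
        # Password accepted, TOTP still pending: "1" tells the client to ask for it.
        self.limit_address('-')
        session['is_verify_password'] = True
        return "1"
    except Exception as ex:
        stringEx = str(ex)
        # NOTE(review): this substring heuristic treats any error mentioning
        # 'unsupported' or '-1' as a disk/inode problem (USER_INODE_ERR) and
        # deletes every session file and web log -- confirm that is intended.
        if 'unsupported' in stringEx or '-1' in stringEx:
            public.ExecShell("rm -f /tmp/sess_*")
            public.ExecShell("rm -f /www/wwwlogs/*log")
            public.ServiceReload()
            return public.returnJson(False, 'USER_INODE_ERR'), json_header
        return _credential_rejected()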
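def control_init():
    """Run once at panel start-up.

    Applies SQLite schema migrations (new tables and columns), refreshes the
    ``/etc/init.d/bt`` init script from ``init.sh``, resets a few file
    permissions and then runs the housekeeping helpers defined elsewhere in
    this file.  Nothing is returned.
    """
    time.sleep(1)
    sql = db.Sql().dbfile('system')
    if not sql.table('sqlite_master').where('type=? AND name=?', ('table', 'load_average')).count():
        csql = '''CREATE TABLE IF NOT EXISTS `load_average` (
`id` INTEGER PRIMARY KEY AUTOINCREMENT,
`pro` REAL,
`one` REAL,
`five` REAL,
`fifteen` REAL,
`addtime` INTEGER
)'''
        sql.execute(csql, ())
    if not public.M('sqlite_master').where('type=? AND name=? AND sql LIKE ?', ('table', 'sites', '%type_id%')).count():
        public.M('sites').execute("alter TABLE sites add edate integer DEFAULT '0000-00-00'", ())
        public.M('sites').execute("alter TABLE sites add type_id integer DEFAULT 0", ())
    sql = db.Sql()
    if not sql.table('sqlite_master').where('type=? AND name=?', ('table', 'site_types')).count():
        csql = '''CREATE TABLE IF NOT EXISTS `site_types` (
`id` INTEGER PRIMARY KEY AUTOINCREMENT,
`name` REAL,
`ps` REAL
)'''
        sql.execute(csql, ())
    if not sql.table('sqlite_master').where('type=? AND name=?', ('table', 'download_token')).count():
        csql = '''CREATE TABLE IF NOT EXISTS `download_token` (
`id` INTEGER PRIMARY KEY AUTOINCREMENT,
`token` REAL,
`filename` REAL,
`total` INTEGER DEFAULT 0,
`expire` INTEGER,
`password` REAL,
`ps` REAL,
`addtime` INTEGER
)'''
        sql.execute(csql, ())
    if not sql.table('sqlite_master').where('type=? AND name=?', ('table', 'messages')).count():
        csql = '''CREATE TABLE IF NOT EXISTS `messages` (
`id` INTEGER PRIMARY KEY AUTOINCREMENT,
`level` TEXT,
`msg` TEXT,
`state` INTEGER DEFAULT 0,
`expire` INTEGER,
`addtime` INTEGER
)'''
        sql.execute(csql, ())
    if not public.M('sqlite_master').where('type=? AND name=? AND sql LIKE ?', ('table', 'logs', '%username%')).count():
        public.M('logs').execute("alter TABLE logs add uid integer DEFAULT '1'", ())
        public.M('logs').execute("alter TABLE logs add username TEXT DEFAULT 'system'", ())
    if not public.M('sqlite_master').where('type=? AND name=? AND sql LIKE ?', ('table', 'crontab', '%status%')).count():
        public.M('crontab').execute("ALTER TABLE 'crontab' ADD 'status' INTEGER DEFAULT 1", ())
        public.M('crontab').execute("ALTER TABLE 'crontab' ADD 'save' INTEGER DEFAULT 3", ())
        public.M('crontab').execute("ALTER TABLE 'crontab' ADD 'backupTo' TEXT DEFAULT off", ())
        public.M('crontab').execute("ALTER TABLE 'crontab' ADD 'sName' TEXT", ())
        public.M('crontab').execute("ALTER TABLE 'crontab' ADD 'sBody' TEXT", ())
        public.M('crontab').execute("ALTER TABLE 'crontab' ADD 'sType' TEXT", ())
        public.M('crontab').execute("ALTER TABLE 'crontab' ADD 'urladdress' TEXT", ())
    public.M('users').where('email=? or email=?', ('*****@*****.**', '*****@*****.**')).setField('email', '*****@*****.**')
    if not public.M('sqlite_master').where('type=? AND name=? AND sql LIKE ?', ('table', 'users', '%salt%')).count():
        public.M('users').execute("ALTER TABLE 'users' ADD 'salt' TEXT", ())
        public.chdck_salt()
    filename = '/www/server/nginx/off'
    if os.path.exists(filename):
        os.remove(filename)
    # Byte-encoded command; decodes to "chattr -i /www/server/panel/class/*"
    # (clears the immutable attribute on the class directory).
    c = public.to_string([
        99, 104, 97, 116, 116, 114, 32, 45, 105, 32, 47, 119, 119, 119, 47, 115,
        101, 114, 118, 101, 114, 47, 112, 97, 110, 101, 108, 47, 99, 108, 97, 115,
        115, 47, 42
    ])
    try:
        init_file = '/etc/init.d/bt'
        src_file = '/www/server/panel/init.sh'
        # NOTE(review): public.md5 is applied to the path strings here, while
        # elsewhere it hashes plain strings; if it does not hash file contents
        # the two values always differ and the copy runs every start -- confirm.
        md51 = public.md5(init_file)
        md52 = public.md5(src_file)
        if md51 != md52:
            import shutil
            shutil.copyfile(src_file, init_file)
            if os.path.getsize(init_file) < 10:
                # Copy came out (near) empty, likely an immutable target:
                # clear the attribute and copy again with the shell.
                public.ExecShell("chattr -i " + init_file)
                # "\\cp" yields the same command text as the old "\cp" without
                # Python's invalid-escape warning.
                public.ExecShell("\\cp -arf %s %s" % (src_file, init_file))
            public.ExecShell("chmod +x %s" % init_file)
    except Exception:
        # Best effort: a failed init-script refresh must not abort start-up.
        pass
    public.writeFile('/var/bt_setupPath.conf', '/www')
    public.ExecShell(c)
    # Relative to the process working directory, as in the original.
    p_file = 'class/plugin2.so'
    if os.path.exists(p_file):
        public.ExecShell("rm -f class/*.so")
    # public.ExecShell("chmod -R 600 /www/server/panel/data;chmod -R 600 /www/server/panel/config;chmod -R 700 /www/server/cron;chmod -R 600 /www/server/cron/*.log;chown -R root:root /www/server/panel/data;chown -R root:root /www/server/panel/config;chown -R www:www /www/server/phpmyadmin;chmod -R 700 /www/server/phpmyadmin")
    if os.path.exists("/www/server/mysql"):
        public.ExecShell("chown mysql:mysql /etc/my.cnf;chmod 600 /etc/my.cnf")
    stop_path = '/www/server/stop'
    if not os.path.exists(stop_path):
        os.makedirs(stop_path)
    public.ExecShell("chown -R root:root {path};chmod -R 755 {path}".format(path=stop_path))
    public.ExecShell('chmod 755 /www;chmod 755 /www/server')
    #disable_putenv('putenv')
    clean_session()
    #set_crond()
    clean_max_log('/www/server/panel/plugin/rsync/lsyncd.log')
    clean_max_log('/var/log/rsyncd.log', 1024 * 1024 * 10)
    clean_max_log('/root/.pm2/pm2.log', 1024 * 1024 * 20)
    remove_tty1()
    clean_hook_log()
    run_new()
    clean_max_log('/www/server/cron', 1024 * 1024 * 5, 20)
    #check_firewall()
    check_dnsapi()
    clean_php_log()
    #update_py37()
    files_set_mode()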
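def request_post(self, post):
    """Handle a panel login POST: captcha, password, then an optional TOTP step.

    Args:
        post: request object. ``post.username`` is the MD5 of the user name
            (it is compared with ``md5(stored username)``), ``post.password``
            is the clear-text password, ``post.code`` (captcha) and
            ``post.vcode`` (TOTP code) are optional.

    Returns:
        ``(json, json_header)`` for every rejection, the string ``"1"`` when the
        password was accepted but a second factor is still required, or the
        value of ``self._set_login_session`` when the login is complete.
    """
    import hmac

    if not hasattr(post, 'username') or not hasattr(post, 'password'):
        return public.returnJson(False, 'LOGIN_USER_EMPTY'), json_header
    self.error_num(False)
    if self.limit_address('?') < 1:
        return public.returnJson(False, 'LOGIN_ERR_LIMIT'), json_header

    def _credential_rejected():
        # One failure path for unknown user, wrong password and unexpected
        # errors: identical log entry, limiter step and response, so the
        # client cannot tell the cases apart.
        public.WriteLog('TYPE_LOGIN', 'LOGIN_ERR_PASS', ('****', '******', public.GetClientIp()))
        num = self.limit_address('+')
        return public.returnJson(False, 'LOGIN_USER_ERR', (str(num),)), json_header

    post.username = post.username.strip()
    sql = db.Sql()
    user_list = sql.table('users').field('id,username,password,salt').select()
    userInfo = None
    for u_info in user_list:
        # The client sends md5(username); the last matching row wins.
        if public.md5(u_info['username']) == post.username:
            userInfo = u_info

    # A captcha is demanded while the session asks for one and the password
    # has not yet been verified in this session.
    if 'code' in session:
        if session['code'] and 'is_verify_password' not in session:
            if not hasattr(post, 'code'):
                return public.returnJson(False, '验证码不能为空!'), json_header
            if not public.checkCode(post.code):
                public.WriteLog('TYPE_LOGIN', 'LOGIN_ERR_CODE', ('****', '****', public.GetClientIp()))
                return public.returnJson(False, 'CODE_ERR'), json_header

    try:
        if userInfo is None:
            # Previously this reached userInfo['salt'], raised TypeError and was
            # routed through the generic handler below; same outcome, explicit.
            return _credential_rejected()
        if not userInfo['salt']:
            public.chdck_salt()
            userInfo = sql.table('users').where('id=?', (userInfo['id'],)).field('id,username,password,salt').find()
        # NOTE(review): MD5(password + salt) is a fast hash; the stored format
        # belongs to the database schema, so it is not changed here.
        password = public.md5(post.password.strip() + userInfo['salt'])
        # compare_digest keeps the hash comparison constant-time.
        if public.md5(userInfo['username']) != post.username or not hmac.compare_digest(str(userInfo['password']), str(password)):
            return _credential_rejected()
        _key_file = "/www/server/panel/data/two_step_auth.txt"
        if hasattr(post, 'vcode'):
            if self.limit_address('?', v="vcode") < 1:
                return public.returnJson(False, '您多次验证失败,禁止10分钟'), json_header
            import pyotp
            secret_key = public.readFile(_key_file)
            if not secret_key:
                return public.returnJson(False, "没有找到key,请尝试在命令行关闭谷歌验证后在开启"), json_header
            totp = pyotp.TOTP(secret_key)
            result = totp.verify(post.vcode)
            if not result and public.sync_date():
                # Retry once after a clock sync in case the code failed on skew.
                result = totp.verify(post.vcode)
            if not result:
                num = self.limit_address('++', v="vcode")
                return public.returnJson(False, '验证失败,您还可以尝试[{}]次!'.format(num)), json_header
            now = int(time.time())
            # Records the client IP after a successful TOTP; presumably read by
            # check_two_step_auth() to exempt this IP later -- not visible here.
            public.writeFile("/www/server/panel/data/dont_vcode_ip.txt", json.dumps({"client_ip": public.GetClientIp(), "add_time": now}))
            self.limit_address('--', v="vcode")
            self.set_cdn_host(post)
            return self._set_login_session(userInfo)
        acc_client_ip = self.check_two_step_auth()
        if not os.path.exists(_key_file) or acc_client_ip:
            # No TOTP key configured, or this client is exempt: finish the login.
            self.set_cdn_host(post)
            return self._set_login_session(userInfo)
        # Password accepted, TOTP still pending: "1" tells the client to ask for it.
        self.limit_address('-')
        session['is_verify_password'] = True
        return "1"
    except Exception as ex:
        stringEx = str(ex)
        # NOTE(review): this substring heuristic treats any error mentioning
        # 'unsupported' or '-1' as a disk/inode problem (USER_INODE_ERR) and
        # deletes every session file and web log via the shell -- confirm
        # that is intended.
        if 'unsupported' in stringEx or '-1' in stringEx:
            os.system("rm -f /tmp/sess_*")
            os.system("rm -f /www/wwwlogs/*log")
            public.ServiceReload()
            return public.returnJson(False, 'USER_INODE_ERR'), json_header
        return _credential_rejected()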