 def _set_login_session(self, userInfo):
     """Mark the current session as logged in for *userInfo*.

     Meant to run after credential checks have passed: sets the session
     flags, logs the success, clears the per-address failure limiter and
     cached counters, records the login time and rotates the request/login
     tokens.

     Args:
         userInfo: mapping with at least ``'username'`` and ``'id'``.

     Returns:
         ``(json_body, json_header)``: LOGIN_SUCCESS normally; USER_INODE_ERR
         when the failure text looks like a broken session store; otherwise
         LOGIN_USER_ERR carrying the remaining attempt count.
     """
     try:
         session['login'] = True
         session['username'] = userInfo['username']
         session['uid'] = userInfo['id']
         public.WriteLog('TYPE_LOGIN', 'LOGIN_SUCCESS',
                         (userInfo['username'], public.GetClientIp()))
         # '-' clears the failed-attempt counter for this client address.
         self.limit_address('-')
         cache.delete('panelNum')
         cache.delete('dologin')
         # Epoch seconds of the most recent login.
         sess_input_path = 'data/session_last.pl'
         public.writeFile(sess_input_path, str(int(time.time())))
         self.set_request_token()
         self.login_token()
         return public.returnJson(True, 'LOGIN_SUCCESS'), json_header
     except Exception as ex:
         stringEx = str(ex)
         # Heuristic: 'unsupported' or '-1' in the message is taken to mean the
         # session store is unusable, so session files and web logs are wiped
         # and the service reloaded before reporting USER_INODE_ERR.
         if stringEx.find('unsupported') != -1 or stringEx.find('-1') != -1:
             os.system("rm -f /tmp/sess_*")
             os.system("rm -f /www/wwwlogs/*log")
             public.ServiceReload()
             return public.returnJson(False, 'USER_INODE_ERR'), json_header
         # NOTE(review): any other failure is logged as a password error and
         # counted against the limiter, although the credentials were not the
         # cause on this path; the audit log is misleading here.
         public.WriteLog('TYPE_LOGIN', 'LOGIN_ERR_PASS',
                         ('****', '******', public.GetClientIp()))
         num = self.limit_address('+')
         return public.returnJson(False, 'LOGIN_USER_ERR',
                                  (str(num), )), json_header
 def request_temp(self, get):
     """Log in with a one-time temporary token (``get.tmp_token``).

     The token is checked against a single unused, unexpired ``temp_login``
     row; on success the session is marked as a temporary login for one
     hour and the row is marked used. Failed attempts are counted per client
     IP through ``public.set_error_num``.

     Args:
         get: request object exposing ``tmp_token`` as an attribute.

     Returns:
         A redirect to ``/`` on success, otherwise a ``public.getMsg`` text:
         INIT_ARGS_ERR (malformed token), AUTH_FAILED (too many failures),
         VERIFICATION_FAILED (no match), LOGIN_FAIL (any exception).
     """
     try:
         # Shape check before touching the database: exactly 48 word
         # characters (``\w`` is Unicode-aware for str patterns).
         if not hasattr(get, 'tmp_token'):
             return public.getMsg('INIT_ARGS_ERR')
         if len(get.tmp_token) != 48: return public.getMsg('INIT_ARGS_ERR')
         if not re.match(r"^\w+$", get.tmp_token):
             return public.getMsg('INIT_ARGS_ERR')
         # Per-IP failure budget; 10 is presumably the allowed count — confirm.
         skey = public.GetClientIp() + '_temp_login'
         if not public.get_error_num(skey, 10):
             return public.getMsg('AUTH_FAILED')
         s_time = int(time.time())
         # state=0 means not yet used. NOTE(review): the query does not filter
         # by token, so whichever single row find() returns is the only one
         # the submitted token is compared against — confirm intended.
         data = public.M('temp_login').where(
             'state=? and expire>?',
             (0, s_time)).field('id,token,salt,expire').find()
         if not data:
             public.set_error_num(skey)
             return public.getMsg('VERIFICATION_FAILED')
         if not isinstance(data, dict):
             public.set_error_num(skey)
             return public.getMsg('VERIFICATION_FAILED')
         # Stored token is md5(raw_token + salt); plain '!=' comparison.
         r_token = public.md5(get.tmp_token + data['salt'])
         if r_token != data['token']:
             public.set_error_num(skey)
             return public.getMsg('VERIFICATION_FAILED')
         # Second argument True presumably resets the failure counter — confirm.
         public.set_error_num(skey, True)
         # Single account row (id=1); its name is only used for the log line.
         userInfo = public.M('users').where(
             "id=?", (1, )).field('id,username').find()
         session['login'] = True
         session['username'] = public.getMsg('TEMPORARY_ID', (data['id'], ))
         session['tmp_login'] = True
         session['tmp_login_id'] = str(data['id'])
         # Temporary logins expire one hour after creation.
         session['tmp_login_expire'] = time.time() + 3600
         session['uid'] = data['id']
         sess_path = 'data/session'
         if not os.path.exists(sess_path):
             # 384 == 0o600: owner read/write only.
             os.makedirs(sess_path, 384)
         public.writeFile(sess_path + '/' + str(data['id']), '')
         login_addr = public.GetClientIp() + ":" + str(
             request.environ.get('REMOTE_PORT'))
         public.WriteLog('TYPE_LOGIN', 'LOGIN_SUCCESS',
                         (userInfo['username'], login_addr))
         # Mark the row consumed (state=1) with when and from where.
         public.M('temp_login').where('id=?', (data['id'], )).update({
             "login_time":
             s_time,
             'state':
             1,
             'login_addr':
             login_addr
         })
         # '-' clears the failed-attempt counter for this client address.
         self.limit_address('-')
         cache.delete('panelNum')
         cache.delete('dologin')
         # Epoch seconds of the most recent login.
         sess_input_path = 'data/session_last.pl'
         public.writeFile(sess_input_path, str(int(time.time())))
         self.set_request_token()
         self.login_token()
         self.set_cdn_host(get)
         return redirect('/')
     except:
         # Bare except: any error, including programming errors, is reported
         # as a generic login failure with no log entry.
         return public.getMsg('LOGIN_FAIL')
    def request_post(self,post):
        """Handle a password login POST, optionally followed by a TOTP step.

        Flow: require username/password, enforce the per-IP attempt limit,
        check the captcha when one was demanded, compare credentials with
        the single account row (id=1), then either finish the login or ask
        for a two-step code when ``two_step_auth.txt`` exists and this IP has
        no recent code success.

        Args:
            post: request object exposing submitted fields as attributes
                (``username``, ``password``, optionally ``code`` and ``vcode``).

        Returns:
            ``(json_body, json_header)`` for every outcome except the
            two-step prompt, where the bare string ``"1"`` is returned.
        """
        if not hasattr(post, 'username') or not hasattr(post, 'password'):
            return public.returnJson(False,'LOGIN_USER_EMPTY'),json_header
        
        self.error_num(False)
        # '?' only reads the remaining attempt budget for this client address.
        if self.limit_address('?') < 1: return public.returnJson(False,'LOGIN_ERR_LIMIT'),json_header
        
        post.username = post.username.strip();
        password = public.md5(post.password.strip());
        sql = db.Sql();
        userInfo = sql.table('users').where("id=?",(1,)).field('id,username,password').find()
        # Unused; kept as in the original.
        m_code = cache.get('codeStr')
        # A captcha is demanded once an earlier failure set session['code'];
        # it is skipped for the second request of a two-step login, which
        # carries 'is_verify_password' in the session.
        if 'code' in session:
            if session['code'] and not 'is_verify_password' in session:
                if not hasattr(post, 'code'): return public.returnJson(False,'验证码不能为空!'),json_header
                if not public.checkCode(post.code):
                    public.WriteLog('TYPE_LOGIN','LOGIN_ERR_CODE',('****','****',public.GetClientIp()));
                    return public.returnJson(False,'CODE_ERR'),json_header
        try:
            # Equality requires the submitted value to be md5(stored + '_bt.cn');
            # both sides are hashed once more before comparing.
            s_pass = public.md5(public.md5(userInfo['password'] + '_bt.cn'))
            if userInfo['username'] != post.username or s_pass != password:
                public.WriteLog('TYPE_LOGIN','LOGIN_ERR_PASS',('****','******',public.GetClientIp()));
                num = self.limit_address('+');
                return public.returnJson(False,'LOGIN_USER_ERR',(str(num),)),json_header
            # Presence of this file enables the TOTP second step.
            _key_file = "/www/server/panel/data/two_step_auth.txt"
            if hasattr(post,'vcode'):
                # Code attempts use their own limiter bucket (v="vcode").
                if self.limit_address('?',v="vcode") < 1: return public.returnJson(False,'您多次验证失败,禁止10分钟'),json_header
                import pyotp
                secret_key = public.readFile(_key_file)
                if not secret_key:
                    return public.returnJson(False, "没有找到key,请尝试在命令行关闭谷歌验证后在开启"),json_header
                t = pyotp.TOTP(secret_key)
                result = t.verify(post.vcode)
                if not result:
                    # Retry once after public.sync_date(), presumably a clock
                    # re-sync since TOTP depends on wall-clock time — confirm.
                    if public.sync_date(): result = t.verify(post.vcode)
                    if not result:
                        num = self.limit_address('++',v="vcode")
                        return public.returnJson(False, '验证失败,您还可以尝试[{}]次!'.format(num)), json_header
                now = int(time.time())
                # Remember this client IP and time so check_two_step_auth can
                # skip the code on later logins (the window is decided there).
                public.writeFile("/www/server/panel/data/dont_vcode_ip.txt",json.dumps({"client_ip":public.GetClientIp(),"add_time":now}))
                self.limit_address('--',v="vcode")
                return self._set_login_session(userInfo)

            acc_client_ip = self.check_two_step_auth()

            # No 2FA key configured, or this IP recently passed the code:
            # finish the login now.
            if not os.path.exists(_key_file) or acc_client_ip:
                return self._set_login_session(userInfo)
            # Password accepted, code still pending: clear the password limiter
            # and flag the session so the captcha is not demanded again.
            # NOTE(review): the flag is set here and not cleared in this method.
            self.limit_address('-')
            session['is_verify_password'] = True
            return "1"
        except Exception as ex:
            stringEx = str(ex)
            # Heuristic for a broken session store: wipe session files and web
            # logs, reload the service, report USER_INODE_ERR.
            if stringEx.find('unsupported') != -1 or stringEx.find('-1') != -1: 
                os.system("rm -f /tmp/sess_*")
                os.system("rm -f /www/wwwlogs/*log")
                public.ServiceReload()
                return public.returnJson(False,'USER_INODE_ERR'),json_header
            # Any other exception is reported and counted as a bad password.
            public.WriteLog('TYPE_LOGIN','LOGIN_ERR_PASS',('****','******',public.GetClientIp()));
            num = self.limit_address('+');
            return public.returnJson(False,'LOGIN_USER_ERR',(str(num),)),json_header
    def set_login(self, get):
        """Complete a WeChat scan-code login using the one-shot ``login.pl`` file.

        If the cache already flags this session id as confirmed, defers to
        ``check_app_login``. Otherwise reads ``<app_path>login.pl``
        (``secret_key:init_time``), deletes it, and logs the user in when the
        file is under 60 seconds old and ``get['secret_key']`` matches.

        Args:
            get: request object; ``get['secret_key']`` is read by key.

        Returns:
            ``public.returnMsg`` payload: 'login successful' or 'Login failed'.
        """
        session_id = public.get_session_id()
        if cache.get(session_id) == 'True':
            return self.check_app_login(get)

        if os.path.exists(self.app_path + "login.pl"):
            data = public.readFile(self.app_path + 'login.pl')
            # One-shot file: removed (via shell) before its contents are checked.
            public.ExecShell('rm ' + self.app_path + "login.pl")
            # Raises ValueError, unhandled here, unless the file holds exactly one ':'.
            secret_key, init_time = data.split(':')
            # 60-second freshness window; plain '==' comparison of the key.
            if time.time() - float(init_time) < 60 and get[
                    'secret_key'] == secret_key:
                sql = db.Sql()
                # Single account row (id=1).
                userInfo = sql.table('users').where(
                    "id=?", (1, )).field('id,username,password').find()
                session['login'] = True
                session['username'] = userInfo['username']
                cache.delete('panelNum')
                cache.delete('dologin')
                public.WriteLog(
                    'TYPE_LOGIN', 'LOGIN_SUCCESS',
                    ('WeChat scan code login', public.GetClientIp() + ":" +
                     str(request.environ.get('REMOTE_PORT'))))
                # Marker written with 'True' below; its readers are outside this method.
                login_type = 'data/app_login.pl'
                self.set_request_token()
                import config
                config.config().reload_session()
                public.writeFile(login_type, 'True')
                # Presumably a login notification to the bound app — confirm.
                public.login_send_body("Wechat program", userInfo['username'],
                                       public.GetClientIp(),
                                       str(request.environ.get('REMOTE_PORT')))
                return public.returnMsg(True, 'login successful')
        return public.returnMsg(False, 'Login failed')
 def _set_login_session(self, userInfo):
     """Mark the session as logged in for *userInfo* and bind it to this client.

     Meant to run after the credentials have been verified. Besides the login
     flags it stores an md5 of the User-Agent header and an absolute session
     timeout, clears the per-address failure limiter and cached counters,
     rotates the request/login tokens and removes the app-login marker file.

     Args:
         userInfo: mapping with at least ``'username'`` and ``'id'``.

     Returns:
         ``(json_body, json_header)``: LOGIN_SUCCESS normally; USER_INODE_ERR
         when the failure text looks like a broken session store; otherwise
         LOGIN_USER_ERR carrying the remaining attempt count.
     """
     try:
         session['login'] = True
         session['username'] = userInfo['username']
         session['uid'] = userInfo['id']
         # Fingerprint of the client's User-Agent; presumably re-checked on
         # later requests to detect a reused session cookie — confirm.
         session['login_user_agent'] = public.md5(
             request.headers.get('User-Agent', ''))
         public.WriteLog('TYPE_LOGIN', 'LOGIN_SUCCESS',
                         (userInfo['username'], public.GetClientIp() + ":" +
                          str(request.environ.get('REMOTE_PORT'))))
         # '-' clears the failed-attempt counter for this client address.
         self.limit_address('-')
         cache.delete('panelNum')
         cache.delete('dologin')
         # Absolute expiry (epoch seconds) of this login.
         session['session_timeout'] = time.time(
         ) + public.get_session_timeout()
         self.set_request_token()
         self.login_token()
         # Remove the app-login marker, if present, on a password login.
         login_type = 'data/app_login.pl'
         if os.path.exists(login_type):
             os.remove(login_type)
         return public.returnJson(True, 'LOGIN_SUCCESS'), json_header
     except Exception as ex:
         stringEx = str(ex)
         # Heuristic: 'unsupported' or '-1' in the message is taken to mean the
         # session store is unusable, so session files and web logs are wiped
         # and the service reloaded before reporting USER_INODE_ERR.
         if stringEx.find('unsupported') != -1 or stringEx.find('-1') != -1:
             public.ExecShell("rm -f /tmp/sess_*")
             public.ExecShell("rm -f /www/wwwlogs/*log")
             public.ServiceReload()
             return public.returnJson(False, 'USER_INODE_ERR'), json_header
         # NOTE(review): any other failure is logged as a password error and
         # counted against the limiter, although the credentials were not the
         # cause on this path; the audit log is misleading here.
         public.WriteLog('TYPE_LOGIN', 'LOGIN_ERR_PASS',
                         ('****', '******', public.GetClientIp()))
         num = self.limit_address('+')
         return public.returnJson(False, 'LOGIN_USER_ERR',
                                  (str(num), )), json_header
 def check_app_login(self, get):
     """Complete an app scan-code login via the one-shot ``app_login_check.pl`` file.

     Requires an enabled API with at least one bound app in
     ``config/api.json``. The file holds ``secret_key:init_time``; the login
     proceeds only when both the current session id and the key are 64
     characters long, the file is at most 60 seconds old and the two match.

     Args:
         get: unused here.

     Returns:
         ``public.returnMsg`` payload: a 'Waiting …' message while the scan
         is pending or a check fails, 'Unbound…'/'API is not turned on' when
         not configured, 'Login failed 2' on any exception, or success.
     """
     # Check whether an app binding exists.
     # NOTE(review): readFile's result goes straight into json.loads outside
     # the try; if it returns a non-string for a missing file, this raises.
     btapp_info = json.loads(
         public.readFile('/www/server/panel/config/api.json'))
     if not btapp_info: return public.returnMsg(False, 'Unbound')
     if not btapp_info['open']:
         return public.returnMsg(False, 'API is not turned on')
     if not 'apps' in btapp_info:
         return public.returnMsg(False, 'Unbound phone')
     if not btapp_info['apps']:
         return public.returnMsg(False, 'Unbound phone')
     try:
         session_id = public.get_session_id()
         if not os.path.exists(self.app_path + 'app_login_check.pl'):
             return public.returnMsg(False,
                                     'Waiting for APP scan code login 1')
         data = public.readFile(self.app_path + 'app_login_check.pl')
         # One-shot file: removed (via shell) before its contents are checked.
         public.ExecShell('rm ' + self.app_path + "app_login_check.pl")
         secret_key, init_time = data.split(':')
         # The numeric suffixes only tell which check failed.
         if len(session_id) != 64:
             return public.returnMsg(False,
                                     'Waiting for APP scan code login 2')
         if len(secret_key) != 64:
             return public.returnMsg(False,
                                     'Waiting for APP scan code login 2')
         # 60-second freshness window.
         if time.time() - float(init_time) > 60:
             return public.returnMsg(False,
                                     'Waiting for APP scan code login')
         # Plain '!=' compare of the key against the current session id.
         if session_id != secret_key:
             return public.returnMsg(False,
                                     'Waiting for APP scan code login')
         cache.delete(session_id)
         # Single account row (id=1).
         userInfo = public.M('users').where(
             "id=?", (1, )).field('id,username').find()
         session['login'] = True
         session['username'] = userInfo['username']
         session['tmp_login'] = True
         public.WriteLog(
             'TYPE_LOGIN',
             'APP scan code login, account: {}, login IP: {}'.format(
                 userInfo['username'],
                 public.GetClientIp() + ":" +
                 str(request.environ.get('REMOTE_PORT'))))
         cache.delete('panelNum')
         cache.delete('dologin')
         # Absolute expiry (epoch seconds) of this login.
         session['session_timeout'] = time.time(
         ) + public.get_session_timeout()
         login_type = 'data/app_login.pl'
         self.set_request_token()
         import config
         config.config().reload_session()
         # Marker that this session came through the app flow; its readers
         # are outside this method.
         public.writeFile(login_type, 'True')
         # Presumably a login notification to the bound app — confirm.
         public.login_send_body("aaPanel Mobile", userInfo['username'],
                                public.GetClientIp(),
                                str(request.environ.get('REMOTE_PORT')))
         return public.returnMsg(True, 'login successful!')
     except:
         # Bare except: any error is reported as a generic failure, unlogged.
         return public.returnMsg(False, 'Login failed 2')
    def request_get(self, get):
        """Prepare the login page, or return an error page when access is refused.

        Two gates run first: an optional bound domain in ``data/domain.conf``
        (the request Host must match it, case-insensitively) and an optional
        comma-separated IP allow-list in ``data/limitip.conf``. Either failure
        returns an inline HTML error page. An already logged-in session is
        redirected to ``/``.

        Args:
            get: request object; not read here.

        Returns:
            The HTML error string, a redirect, or ``None`` after the session
            has been prepared for the login form.
        """
        #if os.path.exists('/www/server/panel/install.pl'): raise redirect('/install');
        if not 'title' in session: session['title'] = public.getMsg('NAME')
        domain = public.readFile('data/domain.conf')

        # Host-header binding: any other Host gets the domain error page.
        if domain:
            if (public.GetHost().lower() != domain.strip().lower()):

                errorStr = '''
<meta charset="utf-8">
<title>%s</title>
</head><body>
<h1>%s</h1>
    <p>%s</p>
    <p>%s</p>
    <p>%s</p>
<hr>
<address>%s 6.x <a href="http://www.bt.cn/bbs" target="_blank">%s</a></address>
</body></html>
    ''' % (public.getMsg('PAGE_ERR_TITLE'),
                public.getMsg('PAGE_ERR_DOMAIN_H1'),
                public.getMsg('PAGE_ERR_DOMAIN_P1'),
                public.getMsg('PAGE_ERR_DOMAIN_P2'),
                public.getMsg('PAGE_ERR_DOMAIN_P3'), public.getMsg('NAME'),
                public.getMsg('PAGE_ERR_HELP'))
                return errorStr
        # IP allow-list: comma-separated addresses; anything else is refused.
        if os.path.exists('data/limitip.conf'):
            iplist = public.readFile('data/limitip.conf')
            if iplist:
                iplist = iplist.strip()
                if not public.GetClientIp() in iplist.split(','):
                    # NOTE(review): the client IP is interpolated into the
                    # PAGE_ERR_IP_P1 message and then into HTML; whether it is
                    # escaped depends on getMsg, not visible here — confirm.
                    errorStr = '''
<meta charset="utf-8">
<title>%s</title>
</head><body>
<h1>%s</h1>
    <p>%s</p>
    <p>%s</p>
    <p>%s</p>
<hr>
<address>%s 6.x <a href="http://www.bt.cn/bbs" target="_blank">%s</a></address>
</body></html>
''' % (public.getMsg('PAGE_ERR_TITLE'), public.getMsg('PAGE_ERR_IP_H1'),
                    public.getMsg('PAGE_ERR_IP_P1', (public.GetClientIp(), )),
                    public.getMsg('PAGE_ERR_IP_P2'), public.getMsg('PAGE_ERR_IP_P3'),
                    public.getMsg('NAME'), public.getMsg('PAGE_ERR_HELP'))
                    return errorStr

        # Unused handle; kept as in the original.
        sql = db.Sql()

        if 'login' in session:
            if session['login'] == True:
                return redirect('/')

        # Captcha stays off until a failed attempt turns it on.
        if not 'code' in session:
            session['code'] = False
        self.error_num(False)
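    def request_post(self, post):
        """Handle a password login POST.

        Requires both ``username`` and ``password``; enforces the per-address
        attempt limit; checks the captcha when one was demanded by an earlier
        failure; compares the credentials with the single account row
        (id=1); on success marks the session logged in and resets counters.

        Args:
            post: request object exposing submitted fields as attributes
                (``username``, ``password`` and, when a captcha is active,
                ``code``).

        Returns:
            ``(json_body, json_header)`` with one of LOGIN_USER_EMPTY,
            LOGIN_ERR_LIMIT, CODE_ERR, LOGIN_USER_ERR (with the remaining
            attempts), USER_INODE_ERR or LOGIN_SUCCESS.
        """
        # Both fields are dereferenced below, so both must be present; the
        # former 'or' guard let a request carrying only 'code' reach an
        # AttributeError outside the try block.
        if not (hasattr(post, 'username') and hasattr(post, 'password')):
            return public.returnJson(False, 'LOGIN_USER_EMPTY'), json_header

        self.error_num(False)
        # '?' only reads the remaining attempt budget for this client address.
        if self.limit_address('?') < 1:
            return public.returnJson(False, 'LOGIN_ERR_LIMIT'), json_header

        post.username = post.username.strip()
        password = public.md5(post.password.strip())
        sql = db.Sql()
        # Single account row (id=1).
        userInfo = sql.table('users').where(
            "id=?", (1, )).field('id,username,password').find()
        # A captcha is demanded once an earlier failure set session['code'].
        # A missing code is treated like a wrong one instead of raising.
        if 'code' in session and session['code']:
            if not hasattr(post, 'code') or not public.checkCode(post.code):
                public.WriteLog('TYPE_LOGIN', 'LOGIN_ERR_CODE',
                                ('****', '****', public.GetClientIp()))
                return public.returnJson(False, 'CODE_ERR'), json_header
        try:
            # Equality requires the submitted value to be md5(stored + '_bt.cn');
            # both sides are hashed once more before comparing.
            s_pass = public.md5(public.md5(userInfo['password'] + '_bt.cn'))
            if userInfo['username'] != post.username or s_pass != password:
                public.WriteLog('TYPE_LOGIN', 'LOGIN_ERR_PASS',
                                ('****', '******', public.GetClientIp()))
                num = self.limit_address('+')
                return public.returnJson(False, 'LOGIN_USER_ERR',
                                         (str(num), )), json_header

            session['login'] = True
            session['username'] = userInfo['username']
            public.WriteLog('TYPE_LOGIN', 'LOGIN_SUCCESS',
                            (userInfo['username'], public.GetClientIp()))
            # '-' clears the failed-attempt counter for this client address.
            self.limit_address('-')
            cache.delete('panelNum')
            cache.delete('dologin')
            # Epoch seconds of the most recent login.
            sess_input_path = 'data/session_last.pl'
            public.writeFile(sess_input_path, str(int(time.time())))
            self.set_request_token()
            self.login_token()
            return public.returnJson(True, 'LOGIN_SUCCESS'), json_header
        except Exception as ex:
            stringEx = str(ex)
            # Heuristic: 'unsupported' or '-1' in the message is taken to mean
            # the session store is unusable; session files and web logs are
            # wiped and the service reloaded before reporting USER_INODE_ERR.
            if stringEx.find('unsupported') != -1 or stringEx.find('-1') != -1:
                os.system("rm -f /tmp/sess_*")
                os.system("rm -f /www/wwwlogs/*log")
                public.ServiceReload()
                return public.returnJson(False, 'USER_INODE_ERR'), json_header
            # Any other exception is reported and counted as a bad password.
            public.WriteLog('TYPE_LOGIN', 'LOGIN_ERR_PASS',
                            ('****', '******', public.GetClientIp()))
            num = self.limit_address('+')
            return public.returnJson(False, 'LOGIN_USER_ERR',
                                     (str(num), )), json_header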
    def request_get(self, get):
        """Prepare the login page, or return an error page when access is refused.

        Two gates run first: an optional bound domain in ``data/domain.conf``
        (the request Host must match it, case-insensitively) and an optional
        comma-separated IP allow-list in ``data/limitip.conf``. Either failure
        renders ``error2.html`` from the active template. An already
        logged-in session is redirected to ``/``.

        Args:
            get: request object; not read here.

        Returns:
            The filled error template, a redirect, or ``None`` after the
            session has been prepared for the login form.
        """
        if 'title' not in session:
            session['title'] = public.getMsg('NAME')

        def _error_page(*messages):
            # error2.html uses positional placeholders; if it references an
            # index beyond what is supplied, the raw template is returned.
            template_dir = './BTPanel/templates/' + public.GetConfigValue('template')
            page = public.ReadFile(template_dir + '/error2.html')
            try:
                page = page.format(*messages)
            except IndexError:
                pass
            return page

        bound_domain = public.readFile('data/domain.conf')
        if bound_domain and public.GetHost().lower() != bound_domain.strip().lower():
            return _error_page(
                public.getMsg('PAGE_ERR_TITLE'),
                public.getMsg('PAGE_ERR_DOMAIN_H1'),
                public.getMsg('PAGE_ERR_DOMAIN_P1'),
                public.getMsg('PAGE_ERR_DOMAIN_P2'),
                public.getMsg('PAGE_ERR_DOMAIN_P3'),
                public.getMsg('NAME'),
                public.getMsg('PAGE_ERR_HELP'))

        if os.path.exists('data/limitip.conf'):
            allow_list = public.readFile('data/limitip.conf')
            if allow_list:
                allow_list = allow_list.strip()
                if public.GetClientIp() not in allow_list.split(','):
                    return _error_page(
                        public.getMsg('PAGE_ERR_TITLE'),
                        public.getMsg('PAGE_ERR_IP_H1'),
                        public.getMsg('PAGE_ERR_IP_P1', (public.GetClientIp(), )),
                        public.getMsg('PAGE_ERR_IP_P2'),
                        public.getMsg('PAGE_ERR_IP_P3'),
                        public.getMsg('NAME'),
                        public.getMsg('PAGE_ERR_HELP'))

        # The DB handle is instantiated but never used; kept for parity.
        db.Sql()

        # '== True' rather than 'is True' keeps accepting any value that
        # compares equal to True, as before.
        if session.get('login') == True:
            return redirect('/')

        # Captcha stays off until a failed attempt turns it on.
        session.setdefault('code', False)
        self.error_num(False)
    def request_tmp(self,get):
        """Log in with a short-lived token issued through ``config/api.json``.

        ``get.tmp_token`` must be exactly 64 word characters and equal the
        stored ``tmp_token`` issued within the last 120 seconds. On success
        the token is consumed (both keys removed from api.json) and the
        session is marked as a temporary login.

        Args:
            get: request object exposing ``tmp_token`` as an attribute.

        Returns:
            A redirect to ``/`` on success, else ``(json_body, json_header)``
            carrying a Chinese error message.
        """
        try:
            # Shape check before reading the config: 64 word characters.
            if not hasattr(get,'tmp_token'): return public.returnJson(False,'错误的参数!'),json_header
            if len(get.tmp_token) != 64: return public.returnJson(False,'错误的参数!'),json_header
            if not re.match(r"^\w+$",get.tmp_token):return public.returnJson(False,'错误的参数!'),json_header

            save_path = '/www/server/panel/config/api.json'
            data = json.loads(public.ReadFile(save_path))
            if not 'tmp_token' in data or not 'tmp_time' in data: return public.returnJson(False,'验证失败!'),json_header
            # 120-second validity window.
            if (time.time() - data['tmp_time']) > 120: return public.returnJson(False,'过期的Token'),json_header
            # Plain '!=' comparison of the token.
            if get.tmp_token != data['tmp_token']: return public.returnJson(False,'错误的Token'),json_header
            # Single account row (id=1).
            userInfo = public.M('users').where("id=?",(1,)).field('id,username').find()
            session['login'] = True
            session['username'] = userInfo['username']
            session['tmp_login'] = True
            public.WriteLog('TYPE_LOGIN','LOGIN_SUCCESS',(userInfo['username'],public.GetClientIp()+ ":" + str(request.environ.get('REMOTE_PORT'))))
            # '-' clears the failed-attempt counter for this client address.
            self.limit_address('-')
            cache.delete('panelNum')
            cache.delete('dologin')
            # Epoch seconds of the most recent login.
            sess_input_path = 'data/session_last.pl'
            public.writeFile(sess_input_path,str(int(time.time())))
            # Consume the token so it cannot be presented again.
            del(data['tmp_token'])
            del(data['tmp_time'])
            public.writeFile(save_path,json.dumps(data))
            self.set_request_token()
            self.login_token()
            self.set_cdn_host(get)
            return redirect('/')
        except:
            # Bare except. NOTE(review): the response embeds
            # public.get_error_info(), which presumably carries exception
            # details — confirm what it exposes to the client.
            return public.returnJson(False,'登录失败,' + public.get_error_info()),json_header
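 def _check(self, get):
     """Authorise a call to this module's public entry point.

     Args:
         get: request object; fields are read both as attributes
             (``hasattr``) and by key (``get['fun']``, ``get['uid']``,
             ``get['sgin']``, ``get['panel_token']``).

     Returns:
         ``True`` when the call may proceed; ``False`` when ``get['fun']``
         names an attribute of ``SelfModule``; otherwise a
         ``public.returnMsg`` payload saying why the call was refused
         (QRCORE_EXPIRE, SK_NOT_INCORRECT or UNAUTHORIZED).
     """
     # One-shot pairing token 'password:expiration_time', with a fallback path.
     token_data = public.readFile(self.app_path + 'token.pl')
     if not token_data:
         token_data = public.readFile(self.app_path_p + 'token.pl')
     fun = get['fun']
     if hasattr(SelfModule, fun):
         return False
     if fun in ['set_login', 'is_scan_ok', 'login_qrcode']:
         # Login bootstrap calls carry no credentials yet.
         return True
     if fun == 'blind':
         if not token_data:
             return public.returnMsg(False, 'QRCORE_EXPIRE', ("1", ))
         password, expiration_time = token_data.replace('\n', '').split(':')
         # Pairing tokens are valid for eight minutes.
         if time.time() - int(expiration_time) > 8 * 60:
             return public.returnMsg(False, 'QRCORE_EXPIRE', ("2", ))
         # Plain '!=' compare of the pairing secret.
         if get['panel_token'] != password:
             return public.returnMsg(False, 'SK_NOT_INCORRECT')
         return True

     # Every other function needs a signature from a known uid and must
     # originate from the single hard-coded source address below.
     has_signed_fields = (hasattr(get, 'uid') and hasattr(get, 'sgin')
                          and hasattr(get, 'fun')
                          and get['uid'] in self.user_info.keys())
     if not has_signed_fields:
         # The former code fell through to the signature compare with
         # encryption_str unbound (UnboundLocalError); refuse explicitly.
         return public.returnMsg(False, 'UNAUTHORIZED')
     encryption_str = self.user_info[get['uid']]['token'] + fun + get['uid']
     if sys.version_info[0] == 3 and isinstance(encryption_str, str):
         encryption_str = encryption_str.encode()
     expected_sign = public.md5(
         binascii.hexlify(base64.b64encode(encryption_str)))
     if get['sgin'] == expected_sign and public.GetClientIp() in ['47.52.194.186']:
         return True
     return public.returnMsg(False, 'UNAUTHORIZED')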
 def request_tmp(self,get):
     """Log in with a short-lived token issued through ``config/api.json``.

     ``get.tmp_token`` must equal the stored ``tmp_token`` issued within the
     last 120 seconds. On success the token is consumed (both keys removed
     from api.json) and the session is marked as a temporary login.

     Args:
         get: request object exposing ``tmp_token`` as an attribute.

     Returns:
         A redirect to ``/`` on success, else ``(json_body, json_header)``
         with INIT_ARGS_ERR, VERIFICATION_FAILED, EXPIRED_TOKEN,
         INIT_TOKEN_ERR or a 'Login failed' text.
     """
     try:
         # Only presence is checked; no length or character-set check before
         # the comparison below.
         if not hasattr(get,'tmp_token'): return public.returnJson(False,'INIT_ARGS_ERR'),json_header
         save_path = '/www/server/panel/config/api.json'
         data = json.loads(public.ReadFile(save_path))
         if not 'tmp_token' in data or not 'tmp_time' in data: return public.returnJson(False,'VERIFICATION_FAILED'),json_header
         # 120-second validity window.
         if (time.time() - data['tmp_time']) > 120: return public.returnJson(False,'EXPIRED_TOKEN'),json_header
         # Plain '!=' comparison of the token.
         if get.tmp_token != data['tmp_token']: return public.returnJson(False,'INIT_TOKEN_ERR'),json_header
         # Single account row (id=1).
         userInfo = public.M('users').where("id=?",(1,)).field('id,username').find()
         session['login'] = True
         session['username'] = userInfo['username']
         session['tmp_login'] = True
         public.WriteLog('TYPE_LOGIN','LOGIN_SUCCESS',(userInfo['username'],public.GetClientIp()))
         # '-' clears the failed-attempt counter for this client address.
         self.limit_address('-')
         cache.delete('panelNum')
         cache.delete('dologin')
         # Epoch seconds of the most recent login.
         sess_input_path = 'data/session_last.pl'
         public.writeFile(sess_input_path,str(int(time.time())))
         # Consume the token so it cannot be presented again.
         del(data['tmp_token'])
         del(data['tmp_time'])
         public.writeFile(save_path,json.dumps(data))
         self.set_request_token()
         self.login_token()
         self.set_cdn_host(get)
         return redirect('/')
     except:
         # Bare except. NOTE(review): the response embeds
         # public.get_error_info(), which presumably carries exception
         # details — confirm what it exposes to the client.
         return public.returnJson(False,'Login failed,' + public.get_error_info()),json_header
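def panel_public():
    """Public (pre-login) entry point for the app-login and plugin API routes.

    ``get.fun`` selects the target. The five app/WeChat login functions are
    dispatched to ``wxapp.wxapp`` after its ``_check`` passes; everything
    else goes to ``panelPlugin.panelPlugin.a`` after a ``_check`` action.

    Returns:
        ``(json_body, json_header)``; when a check fails, the check's own
        payload is serialised and returned instead of the function result.
        The QR-code endpoints return the bare string ``'False'`` when a
        custom admin path is configured and the session has not passed it.
    """
    get = get_input()
    get.client_ip = public.GetClientIp()

    if get.fun in ['scan_login', 'login_qrcode', 'set_login', 'is_scan_ok', 'blind']:
        # Check whether the security entrance has been passed. The module
        # globals are only read here, so no 'global' declaration is needed.
        if get.fun in ['login_qrcode', 'is_scan_ok']:
            if admin_path != '/bt' and os.path.exists(admin_path_file) and 'admin_auth' not in session:
                return 'False'
        import wxapp
        pluwx = wxapp.wxapp()
        checks = pluwx._check(get)
        if not isinstance(checks, bool) or not checks:
            return public.getJson(checks), json_header
        # get.fun is limited to the allow-list above, so an attribute lookup
        # replaces the former eval() of a request-supplied string.
        data = public.getJson(getattr(pluwx, get.fun)(get))
        return data, json_header

    import panelPlugin
    plu = panelPlugin.panelPlugin()
    # The plugin's '_check' action authorises the call before the real one runs.
    get.s = '_check'

    checks = plu.a(get)
    if not isinstance(checks, bool) or not checks:
        return public.getJson(checks), json_header
    get.s = get.fun
    comm.setSession()
    comm.init()
    comm.checkWebType()
    comm.GetOS()
    result = plu.a(get)
    return public.getJson(result), json_header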
 def checkLimitIp(self):
     """Redirect to /login when data/limitip.conf exists and excludes the client IP.

     Returns:
         A redirect response when the client address is missing from the
         comma-separated allow-list; ``None`` when no list is configured,
         the file is empty, or the address is listed.
     """
     conf_path = 'data/limitip.conf'
     if not os.path.exists(conf_path):
         return None
     allow_list = public.ReadFile(conf_path)
     if not allow_list:
         return None
     allow_list = allow_list.strip()
     if public.GetClientIp() not in allow_list.split(','):
         return redirect('/login')
     return None
def check_run():
    """Check whether the local MySQL port is reachable from the client's address.

    Reads the port from /etc/my.cnf, confirms something is listening on it
    (``lsof``), then probes it with ``public.check_port_stat``.

    Returns:
        tuple ``(status, msg)``: ``(True, ...)`` when MySQL is not installed,
        not listening, or ``check_port_stat`` reports 0 ('Risk-free');
        ``(False, warning)`` for any other probe result.

    Example:
        status, msg = check_run()
        if status:
            print('OK')
        else:
            print('Warning: {}'.format(msg))
    """
    mycnf_file = '/etc/my.cnf'
    not_installed = (True, 'MySQL is not installed')
    if not os.path.exists(mycnf_file):
        return not_installed
    # The regex restricts the port to digits before it reaches the shell below.
    ports = re.findall(r"port\s*=\s*(\d+)", public.readFile(mycnf_file))
    if not ports:
        return not_installed
    port = ports[0]
    if not public.ExecShell("lsof -i :{}".format(port))[0]:
        return not_installed
    if public.check_port_stat(int(port), public.GetClientIp()) == 0:
        return True, 'Risk-free'

    return False, 'The current MySQL port: {}, which can be accessed by any server, which may cause MySQL to be cracked by brute force, posing security risks'.format(port)
 def check_app_login(self, get):
     """Finish an app scan-code login once the cache flags this session id.

     The flag ``cache[session_id] == 'True'`` is presumably set by the app
     side after the scan is confirmed — confirm; until then the caller keeps
     polling and receives the wait message.

     Args:
         get: unused here.

     Returns:
         ``public.returnMsg`` payload: the wait message while the flag is
         absent, otherwise success after the session is logged in.
     """
     session_id = public.get_session_id()
     if cache.get(session_id) != 'True':
         return public.returnMsg(
             False, 'Wait for the app to scan the code and log in')
     # One-shot: the flag is consumed so the same confirmation is not reused.
     cache.delete(session_id)
     # Single account row (id=1).
     userInfo = public.M('users').where("id=?",
                                        (1, )).field('id,username').find()
     session['login'] = True
     session['username'] = userInfo['username']
     session['tmp_login'] = True
     public.WriteLog(
         'TYPE_LOGIN',
         'APP scan code login, account: {}, login IP: {}'.format(
             userInfo['username'],
             public.GetClientIp() + ":" +
             str(request.environ.get('REMOTE_PORT'))))
     cache.delete('panelNum')
     cache.delete('dologin')
     # Epoch seconds of the most recent login.
     sess_input_path = 'data/session_last.pl'
     public.writeFile(sess_input_path, str(int(time.time())))
     # Marker that this session came through the app flow; its readers are
     # outside this method.
     login_type = 'data/app_login.pl'
     self.set_request_token()
     import config
     config.config().reload_session()
     public.writeFile(login_type, 'True')
     return public.returnMsg(True, 'login successful!')
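def panel_public():
    """Public (pre-login) entry point for the app-login and plugin API routes.

    ``get.fun`` selects the target. The five app/WeChat login functions are
    dispatched to ``wxapp.wxapp`` after its ``_check`` passes; everything
    else goes to ``panelPlugin.panelPlugin.a`` after a ``_check`` action.

    Returns:
        ``(json_body, json_header)``; when a check fails, the check's own
        payload is serialised and returned instead of the function result.
    """
    get = get_input()
    get.client_ip = public.GetClientIp()
    app_login_funcs = [
        'scan_login', 'login_qrcode', 'set_login', 'is_scan_ok', 'blind'
    ]
    if get.fun in app_login_funcs:
        import wxapp
        pluwx = wxapp.wxapp()
        checks = pluwx._check(get)
        if not isinstance(checks, bool) or not checks:
            return public.getJson(checks), json_header
        # get.fun is limited to the allow-list above, so an attribute lookup
        # replaces the former eval() of a request-supplied string.
        data = public.getJson(getattr(pluwx, get.fun)(get))
        return data, json_header

    import panelPlugin
    plu = panelPlugin.panelPlugin()
    # The plugin's '_check' action authorises the call before the real one runs.
    get.s = '_check'

    checks = plu.a(get)
    if not isinstance(checks, bool) or not checks:
        return public.getJson(checks), json_header
    get.s = get.fun
    comm.setSession()
    comm.init()
    comm.checkWebType()
    comm.GetOS()
    result = plu.a(get)
    return public.getJson(result), json_header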
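    def limit_address(self, type):
        """Track failed-login attempts for the current client address.

        Each address gets ``limit`` (6) attempts within a cache window of
        ``outTime`` (600 s); an unknown address is seeded with a count of 1.

        Args:
            type: ``'+'`` records a failure and turns the captcha on
                (``session['code']``); ``'-'`` clears the counter and the
                captcha flag; any other value only queries.

        Returns:
            Remaining attempts: ``limit - (count + 1)`` after a ``'+'``, ``1``
            after a ``'-'``, ``limit - count`` for a query, and ``limit``
            when the cache or session raised.
        """
        clientIp = public.GetClientIp()
        numKey = 'limitIpNum_' + clientIp
        limit = 6
        outTime = 600
        try:
            # Initialise: a fresh address starts at 1 and opens the window now.
            num1 = cache.get(numKey)
            if not num1:
                cache.set(numKey, 1, outTime)
                num1 = 1

            # Count a failure; the return value already reflects the increment.
            if type == '+':
                cache.inc(numKey, 1)
                self.error_num()
                session['code'] = True
                return limit - (num1 + 1)

            # Clear after a successful login.
            if type == '-':
                cache.delete(numKey)
                session['code'] = False
                return 1
            return limit - num1
        except Exception:
            # Best-effort: a failing cache must not block login, so report the
            # full budget (narrowed from a bare except so interrupts propagate).
            return limit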
    def get_sk(self):
        """Authenticate an API call against ``config/api.json``.

        Two modes, selected by the presence of ``client_bind_token``:

        * Plain API: requires ``request_token``/``request_time``, a client IP
          listed in ``api_config['limit_addr']``, and a per-IP failure budget.
        * Bound app: requires the bind token to be known (``/dev/shm`` marker
          or ``panelApi.get_app_find``), then AES-decrypts ``form_data`` with
          ``api_config['key']`` into ``g.form_data`` and re-reads the input.
          This branch does not consult ``limit_addr``.

        In both modes ``request_token`` must equal
        ``md5(request_time + api_config['token'])``.

        Returns:
            ``False`` when the request is authorised (note the inverted
            sense), a redirect to ``/login`` when prerequisites are missing,
            or a ``public.returnJson`` error payload.
        """
        save_path = '/www/server/panel/config/api.json'
        if not os.path.exists(save_path):
            return redirect('/login')
        try:
            api_config = json.loads(public.ReadFile(save_path))
        except:
            # An unparseable config is deleted rather than failing every request.
            os.remove(save_path)
            return redirect('/login')

        # A missing 'open' key raises KeyError here; not handled.
        if not api_config['open']:
            return redirect('/login')
        from BTPanel import get_input
        get = get_input()
        client_ip = public.GetClientIp()
        if not 'client_bind_token' in get:
            if not 'request_token' in get or not 'request_time' in get:
                return redirect('/login')

            # 20 is presumably the allowed failure count per IP — confirm.
            num_key = client_ip + '_api'
            if not public.get_error_num(num_key,20):
                return public.returnJson(False,'AUTH_FAILED1')


            if not client_ip in api_config['limit_addr']:
                public.set_error_num(num_key)
                return public.returnJson(False,'%s[' % public.GetMsg("AUTH_FAILED1")+client_ip+']')
        else:
            num_key = client_ip + '_app'
            if not public.get_error_num(num_key,20):
                return public.returnJson(False,'AUTH_FAILED1')
            # NOTE(review): the bind token is used verbatim as a path component
            # under /dev/shm with no validation here; a successful lookup is
            # cached as an empty file so later calls skip panelApi.
            a_file = '/dev/shm/' + get.client_bind_token
            if not os.path.exists(a_file):
                import panelApi
                if not panelApi.panelApi().get_app_find(get.client_bind_token):
                    public.set_error_num(num_key)
                    return public.returnJson(False,'UNBOUND_DEVICE')
                public.writeFile(a_file,'')

            if not 'key' in api_config:
                public.set_error_num(num_key)
                return public.returnJson(False, 'KEY_ERR')
            if not 'form_data' in get:
                public.set_error_num(num_key)
                return public.returnJson(False, 'FORM_DATA_ERR')

            # Decrypted form fields replace the request's own for this call.
            g.form_data = json.loads(public.aes_decrypt(get.form_data, api_config['key']))

            # Re-read so the decrypted fields are visible; presumably
            # get_input consults g.form_data — confirm.
            get = get_input()
            if not 'request_token' in get or not 'request_time' in get:
                return redirect('/login')
            g.is_aes = True
            g.aes_key = api_config['key']
        # Plain '==' token compare. NOTE(review): request_time is not checked
        # for freshness in this method. The True argument presumably resets
        # the failure budget — confirm.
        request_token = public.md5(get.request_time + api_config['token'])
        if get.request_token == request_token:
            public.set_error_num(num_key,True)
            return False
        public.set_error_num(num_key)
        return public.returnJson(False,'SECRET_KEY_CHECK_FALSE')
 def __write_args(self, args):
     """Snapshot the current request's GET and POST fields to ``self.__args_tmp`` as JSON.

     The ``args`` parameter is not read; the data comes from the Flask
     ``request``. The client IP is added to the POST section. Any previous
     snapshot is removed first and ``self.__clean_args_file()`` is run.
     """
     if os.path.exists(self.__args_tmp):
         os.remove(self.__args_tmp)
     self.__clean_args_file()
     payload = {
         'GET': request.args.to_dict(),
         'POST': request.form.to_dict(),
     }
     payload['POST']['client_ip'] = public.GetClientIp()
     public.writeFile(self.__args_tmp, json.dumps(payload))
 def check_two_step_auth(self):
     """Return True when this client IP has a two-step skip marker under 24 hours old.

     Reads ``/www/server/panel/data/dont_vcode_ip.txt`` (JSON with
     ``client_ip`` and ``add_time``). The marker is written elsewhere,
     presumably after a successful code check — confirm. An absent or empty
     file yields False.
     """
     marker = public.readFile("/www/server/panel/data/dont_vcode_ip.txt")
     if not marker:
         return False
     record = json.loads(marker)
     same_ip = record["client_ip"] == public.GetClientIp()
     age = int(time.time()) - int(record["add_time"])
     # 86400 s == 24 h skip window.
     return same_ip and age < 86400
def panel_yield():
    """Stream a plugin-produced file to the client as an attachment.

    The plugin is first asked to run its ``_check`` hook with the current
    client IP attached to the request object; only a bare ``True`` result
    lets the request proceed. The requested function (``get.fun``) is then
    dispatched through the same plugin entry point, and the path it returns
    is sent with a generic ``application/octet-stream`` content type and the
    path's basename as the download name.

    Returns:
        A Flask response from ``send_file``, or None when the check hook
        does not return exactly ``True``.
    """
    get = get_input()
    import panelPlugin
    plugin = panelPlugin.panelPlugin()

    # Pre-flight: the plugin's own access check decides whether to continue.
    get.s = '_check'
    get.client_ip = public.GetClientIp()
    verdict = plugin.a(get)
    if not isinstance(verdict, bool) or verdict is False:
        return

    # Dispatch the requested function; its return value is the file to send.
    get.s = get.fun
    filename = plugin.a(get)
    return send_file(
        filename,
        mimetype='application/octet-stream',
        as_attachment=True,
        attachment_filename=os.path.basename(filename),
    )
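 def get_sk(self,):
     """Validate an API-key signed request against ``config/api.json``.

     The API must be enabled (``open``), the caller's IP must be listed in
     ``limit_addr``, and the request must carry ``request_time`` and
     ``request_token`` where ``request_token == md5(request_time + token)``.

     Returns:
         False when the request is authentic (no error to report); otherwise
         a redirect to ``/login`` or a ``public.returnJson`` error payload.
     """
     import hmac
     save_path = '/www/server/panel/config/api.json'
     if not os.path.exists(save_path):
         return redirect('/login')
     api_config = json.loads(public.ReadFile(save_path))
     if not api_config['open']:
         return redirect('/login')
     from BTPanel import get_input
     get = get_input()
     if 'request_token' not in get or 'request_time' not in get:
         return redirect('/login')
     client_ip = public.GetClientIp()
     # NOTE(review): ``in`` is a substring test if limit_addr is a str rather
     # than a list -- confirm the config shape.
     if client_ip not in api_config['limit_addr']:
         return public.returnJson(False,'IP校验失败,您的访问IP为['+client_ip+']')
     expected = public.md5(get.request_time + api_config['token'])
     # Constant-time comparison so mismatches cannot be distinguished by
     # timing; a non-str / non-ASCII request_token is simply a mismatch.
     # NOTE(review): request_time is not checked for freshness, so a captured
     # (time, token) pair stays valid until the API token is changed.
     try:
         matched = hmac.compare_digest(get.request_token, expected)
     except TypeError:
         matched = False
     if matched:
         return False
     return public.returnJson(False,'密钥校验失败')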
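 def get_sk(self, ):
     """Return True when the request carries a valid API-key signature.

     Reads ``/www/server/panel/config/api.json``; the API must be enabled
     (``open``), the client IP must be listed in ``limit_addr``, and the
     request must carry ``request_time`` and ``request_token`` with
     ``request_token == md5(request_time + token)``. Any failed precondition
     yields False rather than an error payload.

     Returns:
         bool: True only when every check passes.
     """
     import hmac
     save_path = '/www/server/panel/config/api.json'
     if not os.path.exists(save_path):
         return False
     api_config = json.loads(public.ReadFile(save_path))
     if not api_config['open']:
         return False
     from BTPanel import get_input
     get = get_input()
     if 'request_token' not in get or 'request_time' not in get:
         return False
     client_ip = public.GetClientIp()
     # NOTE(review): ``in`` is a substring test if limit_addr is a str rather
     # than a list -- confirm the config shape.
     if client_ip not in api_config['limit_addr']:
         return False
     expected = public.md5(get.request_time + api_config['token'])
     # Constant-time comparison; a non-str / non-ASCII request_token is a
     # plain mismatch rather than an exception.
     # NOTE(review): request_time is not checked for freshness, so a captured
     # (time, token) pair stays valid until the API token is changed.
     try:
         return hmac.compare_digest(get.request_token, expected)
     except TypeError:
         return False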
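    def get_sk(self):
        """Authenticate an API request signed with the panel API key.

        Reads ``/www/server/panel/config/api.json`` (``open``, ``token``,
        ``limit_addr`` and optionally ``key``). Two request styles are accepted:

        * Plain: the client IP must be in ``limit_addr`` and the request must
          carry ``request_time``/``request_token``.
        * App-bound: the request carries ``client_bind_token``; the device is
          looked up once via ``panelApi.get_app_find`` and then remembered as an
          empty marker file ``/dev/shm/<token>``. ``form_data`` is AES-decrypted
          with ``api_config['key']`` into ``g.form_data``, the request is re-read,
          and ``g.is_aes``/``g.aes_key`` are set.

        In both styles ``request_token`` must equal ``md5(request_time + token)``.

        Returns:
            False when the request is authentic (nothing to report); otherwise a
            redirect to ``/login`` or a ``returnJson``/``returnMsg`` error payload.
        """
        import hmac
        save_path = '/www/server/panel/config/api.json'
        if not os.path.exists(save_path):
            return redirect('/login')
        try:
            api_config = json.loads(public.ReadFile(save_path))
        except Exception:
            # An unparseable config is discarded so the next visit starts clean.
            # Narrowed from a bare except so KeyboardInterrupt/SystemExit propagate.
            os.remove(save_path)
            return redirect('/login')

        if not api_config['open']:
            return redirect('/login')
        from BTPanel import get_input
        get = get_input()

        if 'client_bind_token' not in get:
            if 'request_token' not in get or 'request_time' not in get:
                return redirect('/login')
            client_ip = public.GetClientIp()
            # NOTE(review): ``in`` is a substring test if limit_addr is a str
            # rather than a list -- confirm the config shape.
            if client_ip not in api_config['limit_addr']:
                return public.returnJson(False,
                                         'IP校验失败,您的访问IP为[' + client_ip + ']')
        else:
            bind_token = get.client_bind_token
            # The token becomes a path component under /dev/shm. Anything that
            # could leave that directory, or name the directory itself, would
            # let a caller probe arbitrary paths via exists() and skip the
            # device lookup, so such values are rejected as unbound.
            if (not bind_token or '/' in bind_token or '\0' in bind_token
                    or bind_token in ('.', '..')):
                return public.returnMsg(False, '未绑定的设备')
            a_file = '/dev/shm/' + bind_token
            if not os.path.exists(a_file):
                import panelApi
                if not panelApi.panelApi().get_app_find(bind_token):
                    return public.returnMsg(False, '未绑定的设备')
                public.writeFile(a_file, '')

            if 'key' not in api_config:
                return public.returnJson(False, '密钥校验失败')
            if 'form_data' not in get:
                return public.returnJson(False, '没有找到form_data数据')

            g.form_data = json.loads(
                public.aes_decrypt(get.form_data, api_config['key']))

            # Re-read the request, presumably so get_input() picks up the
            # decrypted form_data placed in g -- confirm in get_input.
            get = get_input()
            if 'request_token' not in get or 'request_time' not in get:
                return redirect('/login')
            g.is_aes = True
            g.aes_key = api_config['key']

        expected = public.md5(get.request_time + api_config['token'])
        # Constant-time comparison; a non-str / non-ASCII request_token is a
        # plain mismatch rather than an exception.
        # NOTE(review): request_time is never checked for freshness, so a
        # captured (time, token) pair stays valid until the API token changes.
        try:
            matched = hmac.compare_digest(get.request_token, expected)
        except TypeError:
            matched = False
        if matched:
            return False
        return public.returnJson(False, '密钥校验失败')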
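    def get_sk(self):
        """Authenticate an API request signed with the panel API key.

        Reads ``/www/server/panel/config/api.json`` (``open``, ``token``,
        ``limit_addr`` and optionally ``key``). Two request styles are accepted:

        * Plain: the client IP must be in ``limit_addr`` and the request must
          carry ``request_time``/``request_token``.
        * App-bound: the request carries ``client_bind_token``; the device is
          looked up once via ``panelApi.get_app_find`` and then remembered as an
          empty marker file ``/dev/shm/<token>``. ``form_data`` is AES-decrypted
          with ``api_config['key']`` into ``g.form_data``, the request is re-read,
          and ``g.is_aes``/``g.aes_key`` are set.

        In both styles ``request_token`` must equal ``md5(request_time + token)``.

        Returns:
            False when the request is authentic (nothing to report); otherwise a
            redirect to ``/login`` or a ``returnJson``/``returnMsg`` error payload.
        """
        import hmac
        save_path = '/www/server/panel/config/api.json'
        if not os.path.exists(save_path):
            return redirect('/login')
        try:
            api_config = json.loads(public.ReadFile(save_path))
        except Exception:
            # An unparseable config is discarded so the next visit starts clean.
            # Narrowed from a bare except so KeyboardInterrupt/SystemExit propagate.
            os.remove(save_path)
            return redirect('/login')

        if not api_config['open']:
            return redirect('/login')
        from BTPanel import get_input
        get = get_input()

        if 'client_bind_token' not in get:
            if 'request_token' not in get or 'request_time' not in get:
                return redirect('/login')
            client_ip = public.GetClientIp()
            # NOTE(review): ``in`` is a substring test if limit_addr is a str
            # rather than a list -- confirm the config shape.
            if client_ip not in api_config['limit_addr']:
                return public.returnJson(
                    False,
                    '%s[' % public.GetMsg("CHECK_IP_FALSE") + client_ip + ']')
        else:
            bind_token = get.client_bind_token
            # The token becomes a path component under /dev/shm. Anything that
            # could leave that directory, or name the directory itself, would
            # let a caller probe arbitrary paths via exists() and skip the
            # device lookup, so such values are rejected as unbound.
            if (not bind_token or '/' in bind_token or '\0' in bind_token
                    or bind_token in ('.', '..')):
                return public.returnMsg(False, 'Unbound device')
            a_file = '/dev/shm/' + bind_token
            if not os.path.exists(a_file):
                import panelApi
                if not panelApi.panelApi().get_app_find(bind_token):
                    return public.returnMsg(False, 'Unbound device')
                public.writeFile(a_file, '')

            if 'key' not in api_config:
                return public.returnJson(False, 'Key verification failed')
            if 'form_data' not in get:
                return public.returnJson(False, 'No form_data data found')

            g.form_data = json.loads(
                public.aes_decrypt(get.form_data, api_config['key']))

            # Re-read the request, presumably so get_input() picks up the
            # decrypted form_data placed in g -- confirm in get_input.
            get = get_input()
            if 'request_token' not in get or 'request_time' not in get:
                return redirect('/login')
            g.is_aes = True
            g.aes_key = api_config['key']
        expected = public.md5(get.request_time + api_config['token'])
        # Constant-time comparison; a non-str / non-ASCII request_token is a
        # plain mismatch rather than an exception.
        # NOTE(review): request_time is never checked for freshness, so a
        # captured (time, token) pair stays valid until the API token changes.
        try:
            matched = hmac.compare_digest(get.request_token, expected)
        except TypeError:
            matched = False
        if matched:
            return False
        return public.returnJson(False, 'SECRET_KEY_CHECK_FALSE')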
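 def set_login(self, get):
     """Complete a one-shot login started by the scan-to-login flow.

     ``<app_path>login.pl`` holds ``"<secret_key>:<init_time>"``. The file is
     consumed (deleted) as soon as it is seen, so each key is usable once.
     Login succeeds only when the file is less than 60 s old and the caller's
     ``secret_key`` matches; the user with ``id=1`` is then logged in.

     Args:
         get: Request parameters; ``get['secret_key']`` is the key to check.

     Returns:
         ``public.returnMsg(True, 'LOGIN_SUCCESS')`` on success, otherwise
         ``public.returnMsg(False, 'LOGIN_FAIL')``.
     """
     import hmac
     login_file = self.app_path + "login.pl"
     if not os.path.exists(login_file):
         return public.returnMsg(False, 'LOGIN_FAIL')
     data = public.readFile(login_file)
     # Consume the one-time file before any comparison. os.remove replaces the
     # former shell-built "rm <path>"; like the shell form, a failed removal
     # does not abort the login (the key is still time-boxed to 60 s).
     try:
         os.remove(login_file)
     except OSError:
         pass
     try:
         secret_key, init_time = data.split(':')
         fresh = time.time() - float(init_time) < 60
     except (AttributeError, ValueError):
         # readFile returned a non-str, or the file is not "<key>:<time>".
         return public.returnMsg(False, 'LOGIN_FAIL')
     # Constant-time comparison; a missing or non-ASCII key is a plain mismatch.
     try:
         matched = 'secret_key' in get and hmac.compare_digest(get['secret_key'], secret_key)
     except TypeError:
         matched = False
     if not (fresh and matched):
         return public.returnMsg(False, 'LOGIN_FAIL')
     sql = db.Sql()
     userInfo = sql.table('users').where(
         "id=?", (1,)).field('id,username,password').find()
     session['login'] = True
     session['username'] = userInfo['username']
     # Drop cached login-attempt counters now that the login succeeded.
     cache.delete('panelNum')
     cache.delete('dologin')
     public.WriteLog('TYPE_LOGIN', 'LOGIN_SUCCESS1',
                     (public.GetMsg("WECHAT_SCAN_QRCORE"), public.GetClientIp()))
     return public.returnMsg(True, 'LOGIN_SUCCESS')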
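 def __write_args(self,args):
     """Snapshot the current request's GET/POST data to ``self.__args_tmp``.

     Form values prefixed ``BT-CRT`` are AES-encrypted by the client; when the
     ``x-http-token`` header is present, the key derived from it
     (``x_token[:8] + x_token[40:48]``) is used to decrypt them before they are
     stored. The server-derived client IP is written into ``POST["client_ip"]``
     last, so a client-supplied field of that name can never override it.

     Args:
         args: Unused here; kept for interface compatibility with callers.

     Returns:
         None.
     """
     from BTPanel import request
     # Remove the previous snapshot without an exists()/remove() race.
     try:
         os.remove(self.__args_tmp)
     except FileNotFoundError:
         pass
     self.__clean_args_file()
     x_token = request.headers.get('x-http-token')
     aes_pwd = None
     if x_token:
         # NOTE(review): assumes the header is at least 48 chars; a shorter
         # token silently yields a shorter key -- confirm the token format.
         aes_pwd = x_token[:8] + x_token[40:48]
     post = {}
     for key in request.form.keys():
         value = str(request.form.get(key, ''))
         if aes_pwd is not None and value[:6] == 'BT-CRT':
             value = public.aes_decrypt(value[6:], aes_pwd)
         post[key] = value
     # Overwrite, not setdefault: the server's view of the client IP wins.
     post['client_ip'] = public.GetClientIp()
     data = {'GET': request.args.to_dict(), 'POST': post}
     public.writeFile(self.__args_tmp, json.dumps(data))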
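    def limit_address(self, type, v=""):
        """Track failed attempts per client IP in the cache.

        The counter key is ``'limitIpNum_' + v + <client ip>`` with a 600 s
        lifetime and an allowance of 6 attempts.

        Args:
            type: ``'+'`` or ``'++'`` increment the counter (and also bump
                ``self.error_num()``); ``'+'`` sets ``session['code']`` to True,
                ``'++'`` to False. ``'-'`` or ``'--'`` clear the counter and set
                ``session['code']`` to False. Any other value only reads.
            v: Optional key prefix, concatenated directly to the client IP.
                NOTE(review): there is no delimiter between ``v`` and the IP,
                so distinct (v, ip) pairs could map to one key -- confirm.

        Returns:
            int: remaining attempts after an increment, ``1`` after a clear,
            or ``limit - current`` for a plain read. On any cache/session
            failure the full allowance (6) is returned, i.e. the limiter
            fails open.
        """
        clientIp = public.GetClientIp()
        numKey = 'limitIpNum_' + v + clientIp
        limit = 6
        outTime = 600
        try:
            # Initialise the counter on first sight of this key.
            num1 = cache.get(numKey)
            if not num1:
                cache.set(numKey, 1, outTime)
                num1 = 1

            # Count: '+' comes from the password path, '++' from the
            # verification-code path; only session['code'] differs.
            if type in ('+', '++'):
                cache.inc(numKey, 1)
                self.error_num()
                session['code'] = (type == '+')
                return limit - (num1 + 1)

            # Clear (both variants behave identically).
            if type in ('-', '--'):
                cache.delete(numKey)
                session['code'] = False
                return 1
            return limit - num1
        except Exception:
            # Narrowed from a bare except so KeyboardInterrupt/SystemExit propagate.
            return limit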
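def panel_public():
    """Serve the ``/public`` endpoint.

    Requests are routed by ``get.fun`` (and ``get.name``), which are first
    screened with ``public.path_safe_check``:

    * ``static`` serves a file from ``/www/server/panel/BTPanel/static/``
      after traversal checks.
    * The WeChat-app functions (``scan_login``, ``login_qrcode``, ``set_login``,
      ``is_scan_ok``, ``blind``) go to ``wxapp.wxapp`` once its ``_check`` hook
      returns exactly ``True``; ``login_qrcode``/``is_scan_ok`` additionally
      require the secure entry (admin path) to have been passed when one is
      configured.
    * Everything else is handed to ``panelPlugin`` once its ``_check`` hook
      returns exactly ``True``, with a throwaway session that is cleared
      afterwards.

    Returns:
        A ``(json, json_header)`` tuple, a ``send_file`` response, the string
        ``'False'`` when the secure entry was not passed, or ``abort(404)``.
    """
    global admin_check_auth, admin_path, route_path, admin_path_file
    get = get_input()
    get.client_ip = public.GetClientIp()
    if not hasattr(get, 'name'):
        get.name = ''
    if not hasattr(get, 'fun'):
        return abort(404)
    if not public.path_safe_check("%s/%s" % (get.name, get.fun)):
        return abort(404)

    wx_functions = ('scan_login', 'login_qrcode', 'set_login', 'is_scan_ok', 'blind', 'static')
    if get.fun in wx_functions:
        if get.fun == 'static':
            if 'filename' not in get:
                return abort(404)
            if not public.path_safe_check("%s" % (get.filename)):
                return abort(404)
            s_file = '/www/server/panel/BTPanel/static/' + get.filename
            # Belt-and-braces traversal check on top of path_safe_check.
            if '..' in s_file or './' in s_file:
                return abort(404)
            if not os.path.exists(s_file):
                return abort(404)
            return send_file(s_file, conditional=True, add_etags=True)

        # Require the secure entry (admin path) to have been passed first.
        if get.fun in ('login_qrcode', 'is_scan_ok'):
            if admin_path != '/bt' and os.path.exists(admin_path_file) and 'admin_auth' not in session:
                return 'False'
        import wxapp
        pluwx = wxapp.wxapp()
        checks = pluwx._check(get)
        if not isinstance(checks, bool) or not checks:
            return public.getJson(checks), json_header
        # get.fun is confined to the allow-list above, so a plain attribute
        # lookup replaces the former eval() of a request-derived string.
        data = public.getJson(getattr(pluwx, get.fun)(get))
        return data, json_header

    import panelPlugin
    plu = panelPlugin.panelPlugin()
    get.s = '_check'
    checks = plu.a(get)
    if not isinstance(checks, bool) or not checks:
        return public.getJson(checks), json_header
    get.s = get.fun
    # Build a temporary context for the plugin call, then clear the session
    # so nothing from this call survives.
    comm.setSession()
    comm.init()
    comm.checkWebType()
    comm.GetOS()
    result = plu.a(get)
    session.clear()
    return public.getJson(result), json_header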