fuzzy
/
dev_endboard
mirror of http://git.simp.i2p/fuzzykitten/dev_endboard
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
dev_endboard/opt/base.php

789 lines
25 KiB
PHP
Raw Blame History

<?php
/*
* This is the endboard software, version beta 0.80
* It is a textboard written for the use in the darknets.
*
* This file holds all the basic functions needed. It can be
* included without side effects.
*
* The writing of this code started some time ago with another software
* called smolBBS. Although there is almost no original code left now,
* I still regard endboard as a fork of smolBBS.
* The author of smolBBS has required that the following text be
* distributed with any redistribution, so here it goes.
* The license and other conditions apply to endboard as well.
*
* IRC: *dulm @ irc.rizon.net
*
* Copyright (C) 2020 sandlind
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* (1) Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* (2) Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* (3)The name of the author may not be used to
* endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
// Check if the maximum requests as defined in the config file are
// exhausted or not
function check_max_requests($db, $settings, $ip)
{
$current = time();
if ( ($settings['max_requests_ip'] > 0)
&& ($_SERVER['REMOTE_ADDR'] != '127.0.0.1') ) {
$max_age = $current - ($settings['max_requests_timeframe'] * 60);
// max age is in minutes, so times 60 to go to seconds
$max_visits = $settings['max_requests_ip'];
} elseif ( ($settings['max_requests_tor'] > 0)
&& ($_SERVER['REMOTE_ADDR'] == '127.0.0.1') ) {
$max_age = $current - ($settings['max_requests_tor_timeframe'] * 60);
// max age is in minutes, so times 60 to go to seconds
$max_visits = $settings['max_requests_tor'];
} else {
return;
}
$statement = $db->prepare("SELECT unix_timestamp
FROM logs
WHERE type = 'portal'
AND ip = '$ip'
AND event in ('visit')
AND unix_timestamp > '$max_age'");
$result = $statement->execute();
$visits = 0;
while ($row = $result->fetchArray(SQLITE3_NUM)) {
$visits++;
}
if ( ($visits > $max_visits) ) {
$block_message = '429';
log_event($db, $settings, 'user', $block_message, $ip);
header( 'HTTP/1.1 429 Too Many Requests' );
quit($db, '429');
}
}
// Check if a message exists already in the database when importing.
function check_post_exists($db, $sub, $post_id)
{
$statement = $db->prepare("SELECT post_id
FROM threads
WHERE sub = '$sub'
AND post_id = '$post_id'");
$result = $statement->execute();
$counter = 0;
while ($row = $result->fetchArray(SQLITE3_NUM)) {
$counter++;
}
if ( ($counter < 1) ) {
// if the counter is smaller 1, there is no match
return FALSE;
} else {
return TRUE;
}
}
// Check if a sub exists before display
// If the name does not exist, name* is searched
function check_sub_exists($db, $sub)
{
if ( ($sub == 'overboard') || ($sub == 'main') ) {
return $sub;
}
$statement = $db->prepare("SELECT sub
FROM threads
WHERE sub = '$sub'
AND shadow = 'no'");
$result = $statement->execute();
$counter = 0;
while ($row = $result->fetchArray(SQLITE3_NUM)) {
$counter++;
$sub = "{$row[0]}";
}
if ( ($counter < 1) ) {
// if the counter is smaller 1, there is no match
$statement = $db->prepare("SELECT sub
FROM threads
WHERE sub GLOB '$sub*'
AND shadow = 'no'
ORDER BY sub
ASC LIMIT 1");
$result = $statement->execute();
$counter_2 = 0;
while ($row = $result->fetchArray(SQLITE3_NUM)) {
$counter_2++;
$sub = "{$row[0]}";
}
if ( ($counter_2 < 1) ) {
// if the counter is smaller 1, there is no match
return FALSE;
} else {
return $sub;
}
} else {
return $sub;
}
}
// record $_SERVER info
function debug_server($db, $settings)
{
$filename = $settings['work_dir'] . 'debug_server.txt';
$content = print_r($_SERVER, TRUE);
file_put_contents($filename, $content);
}
// Dump the contents of a sub, a thread or the whole board to a json
// file and send it to the browser.
// If used on the overboard, it will dump everything, including the
// messages from subs that are not actually displayed on the overboard.
function dump($db, $sub, $org_id, $settings)
{
// rewrite to include ranges
header( 'Content-Type: application/json' );
$json_dump = array();
if ( (!empty($org_id)) ) {
$statement = $db->prepare("SELECT post_id, text
FROM threads
WHERE sub = '$sub'
AND shadow = 'no'
AND org_id = '$org_id'");
$result = $statement->execute();
$json_dump['sub'] = $sub;
$json_dump['org_id'] = $org_id;
while ($row = $result->fetchArray(SQLITE3_NUM)) {
$post = array();
$post['post_id'] = "{$row[0]}";
$post['text'] = "{$row[1]}";
array_push($json_dump, $post);
}
} elseif ($sub == 'overboard') {
$statement = $db->prepare("SELECT post_id, org_id,
sub, text, timestamp
FROM threads
WHERE shadow = 'no'");
$result = $statement->execute();
while ($row = $result->fetchArray(SQLITE3_NUM)) {
$post = array();
$post['post_id'] = "{$row[0]}";
$post['org_id'] = "{$row[1]}";
$post['sub'] = "{$row[2]}";
$post['text'] = "{$row[3]}";
$post['timestamp'] = "{$row[4]}";
array_push($json_dump, $post);
}
} else {
$statement = $db->prepare("SELECT post_id, org_id, text
FROM threads
WHERE sub = '$sub'
AND shadow = 'no'");
$result = $statement->execute();
$json_dump['sub'] = $sub;
while ($row = $result->fetchArray(SQLITE3_NUM)) {
$post = array();
$post['post_id'] = "{$row[0]}";
$post['org_id'] = "{$row[1]}";
$post['text'] = "{$row[2]}";
array_push($json_dump, $post);
}
}
echo json_encode($json_dump, JSON_PRETTY_PRINT
| JSON_NUMERIC_CHECK
| JSON_UNESCAPED_UNICODE);
}
// Prevents additional tries to log in or to edit a post after too many
// failed tries. To be configured in the config file.
// Note: if enabled, this function can be used to dos the access to the
// admin and mod panels by sending constant junk requests.
// Still better than someone trying millions of user/password
// combinations, right ?
// If really paranoid, enable the admin panel only if you use it or
// let it listen on another address altogether.
// Read your logfiles to check if attacks are ongoing.
function fail2ban($db, $settings)
{
if ($settings['enable_fail2ban'] != TRUE) {
return;
}
$current = time();
$max_age = $current - ($settings['auth_time_frame'] * 60);
// max age is in minutes, so times 60 to go to seconds
if ($settings['superstrict'] == TRUE) {
$statement = $db->prepare("SELECT unix_timestamp
FROM logs
WHERE type = 'auth'
AND event in (
'name#tripkey combination not valid',
'wrong combination user/password',
'invalid token used',
'wrong combination name/token',
'fail2ban triggered')
AND unix_timestamp > '$max_age'");
} else {
$statement = $db->prepare("SELECT unix_timestamp
FROM logs
WHERE type = 'auth'
AND event in (
'name#tripkey combination not valid',
'wrong combination user/password',
'invalid token used',
'wrong combination name/token')
AND unix_timestamp > '$max_age'");
}
$result = $statement->execute();
$counter = 0;
while ($row = $result->fetchArray(SQLITE3_NUM)) {
$counter++;
}
if ($counter > $settings['auth_max']) {
$fail2ban_message = 'fail2ban triggered';
log_event($db, $settings, 'auth', $fail2ban_message, '');
header( 'HTTP/1.1 429 Too Many Requests' );
quit($db, '429');
}
}
// filter a variable according to different parameters and return the
// result
function filter($text, $type, $length)
{
if ( ( $type == 'alnum') ) {
$filtered_text = substr(
preg_replace("/[^0-9a-zA-Z]/", "", $text),
0, $length);
} elseif ( ($type == 'num') ) {
$filtered_text = substr(
preg_replace("/[^0-9]/", "", $text),
0, $length);
} elseif ( ($type == 'email') ) {
$filtered_text = substr(
preg_replace("/[^0-9a-zA-Z@._]/", "", $text),
0, $length);
}
return $filtered_text;
}
// Check how many pretty vars have been sent
function get_pretty_vars_count()
{
$raw_vars = explode('/', $_SERVER['REQUEST_URI']);
$count = count($raw_vars);
return $count;
}
// Return number of posts in sub or overboard, with or without replies.
function give_total_posts($db, $sub, $original_only, $settings)
{
if ( ($original_only) && ($sub != 'overboard') ) {
$statement = $db->prepare("SELECT post_id
FROM threads
WHERE sub = '$sub'
AND org_id = original
AND shadow = 'no'");
$result = $statement->execute();
$counter = 0;
while ($row = $result->fetchArray(SQLITE3_NUM)) {
$counter++;
}
} elseif ( ($sub == 'overboard') ) {
$no_overboard = '';
$last = array_pop($settings['no_overboard']);
foreach($settings['no_overboard'] as $ex_sub) {
$str = "'" . $ex_sub . "', ";
$no_overboard .= $str;
}
$no_overboard .= "'" . $last . "'";
$statement = $db->prepare("SELECT post_id
FROM threads
WHERE org_id = original
AND sub NOT IN ($no_overboard)
AND shadow = 'no'");
$result = $statement->execute();
$counter = 0;
while ($row = $result->fetchArray(SQLITE3_NUM)) {
$counter++;
}
} else {
$statement = $db->prepare("SELECT post_id
FROM threads
WHERE sub = '$sub'
AND shadow = 'no'");
$result = $statement->execute();
$counter = 0;
while ($row = $result->fetchArray(SQLITE3_NUM)) {
$counter++;
}
}
return $counter;
}
// Log an event to the db. Also, delete the overflow of logs as
// defined in the config file.
function log_event($db, $settings, $type, $text, $ip)
{
if ( ($settings['enable_logging'] != TRUE) ) {
return;
}
$current = time();
$timestamp = date('Y-m-d H:i:s', $_SERVER['REQUEST_TIME']);
$statement = $db->prepare("INSERT INTO logs(event, type, timestamp,
unix_timestamp, ip)
VALUES (?, '$type', '$timestamp',
'$current', ?)");
$statement->bindParam(1, $text);
$statement->bindParam(2, $ip);
$statement->execute();
if ( ($settings['cap_logs'] > 0) ) {
$statement = $db->prepare("DELETE FROM logs
WHERE ROWID IN
(SELECT ROWID FROM logs
ORDER BY ROWID DESC
LIMIT -1 OFFSET ?)");
// to prevent the db from bloating (and to prevent attacks), we
// allow only so many lines of logs at any one time, and we check
// this with each call.
$statement->bindParam(1, $settings['cap_logs']);
$result = $statement->execute();
}
}
// Make all tables that are needed (one each for posts, keys, hashes
// (captchas), hashes (passwords) and logs).
// Also, the hashes for the captchas are cropped to 20000.
function make_tables($db)
{
// make basic tables: threads, captchas, logs, keys
$db->exec('CREATE TABLE IF NOT EXISTS "captchas" (
"id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
"hash" TEXT UNIQUE,
"unix_timestamp" INTEGER
)');
$db->exec('CREATE TABLE IF NOT EXISTS "logs" (
"id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
"timestamp" TEXT,
"unix_timestamp" INTEGER,
"type" TEXT,
"event" TEXT,
"ip" TEXT
)');
$db->exec('CREATE TABLE IF NOT EXISTS "keys" (
"id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
"name" TEXT UNIQUE NOT NULL,
"type" INTEGER NOT NULL,
"email" TEXT,
"key" TEXT,
"subs" TEXT,
"token" TEXT,
"timestamp_token" INTEGER
)');
$db->exec('CREATE TABLE IF NOT EXISTS "threads" (
"id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
"post_id" INTEGER NOT NULL,
"shadow" TEXT NOT NULL,
"sub" TEXT NOT NULL,
"global_id" TEXT NOT NULL UNIQUE,
"text_id" TEXT NOT NULL,
"text" TEXT NOT NULL,
"org_id" INTEGER NOT NULL,
"timestamp" TEXT,
"name" TEXT,
"tripcode" TEXT,
"original" INTEGER NOT NULL,
"move_message" TEXT,
"edit_message" TEXT,
UNIQUE(post_id, sub) ON CONFLICT IGNORE
)');
$statement = $db->prepare("DELETE FROM captchas
WHERE ROWID IN
(SELECT ROWID FROM captchas
ORDER BY ROWID DESC
LIMIT -1 OFFSET 20000)");
// to prevent the db from bloating (and to prevent attacks), we
// allow only 20000 captchas at any one time, and we check this
// with each call. This should be enough if your site is getting
// less or equal to 100.000 visitors a day.
// Total combinations of captcha and token are ca. 2000 * 62^250.
$result = $statement->execute();
}
// Make a token to grant access to the admin panel or the mod panel for
// a limited time. A way of having sessions without cookies.
// Also used as a hidden field in the post form to prevent double
// posting by sending the same input twice.
function make_token($length, $mode)
{
if ( $mode == 'alnum' ) {
$characters = '0123456789'
. 'abcdefghijklmnopqrstuvwxyz'
. 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
} elseif ( $mode == 'alpha' ) {
$characters = 'abcdefghijklmnopqrstuvwxyz'
. 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
} elseif ( $mode == 'num' ) {
$characters = '0123456789';
}
$counter = strlen($characters) - 1;
$random_string = '';
for ($i = 0; $i < $length; $i++) {
$index = random_int(0, $counter);
$random_string .= $characters[$index];
}
return $random_string;
}
// Close the database, so to not let this work for the garbage collector
// and loose time.
// Also display a final message (optionally), and exit.
function quit($db, $text)
{
$db->close();
if ($text != '') {
echo "$text";
}
exit;
}
// Parse pretty vars at different positions and with different filters
function read_pretty_vars($position, $filter, $length)
{
$var = '';
$raw_vars = explode('/', $_SERVER['REQUEST_URI']);
$pretty_vars = array();
foreach($raw_vars as $raw_var) {
if ($filter == 'number') {
$pretty_var = substr(preg_replace("/[^0-9]/", "",
$raw_var), 0, $length);
} elseif ($filter == 'alnum') {
$pretty_var = substr(preg_replace("/[^0-9a-zA-Z]/", "",
$raw_var), 0, $length);
} elseif ($filter == 'alnumplus') {
$pretty_var = substr(preg_replace("/[^0-9a-zA-Z+-_]/", "",
$raw_var), 0, $length);
}
array_push($pretty_vars, $pretty_var);
}
if ($position == 'last') {
$var = array_pop($pretty_vars);
} elseif ( (isset($pretty_vars[$position])) ) {
$var = $pretty_vars[$position];
}
return $var;
}
// Find the original post to a reply
function reset_org_id($db, $sub, $post_id)
{
$statement = $db->prepare("SELECT org_id
FROM threads
WHERE sub = '$sub'
AND shadow = 'no'
AND post_id = '$post_id'");
$result = $statement->execute();
while ($row = $result->fetchArray(SQLITE3_NUM)) {
$post_id = "{$row[0]}";
}
return $post_id;
}
// Set the css that we use
function set_css($mode, $settings)
{
$admin_css = array(
'auth_admin', 'admin', 'delete_admin',
'delete_logs', 'logs', 'password',
'setup', 'shadow', 'view_mods',
'change_mods', 'unshadow_post', 'unshadow_sub',
'import', 'dump_full'
);
$mod_css = array(
'apply', 'auth_mod', 'mod',
'delete_mod'
);
if (in_array($mode, $admin_css)) {
return 'admin';
} elseif (in_array($mode, $mod_css)) {
return 'mod';
} elseif ( (!empty($_POST['css'])) ) {
$css = filter($_POST['css'], 'alnum', 20);
// 20 chars should be enough to name a css
} else {
$raw_vars = explode('/', $_SERVER['REQUEST_URI']);
foreach($raw_vars as $raw_var) {
if ( (mb_strtolower(substr( $raw_var, 0, 4 )) === 'css=') ) {
// css= is four letters
$css_vars = explode('=', $raw_var);
$css = filter($css_vars[1], 'alnum', 20);
// 20 chars should be enough to name a css
break;
}
}
}
if ( !empty($css)
&& ( file_exists($settings['server_dir'] . 'css/' . $css . '.css') ) ){
return "$css";
} else {
return $settings['default_css'];
}
}
// Check what is expected from the request, and set mode accordingly.
// The variable "$short_mode" is read from the request.
// The elements in the triggers array other than 'tr', capture requests
// that are standard scans for vulns + target discovery.
// Part of the bot trap, which can be disabled in the config file
function set_mode($short_mode, $settings)
{
$triggers = array (
'tr', 'login', 'wellknown', 'wplogin',
'wpjson', 'wp', 'products', 'wpusers',
'wpadmin', 'wpadminer', 'adminer', 'phpmyadmin',
'wpuploads', 'wpcontent', 'wpconfig', 'wpincludes',
'static', 'img', 'images', 'uploads',
'styles', 'style', 'serverinfo', 'privatekey',
'serverstatus'
);
$short_modes = array (
'cm', 'dim', 'pa', 'ush',
'dsh', 'usha', 'dsa', 'aa',
'am', 'dt', 'a', 'm',
'ap', 'sp', 'im', 'da',
'dm', 'dl', 'su', 'lo',
'sh', 'iv', 'p', 'r',
'v', 's', 'b', 'd',
'df', 'e', 'u', 'rss'
);
$long_modes = array (
'view_mods', 'change_mods', 'password', 'unshadow_post',
'delete_post', 'unshadow_sub', 'delete_sub', 'auth_admin',
'auth_mod', 'destroy_token', 'admin', 'mod',
'apply', 'setup', 'import', 'delete_admin',
'delete_mod', 'delete_logs', 'subs', 'logs',
'shadow', 'individual_view', 'post', 'reply',
'view', 'view', 'bot', 'dump',
'dump_full', 'edit', 'user', 'feed'
);
if ( (in_array($short_mode, $triggers))
&& ($settings['enable_bot_trap']) ) {
$mode = 'trap';
} elseif ( (!in_array($short_mode, $short_modes)) ) {
$mode = 'landing';
// if nothing fits, we display the landing page
} else {
for ($i = 0; $i < count($short_modes); $i++) {
if ( ($short_modes[$i] == $short_mode) ) {
$mode = $long_modes[$i];
break;
}
}
}
return $mode;
}
// In case of replies, check which post we are replying to
// (based on the pretty vars in GET requests)
function set_org_id()
{
$org_id = read_pretty_vars(3, 'number', 10);
// we read from the third position, and a message does not need more
// than 10 digits (=max 9 999 999 999 messages)
return $org_id;
}
// Get the page if it is defined, otherwise set to 1
function set_page()
{
if (get_pretty_vars_count() == 5) {
// the page is only defined if there are five vars
$page = read_pretty_vars(3, 'number', 10);
// read from third position, and a page does not need more
// than 10 digits
} else {
$page = 0;
// if there is no page given, we set it to zero
}
if ( ($page < 1) ) {
// if the page is zero, it means we did not
// get a number before
$page = read_pretty_vars(3, 'alnum', 3);
// read from the third position, and a page does not need more
// than 10 digits, this time we allow letters, too.
if ( ($page != 'all') ) {
$page = 1;
// if page is not "all", we start with the first
}
}
return $page;
}
// Determine if there is an original post_id given in the poststream
// (in case of replies)
function set_post_org_id()
{
$org_id = '';
if ( (!empty($_POST['org_id'])) ) {
$org_id = filter($_POST['org_id'], 'num', 10);
// no post id needs more than 10 digits
// (= 9 999 999 999 messages)
}
return $org_id;
}
// Determine which sub we use currently, first read from POST,
// than from the pretty vars (GET)
function set_sub($settings)
{
$sub = '';
if ( (!empty($_POST['sub'])) ) {
$sub = filter($_POST['sub'], 'alnum', $settings['max_name_sub']);
} elseif (get_pretty_vars_count() > 1) {
$sub = read_pretty_vars(2, 'alnum', $settings['max_name_sub']);
// read the sub from the second position
}
if ($sub == '') {
$sub = 'main';
}
return $sub;
}
// Get the quote, if there is one.
function set_quote()
{
if (get_pretty_vars_count() == 6) {
$quote = read_pretty_vars(4, 'alnum', 10);
// read from fourth position, and a post id does not need more
// than 10 digits
} else {
$quote = '';
}
return $quote;
}
// EOF
Reference in New Issue View Git Blame Copy Permalink