[OPGELOST] - Login bash struggle
Nu loop ik alleen tegen 1 ding aan.
Ik heb 2 kolommen met een bash_attempt en bash_time.
Nu heb ik dat als je de combinatie goed hebt er +1 wordt gedaan in de DB, dit was niet zo lastig natuurlijk.
De tijd daarentegen blijft op 0000-00-00 00:00:00 staan (standaard waarde in de DB, Navicat kan geen NULL aangeven bij mij maar dit geeft niet zozeer)
Bij 5x een fout wachtwoord of erboven zou het script moeten aangeven dat er gebashed wordt.
Bij de 5e bash wordt er een time-out ingesteld van 5 minuten en dit werkt ook de 5 minuten.
Ik zit vast en kom er niet uit bij het stukje van de 5 attempts en dat de time-out verstreken is.
Regel 17 tot 20.
Het moet zo zijn dat als je nog geen 5x hebt geprobeerd het systeem je gewoon laat proberen in te loggen. Is dat niet zo dan gaan we het niet eens meer proberen, want dan ben je aan het bashen en krijg je een time-out van 5 minuten.
Blijf je het wel proberen dan reset de tijd zich elke keer weer.
FOUTE CODE
<?php
/**
 * Authenticates $this->_username / $this->_password with a failed-attempt
 * counter (cmsu_login_attempt) and a lock-out timestamp (cmsu_login_datetime).
 *
 * This is the version the post presents as broken. What can be seen to go
 * wrong in this body:
 *  - once cmsu_login_attempt has reached 5 there is no path back below 5: the
 *    only reset to 0 sits inside the branch that itself requires attempt < 5,
 *    so after the first 'basher' the account stays locked no matter how much
 *    time passes (this is the "time-out verstreken" case the post asks about);
 *  - $timeAllowed compares the stored timestamp against "now offset by
 *    $this->_timebash" in a direction that does not express "the window has
 *    elapsed" (see the note on that line);
 *  - the reset to 0 is written before the password is checked and, on a wrong
 *    password, immediately overwritten with the old count + 1, so it is a
 *    redundant write that only has effect on success and belongs there;
 *  - the password query is not restricted to the looked-up user, and the hash
 *    is interpolated into the SQL string instead of being passed as a bound
 *    where() value.
 *
 * @return bool|string true on success; false for an unknown user or a wrong
 *                     password; 'non-active' for a disabled account; 'basher'
 *                     while locked out. Note that 'basher' and 'non-active'
 *                     confirm that the account exists.
 */
public function auth_login()
{
$userandsalt = $this->getUser($this->_username);
// Check if the user is even in the DB
if(!$userandsalt)
{
return false;
}
else
{
// The time since the last (locking) attempt;
// - TRUE for time now bigger than last attempt
// - FALSE for time still within the 5 minutes
// NOTE(review): as written this is TRUE when the stored timestamp is at or
// after (now + $this->_timebash). For a negative offset such as '-5 minutes'
// that is TRUE *inside* the window, the inverse of the comment above; for a
// positive offset it is only TRUE for a timestamp in the future. Check the
// sign of _timebash and compare (last + window) against now instead.
$timeAllowed = ($userandsalt->cmsu_login_datetime != '0000-00-00 00:00:00' ? (strtotime($userandsalt->cmsu_login_datetime) >= strtotime(date('Y-m-d H:i:s', strtotime("{$this->_timebash}", strtotime(date('Y-m-d H:i:s'))))) ? true : false) : true);
// Check if the user isn't bashing within the given time
// NOTE(review): attempt >= 5 can never become < 5 again, because the reset
// below is only reached when attempt < 5 already holds.
if($userandsalt->cmsu_login_attempt < 5 && $timeAllowed === true)
{
// We don't need to have the limit set to 5 for bashing, set it to 0
// NOTE(review): written before the password is verified; on failure the
// update further down overwrites it with the pre-reset count + 1.
$this->updateUserBash($userandsalt->cmsu_id, array('cmsu_login_attempt' => 0));
// The user exists and we can carry on the logon procedure
$safepassword = safepassword($this->_password, $userandsalt->cmsu_salt);
// NOTE(review): not limited to this user's cmsu_id, and the hash is
// interpolated into the SQL. Prefer ->where('cmsu_id', $userandsalt->cmsu_id)
// ->where('cmsu_password', $safepassword) so the builder escapes the value.
$this->db
->select('*')
->where("cmsu_password = '{$safepassword}'")
->from($this->_tablename)
->limit(1);
$query = $this->db->get();
// User found but password is incorrect
// Login attempt +1
if($query->num_rows() <= 0)
{
// Bash attack + 1 (uses the count loaded before the reset above)
$this->updateUserBash($userandsalt->cmsu_id, array('cmsu_login_attempt' => $userandsalt->cmsu_login_attempt+1));
return false;
}
else
{
$result = $query->row();
// Set the userdata to this values
$this->userid = $result->cmsu_id;
// The user is 100% legit so we can set the userdata for it
// Do check if the user isn't disabled
if($result->cmsu_active != 0)
{
$this->setUserdata($result);
return true;
}
else
{
return 'non-active';
}
}
}
else
{
// Bash attack + 1, and (re)start the lock-out window
$this->updateUserBash($userandsalt->cmsu_id, array('cmsu_login_attempt' => $userandsalt->cmsu_login_attempt+1, 'cmsu_login_datetime' => date('Y-m-d H:i:s')));
return 'basher';
}
}
}
?>
/**
 * Authenticates $this->_username / $this->_password with a failed-attempt
 * counter (cmsu_login_attempt) and a lock-out timestamp (cmsu_login_datetime).
 *
 * This is the version the post presents as broken. What can be seen to go
 * wrong in this body:
 *  - once cmsu_login_attempt has reached 5 there is no path back below 5: the
 *    only reset to 0 sits inside the branch that itself requires attempt < 5,
 *    so after the first 'basher' the account stays locked no matter how much
 *    time passes (this is the "time-out verstreken" case the post asks about);
 *  - $timeAllowed compares the stored timestamp against "now offset by
 *    $this->_timebash" in a direction that does not express "the window has
 *    elapsed" (see the note on that line);
 *  - the reset to 0 is written before the password is checked and, on a wrong
 *    password, immediately overwritten with the old count + 1, so it is a
 *    redundant write that only has effect on success and belongs there;
 *  - the password query is not restricted to the looked-up user, and the hash
 *    is interpolated into the SQL string instead of being passed as a bound
 *    where() value.
 *
 * @return bool|string true on success; false for an unknown user or a wrong
 *                     password; 'non-active' for a disabled account; 'basher'
 *                     while locked out. Note that 'basher' and 'non-active'
 *                     confirm that the account exists.
 */
public function auth_login()
{
$userandsalt = $this->getUser($this->_username);
// Check if the user is even in the DB
if(!$userandsalt)
{
return false;
}
else
{
// The time since the last (locking) attempt;
// - TRUE for time now bigger than last attempt
// - FALSE for time still within the 5 minutes
// NOTE(review): as written this is TRUE when the stored timestamp is at or
// after (now + $this->_timebash). For a negative offset such as '-5 minutes'
// that is TRUE *inside* the window, the inverse of the comment above; for a
// positive offset it is only TRUE for a timestamp in the future. Check the
// sign of _timebash and compare (last + window) against now instead.
$timeAllowed = ($userandsalt->cmsu_login_datetime != '0000-00-00 00:00:00' ? (strtotime($userandsalt->cmsu_login_datetime) >= strtotime(date('Y-m-d H:i:s', strtotime("{$this->_timebash}", strtotime(date('Y-m-d H:i:s'))))) ? true : false) : true);
// Check if the user isn't bashing within the given time
// NOTE(review): attempt >= 5 can never become < 5 again, because the reset
// below is only reached when attempt < 5 already holds.
if($userandsalt->cmsu_login_attempt < 5 && $timeAllowed === true)
{
// We don't need to have the limit set to 5 for bashing, set it to 0
// NOTE(review): written before the password is verified; on failure the
// update further down overwrites it with the pre-reset count + 1.
$this->updateUserBash($userandsalt->cmsu_id, array('cmsu_login_attempt' => 0));
// The user exists and we can carry on the logon procedure
$safepassword = safepassword($this->_password, $userandsalt->cmsu_salt);
// NOTE(review): not limited to this user's cmsu_id, and the hash is
// interpolated into the SQL. Prefer ->where('cmsu_id', $userandsalt->cmsu_id)
// ->where('cmsu_password', $safepassword) so the builder escapes the value.
$this->db
->select('*')
->where("cmsu_password = '{$safepassword}'")
->from($this->_tablename)
->limit(1);
$query = $this->db->get();
// User found but password is incorrect
// Login attempt +1
if($query->num_rows() <= 0)
{
// Bash attack + 1 (uses the count loaded before the reset above)
$this->updateUserBash($userandsalt->cmsu_id, array('cmsu_login_attempt' => $userandsalt->cmsu_login_attempt+1));
return false;
}
else
{
$result = $query->row();
// Set the userdata to this values
$this->userid = $result->cmsu_id;
// The user is 100% legit so we can set the userdata for it
// Do check if the user isn't disabled
if($result->cmsu_active != 0)
{
$this->setUserdata($result);
return true;
}
else
{
return 'non-active';
}
}
}
else
{
// Bash attack + 1, and (re)start the lock-out window
$this->updateUserBash($userandsalt->cmsu_id, array('cmsu_login_attempt' => $userandsalt->cmsu_login_attempt+1, 'cmsu_login_datetime' => date('Y-m-d H:i:s')));
return 'basher';
}
}
}
?>
GOEDE CODE
<?php
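/**
 * Authenticates $this->_username / $this->_password and enforces a per-account
 * failed-attempt limit with a timed lock-out.
 *
 * cmsu_login_attempt counts consecutive wrong passwords. As soon as it reaches
 * the limit, cmsu_login_last_datetime is stamped and the account is locked for
 * $this->_timebashextend (a strtotime() relative offset). Every attempt made
 * while locked restarts the window. A correct password clears both columns.
 *
 * Changes against the posted version: the lock-out starts at the 5th wrong
 * password rather than the 6th (the new count is compared with the limit, and
 * the counter and timestamp are written in one update); the password query is
 * restricted to the looked-up user's cmsu_id; and the hash is passed to the
 * query builder as a where() value instead of being interpolated into SQL.
 *
 * @return bool|string true on success; false for an unknown user or a wrong
 *                     password; 'non-active' when the password is right but
 *                     the account is disabled; 'basher' while locked out.
 *                     'basher' and 'non-active' confirm that the account
 *                     exists, so callers should not echo them verbatim when
 *                     account enumeration matters. Because the lock-out is
 *                     per account, anyone who knows a username can keep that
 *                     account locked; a per-source limit would complement it
 *                     (not implemented here).
 */
public function auth_login()
{
    // Failed attempts at which the lock-out starts.
    $maxAttempts = 5;
    // Value the schema stores instead of NULL when no lock-out is active.
    $noLockout = '0000-00-00 00:00:00';

    $userandsalt = $this->getUser($this->_username);
    // Unknown user: nothing to verify and nothing to count.
    if (!$userandsalt) {
        return false;
    }

    // The window has passed when no timestamp is stored or when
    // (timestamp + _timebashextend) lies in the past.
    $lockoutExpired = $userandsalt->cmsu_login_last_datetime == $noLockout
        || time() > strtotime("{$this->_timebashextend}", strtotime($userandsalt->cmsu_login_last_datetime));

    if ($userandsalt->cmsu_login_attempt >= $maxAttempts && !$lockoutExpired) {
        // Still locked: restart the window so the lock-out only ends once the
        // attempts stop.
        $this->updateUserBash($userandsalt->cmsu_id, array('cmsu_login_last_datetime' => date('Y-m-d H:i:s')));
        return 'basher';
    }

    // Verify the salted hash for this user only. Passing the value as the
    // second where() argument lets the query builder escape it.
    $safepassword = safepassword($this->_password, $userandsalt->cmsu_salt);
    $this->db
        ->select('*')
        ->from($this->_tablename)
        ->where('cmsu_id', $userandsalt->cmsu_id)
        ->where('cmsu_password', $safepassword)
        ->limit(1);
    $query = $this->db->get();

    if ($query->num_rows() <= 0) {
        // Wrong password: count it, and stamp the lock-out as soon as the new
        // count reaches the limit (one write instead of two).
        $attempts = $userandsalt->cmsu_login_attempt + 1;
        $bashUpdate = array('cmsu_login_attempt' => $attempts);
        if ($attempts >= $maxAttempts) {
            $bashUpdate['cmsu_login_last_datetime'] = date('Y-m-d H:i:s');
        }
        $this->updateUserBash($userandsalt->cmsu_id, $bashUpdate);
        return false;
    }

    $result = $query->row();
    $this->userid = $result->cmsu_id;

    // Right password, but the account is switched off.
    if ($result->cmsu_active == 0) {
        return 'non-active';
    }

    // Load the user's permissions.
    $this->acl->buildACL($result->cmsu_id);
    // Session payload (contents left as in the post).
    $data = array(
        'sorry-dit-is-prive' => 'maar het werkt wel',
    );
    // A successful login clears the failed-attempt state.
    $this->updateUserBash($this->userid, array('cmsu_login_attempt' => 0, 'cmsu_login_last_datetime' => $noLockout));
    $this->session->set_userdata($data);
    // Only non-superadmin logins are written to the log.
    if ($result->cmsu_superadmin != 1) {
        $this->logdata->log('De gebruiker ' . $result->cmsu_username . ' heeft ingelogd.', 'login');
    }
    return true;
}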
?>
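/**
 * Authenticates $this->_username / $this->_password and enforces a per-account
 * failed-attempt limit with a timed lock-out.
 *
 * cmsu_login_attempt counts consecutive wrong passwords. As soon as it reaches
 * the limit, cmsu_login_last_datetime is stamped and the account is locked for
 * $this->_timebashextend (a strtotime() relative offset). Every attempt made
 * while locked restarts the window. A correct password clears both columns.
 *
 * Changes against the posted version: the lock-out starts at the 5th wrong
 * password rather than the 6th (the new count is compared with the limit, and
 * the counter and timestamp are written in one update); the password query is
 * restricted to the looked-up user's cmsu_id; and the hash is passed to the
 * query builder as a where() value instead of being interpolated into SQL.
 *
 * @return bool|string true on success; false for an unknown user or a wrong
 *                     password; 'non-active' when the password is right but
 *                     the account is disabled; 'basher' while locked out.
 *                     'basher' and 'non-active' confirm that the account
 *                     exists, so callers should not echo them verbatim when
 *                     account enumeration matters. Because the lock-out is
 *                     per account, anyone who knows a username can keep that
 *                     account locked; a per-source limit would complement it
 *                     (not implemented here).
 */
public function auth_login()
{
    // Failed attempts at which the lock-out starts.
    $maxAttempts = 5;
    // Value the schema stores instead of NULL when no lock-out is active.
    $noLockout = '0000-00-00 00:00:00';

    $userandsalt = $this->getUser($this->_username);
    // Unknown user: nothing to verify and nothing to count.
    if (!$userandsalt) {
        return false;
    }

    // The window has passed when no timestamp is stored or when
    // (timestamp + _timebashextend) lies in the past.
    $lockoutExpired = $userandsalt->cmsu_login_last_datetime == $noLockout
        || time() > strtotime("{$this->_timebashextend}", strtotime($userandsalt->cmsu_login_last_datetime));

    if ($userandsalt->cmsu_login_attempt >= $maxAttempts && !$lockoutExpired) {
        // Still locked: restart the window so the lock-out only ends once the
        // attempts stop.
        $this->updateUserBash($userandsalt->cmsu_id, array('cmsu_login_last_datetime' => date('Y-m-d H:i:s')));
        return 'basher';
    }

    // Verify the salted hash for this user only. Passing the value as the
    // second where() argument lets the query builder escape it.
    $safepassword = safepassword($this->_password, $userandsalt->cmsu_salt);
    $this->db
        ->select('*')
        ->from($this->_tablename)
        ->where('cmsu_id', $userandsalt->cmsu_id)
        ->where('cmsu_password', $safepassword)
        ->limit(1);
    $query = $this->db->get();

    if ($query->num_rows() <= 0) {
        // Wrong password: count it, and stamp the lock-out as soon as the new
        // count reaches the limit (one write instead of two).
        $attempts = $userandsalt->cmsu_login_attempt + 1;
        $bashUpdate = array('cmsu_login_attempt' => $attempts);
        if ($attempts >= $maxAttempts) {
            $bashUpdate['cmsu_login_last_datetime'] = date('Y-m-d H:i:s');
        }
        $this->updateUserBash($userandsalt->cmsu_id, $bashUpdate);
        return false;
    }

    $result = $query->row();
    $this->userid = $result->cmsu_id;

    // Right password, but the account is switched off.
    if ($result->cmsu_active == 0) {
        return 'non-active';
    }

    // Load the user's permissions.
    $this->acl->buildACL($result->cmsu_id);
    // Session payload (contents left as in the post).
    $data = array(
        'sorry-dit-is-prive' => 'maar het werkt wel',
    );
    // A successful login clears the failed-attempt state.
    $this->updateUserBash($this->userid, array('cmsu_login_attempt' => 0, 'cmsu_login_last_datetime' => $noLockout));
    $this->session->set_userdata($data);
    // Only non-superadmin logins are written to the log.
    if ($result->cmsu_superadmin != 1) {
        $this->logdata->log('De gebruiker ' . $result->cmsu_username . ' heeft ingelogd.', 'login');
    }
    return true;
}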
?>
Toevoeging op 29/09/2014 17:20:00:
Opgelost door mijzelf.
Juiste code staat in de post (2e stuk code)