优化系统安全措施

application/admin/common/auth.php

@@ -253,12 +253,12 @@ return array(
 
         '102' => array("show"=>1,'name' => lang('menu/database_sql'), 'controller' => 'database',		'action' => 'sql'),
         '103' => array("show"=>1,'name' => lang('menu/database_rep'), 'controller' => 'database',		'action' => 'rep'),
-        '104' => array("show"=>1,'name' => lang('menu/database_inspect'), 'controller' => 'database',		'action' => 'inspect'),
     )),
     '11' => array('name' => lang('menu/apps'), 'icon' => 'xe621', 'sub' => array(
         '111' => array("show"=>1,'name' => lang('menu/addon'), 'controller' => 'addon',		'action' => 'index', 'param'=>''),
-
         '112' => array("show"=>1,'name' => lang('menu/urlsend'), 'controller' => 'urlsend',		'action' => 'index', 'param'=>''),
+        '113' => array("show"=>1,'name' => lang('menu/safety_file'), 'controller' => 'safety',		'action' => 'file', 'param'=>''),
+        '114' => array("show"=>1,'name' => lang('menu/safety_data'), 'controller' => 'safety',		'action' => 'data', 'param'=>''),
         '11200' => array("show"=>0,'name' => '--推送入口', 'controller' => 'urlsend',		'action' => 'push'),
         '11201' => array("show"=>0,'name' => '--百度主动推送', 'controller' => 'urlsend',		'action' => 'baidu_push'),
         '11202' => array("show"=>0,'name' => '--百度熊掌推送', 'controller' => 'urlsend',		'action' => 'baidu_bear'),

application/admin/controller/Database.php

@@ -298,101 +298,4 @@ class Database extends Base
         $this->assign('list',$list);
         return $this->fetch('admin@database/rep');
     }
-
-    public function inspect()
-    {
-        $param = input();
-        if ($param['ck']) {
-            $pre = config('database.prefix');
-            $schema = Db::query('select * from information_schema.columns where table_schema = ?', [config('database.database')]);
-            $col_list = [];
-            $sql = '';
-            foreach ($schema as $k => $v) {
-                $col_list[$v['TABLE_NAME']][$v['COLUMN_NAME']] = $v;
-            }
-            $tables = ['actor', 'art', 'gbook', 'link', 'topic', 'type', 'vod'];
-            $param['tbi'] = intval($param['tbi']);
-            if ($param['tbi'] >= count($tables)) {
-                mac_echo(lang('admin/database/clear_ok'));
-                die;
-            }
-
-            $check_arr = ["<script","<iframe","{php}","{:"];
-            $rel_val = [
-                [
-                    "/<script[\s\S]*?<\/(.*)>/is",
-                    "/<script[\s\S]*?>/is",
-                ],
-                [
-                    "/<iframe[\s\S]*?<\/(.*)>/is",
-                    "/<iframe[\s\S]*?>/is",
-                ],
-                [
-                    "/{php}[\s\S]*?{\/php}/is",
-                ],
-                [
-                    "/{:[\s\S]*?}/is",
-                ]
-            ];
-            mac_echo('<style type="text/css">body{font-size:12px;color: #333333;line-height:21px;}span{font-weight:bold;color:#FF0000}</style>');
-
-
-            foreach ($col_list as $k1 => $v1) {
-                $pre_tb = str_replace($pre, '', $k1);
-                $si = array_search($pre_tb, $tables);
-                if ($pre_tb !== $tables[$param['tbi']]) {
-                    continue;
-                }
-                mac_echo(lang('admin/database/check_tip1',[$k1]));
-                $where = [];
-                foreach ($v1 as $k2 => $v2) {
-                    if (strpos($v2['DATA_TYPE'], 'int') === false) {
-                        $where[$k2] = ['like', mac_like_arr(join(',', $check_arr)), 'OR'];
-                    }
-                }
-                if (!empty($where)) {
-                    $field = array_keys($where);
-                    $field[] = $tables[$si] . '_id';
-                    $list = Db::name($pre_tb)->field($field)->whereOr($where)->fetchSql(false)->select();
-
-                    mac_echo(lang('admin/database/check_tip2',[count($list)]));
-                    foreach ($list as $k3 => $v3) {
-                        $update = [];
-                        $col_id = $tables[$si] . '_id';
-                        $col_name = $tables[$si] . '_name';
-                        $val_id = $v3[$col_id];;
-                        $val_name = strip_tags($v3[$col_name]);
-                        $ck = false;
-                        $where2 = [];
-                        $where2[$col_id] = $val_id;
-                        foreach ($v3 as $k4 => $v4) {
-                            if ($k4 != $col_id) {
-                                $val = $v4;
-                                foreach ($check_arr as $kk => $vv) {
-                                    foreach($rel_val[$kk] as $k5=>$v5){
-                                        $val = preg_replace($v5, "", $val);
-                                    }
-                                }
-                                if ($val !== $v4) {
-                                    $update[$k4] = $val;
-                                    $ck = true;
-                                }
-                            }
-                        }
-
-                        if ($ck) {
-                            $r = Db::name($pre_tb)->where($where2)->update($update);
-                            mac_echo($val_id . '、' . $val_name . ' ok');
-                        }
-                    }
-                }
-            }
-
-            $param['tbi']++;
-            $url = url('database/inspect') . '?' . http_build_query($param);
-            mac_jump($url, 3);
-            exit;
-        }
-        return $this->fetch('admin@database/inspect');
-    }
 }

application/admin/controller/Safety.php

@@ -0,0 +1,171 @@
+<?php
+namespace app\admin\controller;
+use think\Db;
+
+class Safety extends Base
+{
+
+    var $_files;
+    public function __construct()
+    {
+        parent::__construct();
+    }
+
+    public function index()
+    {
+
+    }
+
+    protected function listDir($dir){
+        if(is_dir($dir)){
+            if ($dh = opendir($dir)) {
+                while (($file= readdir($dh)) !== false){
+                    $tmp = str_replace('//','/',mac_convert_encoding($dir.$file, "UTF-8", "GB2312"));
+                    if((is_dir($dir."/".$file)) && $file!="." && $file!=".."){
+                        $this->listDir($dir."/".$file."/");
+                    } else{
+                        if($file!="." && $file!=".."){
+                            $this->_files[$tmp] = ['md5'=>md5_file($dir.$file)];
+                        }
+                    }
+                }
+                closedir($dh);
+            }
+        }
+    }
+
+    public function file()
+    {
+        $param = input();
+        if($param['ck']){
+            mac_echo('<style type="text/css">body{font-size:12px;color: #333333;line-height:21px;}span{font-weight:bold;color:#FF0000}</style>');
+            $url = base64_decode("aHR0cDovL3VwZGF0ZS5tYWNjbXMubGEv") . "v10/mac_files_".config('version')['code'].'.html';
+            $html = mac_curl_get($url);
+            $json = json_decode($html,true);
+            if(!$json){
+                return $this->error(lang('admin/safety/file_msg1'));
+            }
+
+            $this->listDir('./');
+            if(!is_array($this->_files)){
+                return $this->error(lang('admin/safety/file_msg2'));
+            }
+
+            foreach($this->_files as $k=>$v){
+                $color = '';
+                $msg = 'ok';
+                if(empty($json[$k])){
+                    $color = 'BlueViolet';
+                    $msg = lang('admin/safety/file_msg3');
+                }
+                elseif($v['md5'] != $json[$k]['md5']){
+                    $color = 'red';
+                    $msg = lang('admin/safety/file_msg4');
+                }
+                if($color!='') {
+                    //$this->_files[$k]['jc'] = $color;
+                    mac_echo($k . '---' . "<font color=$color>" . $msg . '</font>');
+                }
+            }
+            exit;
+        }
+        return $this->fetch('admin@safety/file');
+    }
+
+    public function data()
+    {
+        $param = input();
+        if ($param['ck']) {
+            $pre = config('database.prefix');
+            $schema = Db::query('select * from information_schema.columns where table_schema = ?', [config('database.database')]);
+            $col_list = [];
+            $sql = '';
+            foreach ($schema as $k => $v) {
+                $col_list[$v['TABLE_NAME']][$v['COLUMN_NAME']] = $v;
+            }
+            $tables = ['actor', 'art', 'gbook', 'link', 'topic', 'type', 'vod'];
+            $param['tbi'] = intval($param['tbi']);
+            if ($param['tbi'] >= count($tables)) {
+                mac_echo(lang('admin/safety/data_clear_ok'));
+                die;
+            }
+
+            $check_arr = ["<script","<iframe","{php}","{:"];
+            $rel_val = [
+                [
+                    "/<script[\s\S]*?<\/(.*)>/is",
+                    "/<script[\s\S]*?>/is",
+                ],
+                [
+                    "/<iframe[\s\S]*?<\/(.*)>/is",
+                    "/<iframe[\s\S]*?>/is",
+                ],
+                [
+                    "/{php}[\s\S]*?{\/php}/is",
+                ],
+                [
+                    "/{:[\s\S]*?}/is",
+                ]
+            ];
+            mac_echo('<style type="text/css">body{font-size:12px;color: #333333;line-height:21px;}span{font-weight:bold;color:#FF0000}</style>');
+
+
+            foreach ($col_list as $k1 => $v1) {
+                $pre_tb = str_replace($pre, '', $k1);
+                $si = array_search($pre_tb, $tables);
+                if ($pre_tb !== $tables[$param['tbi']]) {
+                    continue;
+                }
+                mac_echo(lang('admin/safety/data_check_tip1',[$k1]));
+                $where = [];
+                foreach ($v1 as $k2 => $v2) {
+                    if (strpos($v2['DATA_TYPE'], 'int') === false) {
+                        $where[$k2] = ['like', mac_like_arr(join(',', $check_arr)), 'OR'];
+                    }
+                }
+                if (!empty($where)) {
+                    $field = array_keys($where);
+                    $field[] = $tables[$si] . '_id';
+                    $list = Db::name($pre_tb)->field($field)->whereOr($where)->fetchSql(false)->select();
+
+                    mac_echo(lang('admin/safety/data_check_tip2',[count($list)]));
+                    foreach ($list as $k3 => $v3) {
+                        $update = [];
+                        $col_id = $tables[$si] . '_id';
+                        $col_name = $tables[$si] . '_name';
+                        $val_id = $v3[$col_id];;
+                        $val_name = strip_tags($v3[$col_name]);
+                        $ck = false;
+                        $where2 = [];
+                        $where2[$col_id] = $val_id;
+                        foreach ($v3 as $k4 => $v4) {
+                            if ($k4 != $col_id) {
+                                $val = $v4;
+                                foreach ($check_arr as $kk => $vv) {
+                                    foreach($rel_val[$kk] as $k5=>$v5){
+                                        $val = preg_replace($v5, "", $val);
+                                    }
+                                }
+                                if ($val !== $v4) {
+                                    $update[$k4] = $val;
+                                    $ck = true;
+                                }
+                            }
+                        }
+
+                        if ($ck) {
+                            $r = Db::name($pre_tb)->where($where2)->update($update);
+                            mac_echo($val_id . '、' . $val_name . ' ok');
+                        }
+                    }
+                }
+            }
+
+            $param['tbi']++;
+            $url = url('safety/data') . '?' . http_build_query($param);
+            mac_jump($url, 3);
+            exit;
+        }
+        return $this->fetch('admin@safety/data');
+    }
+}

application/admin/view/safety/data.html

@@ -0,0 +1,39 @@
+{include file="../../../application/admin/view/public/head" /}
+
+<div class="page-container">
+    <form class="layui-form layui-form-pane" method="get" action="">
+        <input name="ck" value="1" type="hidden">
+        <div class="layui-tab">
+            <ul class="layui-tab-title">
+                <li class="layui-this">{:lang('admin/safety/data_inspect')}</li>
+            </ul>
+            <div class="layui-tab-content">
+                <div class="layui-tab-item layui-show">
+
+                    <div class="layui-input-block" >
+                        <blockquote class="layui-elem-quote layui-quote-nm">
+                            {:lang('admin/safety/data_inspect_tip')}
+                        </blockquote>
+                    </div>
+                </div>
+            </div>
+        </div>
+        <div class="layui-form-item center">
+            <div class="layui-input-block">
+                <button type="submit" class="layui-btn" >{:lang('admin/safety/exec')}</button>
+            </div>
+        </div>
+    </form>
+</div>
+
+{include file="../../../application/admin/view/public/foot" /}
+<script type="text/javascript">
+    $(function(){
+        $('.layui-btn').click(function(){
+            layer.msg("{:lang('wait_submit')}");
+        });
+    });
+</script>
+
+</body>
+</html>

application/admin/view/database/inspect.html → application/admin/view/safety/file.html

@@ -5,14 +5,13 @@
         <input name="ck" value="1" type="hidden">
         <div class="layui-tab">
             <ul class="layui-tab-title">
-                <li class="layui-this">{:lang('admin/database/inspect')}</li>
+                <li class="layui-this">{:lang('admin/safety/file_inspect')}</li>
             </ul>
             <div class="layui-tab-content">
                 <div class="layui-tab-item layui-show">
-
                     <div class="layui-input-block" >
                         <blockquote class="layui-elem-quote layui-quote-nm">
-                            {:lang('admin/database/inspect_tip')}
+                            {:lang('admin/safety/file_inspect_tip')}
                         </blockquote>
                     </div>
                 </div>
@@ -20,7 +19,7 @@
         </div>
         <div class="layui-form-item center">
             <div class="layui-input-block">
-                <button type="submit" class="layui-btn" >{:lang('admin/database/exec')}</button>
+                <button type="submit" class="layui-btn" >{:lang('admin/safety/exec')}</button>
             </div>
         </div>
     </form>
@@ -28,7 +27,11 @@
 
 {include file="../../../application/admin/view/public/foot" /}
 <script type="text/javascript">
-
+    $(function(){
+       $('.layui-btn').click(function(){
+           layer.msg("{:lang('wait_submit')}");
+       });
+    });
 </script>
 
 </body>

application/extra/version.php

@@ -3,7 +3,7 @@ return array (
     'name' => '苹果CMS内容管理系统',
     'copyright' => 'MacCMS',
     'url' => '//github.com/magicblack',
-    'code' => '2022.1000.3007',
+    'code' => '2022.1000.3008',
     'license' => '开源版',
 );
 ?>

application/lang/zh-cn.php

@@ -7,7 +7,7 @@
 *内部处理key：开头 model/、controller/、只在模块内使用
 */
 return [
-    'lang_ver'=>'3000+',
+    'lang_ver'=>'3008+',
     'hello'  => '欢迎使用',
     'maccms_name'=>'苹果CMS-v10',
     'maccms_copyright'=>'© MacCMS All Rights Reserved.',
@@ -583,7 +583,8 @@ https://www.baidu.com/123.jpg
     'menu/apps'=>'应用',
     'menu/addon'=>'应用市场',
     'menu/urlsend'=>'URL推送',
-
+    'menu/safety_file'=>'文件安全检测',
+    'menu/safety_data'=>'数据挂马检测',
 
     'model/admin/update_login_err'=>'更新登录信息失败',
     'model/admin/login_ok'=>'登录成功',
@@ -1707,17 +1708,30 @@ https://www.baidu.com/123.jpg
                         <br>
                         5.清空数据ID重新从1开始
                         TRUNCATE {pre}vod',
-    'admin/database/exec'=>'确认执行',
-    'admin/database/inspect'=>'挂马检测',
-    'admin/database/inspect_tip'=>'<strong>挂马检测3.0版本</strong><br>
+
+    'admin/safety/data_inspect'=>'挂马检测',
+    'admin/safety/data_inspect_tip'=>'<strong>挂马检测3.0版本</strong><br>
                             1，将对分类表，视频表，文章表，会员表等表结构进行检查。<br>
                             2，检测包含script,iframe等特殊字符串。<br>
                             3，将自动清除挂马代码。<br>
                             4，不能保证100%清除，如还有问题请自行进入phpmyadmin或其他数据库管理工具里清除。<br>
                             5，建议清理多次，直到没有出现问题数据。',
-    'admin/database/clear_ok'=>'清理结束,请再次执行,以免有漏掉的数据',
-    'admin/database/check_tip1'=>'开始检测%s表...',
-    'admin/database/check_tip2'=>'共检测到%s条危险数据...',
+    'admin/safety/data_clear_ok'=>'清理结束,请再次执行,以免有漏掉的数据',
+    'admin/safety/data_check_tip1'=>'开始检测%s表...',
+    'admin/safety/data_check_tip2'=>'共检测到%s条危险数据...',
+
+    'admin/safety/exec'=>'确认执行',
+    'admin/safety/file_inspect'=>'文件安全检测',
+    'admin/safety/file_inspect_tip'=>'<strong>安全检测3.0版本</strong><br>
+                            1，将对网站内所有文件进行比对筛选进行检查。<br>
+                            2，将原版程序包内自带文件将比对md5罗列出。<br>
+                            3，将原版程序包内没有的新增文件罗列出。<br>
+                            4，不能保证100%正确，如还有问题请到官网github提报。<br>
+                            5，建议多次检测，详细检查每个罗列出的文件。',
+    'admin/safety/file_msg1'=>'获取官方文件数据失败，请重试',
+    'admin/safety/file_msg2'=>'获取本地文件列表失败，请重试',
+    'admin/safety/file_msg3'=>'新增文件',
+    'admin/safety/file_msg4'=>'与原版有差异',
 
     'admin/link/title'=>'友情链接管理',
     'admin/link/text_link'=>'文字链接',

application/lang/zh-tw.php

@@ -7,7 +7,7 @@
 *內部處理key：開頭 model/、controller/、只在模塊內使用
 */
 return [
-    'lang_ver'=>'3000+',
+    'lang_ver'=>'3008+',
     'hello'  => '歡迎使用',
     'maccms_name'=>'蘋果CMS-v10',
     'maccms_copyright'=>'© MacCMS All Rights Reserved.',
@@ -583,7 +583,8 @@ https://www.baidu.com/123.jpg
     'menu/apps'=>'應用',
     'menu/addon'=>'應用市場',
     'menu/urlsend'=>'URL推送',
-
+    'menu/safety_file'=>'文件安全檢測',
+    'menu/safety_data'=>'數據掛馬檢測',
 
     'model/admin/update_login_err'=>'更新登錄信息失敗',
     'model/admin/login_ok'=>'登錄成功',
@@ -1707,17 +1708,30 @@ https://www.baidu.com/123.jpg
                         <br>
                         5.清空數據ID重新從1開始
                         TRUNCATE {pre}vod',
-    'admin/database/exec'=>'確認執行',
-    'admin/database/inspect'=>'掛馬檢測',
-    'admin/database/inspect_tip'=>'<strong>掛馬檢測3.0版本</strong><br>
+
+    'admin/safety/data_inspect'=>'掛馬檢測',
+    'admin/safety/data_inspect_tip'=>'<strong>掛馬檢測3.0版本</strong><br>
                             1，將對分類表，視頻表，文章表，會員表等表結構進行檢查。<br>
                             2，檢測包含script,iframe等特殊字符串。<br>
                             3，將自動清除掛馬代碼。<br>
                             4，不能保證100%清除，如還有問題請自行進入phpmyadmin或其他數據庫管理工具裏清除。<br>
                             5，建議清理多次，直到沒有出現問題數據。',
-    'admin/database/clear_ok'=>'清理結束,請再次執行,以免有漏掉的數據',
-    'admin/database/check_tip1'=>'開始檢測%s表...',
-    'admin/database/check_tip2'=>'共檢測到%s條危險數據...',
+    'admin/safety/data_clear_ok'=>'清理結束,請再次執行,以免有漏掉的數據',
+    'admin/safety/data_check_tip1'=>'開始檢測%s表...',
+    'admin/safety/data_check_tip2'=>'共檢測到%s條危險數據...',
+
+    'admin/safety/exec'=>'確認執行',
+    'admin/safety/file_inspect'=>'文件安全檢測',
+    'admin/safety/file_inspect_tip'=>'<strong>安全檢測3.0版本</strong><br>
+                            1，將對網站內所有文件進行比對篩選進行檢查。<br>
+                            2，將原版程序包內自帶文件將比對md5羅列出。<br>
+                            3，將原版程序包內沒有的新增文件羅列出。<br>
+                            4，不能保證100%正確，如還有問題請到官網github提報。<br>
+                            5，建議多次檢測，詳細檢查每個羅列出的文件。',
+    'admin/safety/file_msg1'=>'獲取官方文件數據失敗，請重試',
+    'admin/safety/file_msg2'=>'獲取本地文件列表失敗，請重試',
+    'admin/safety/file_msg3'=>'新增文件',
+    'admin/safety/file_msg4'=>'與原版有差異',
 
     'admin/link/title'=>'友情鏈接管理',
     'admin/link/text_link'=>'文字鏈接',