<?php
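// Refuse direct requests to this file. ABSPATH is defined by WordPress during
// bootstrap, so when it is missing the file is being hit outside WordPress.
// status_header() is itself a WordPress function and is normally not loaded
// in that situation; calling it unconditionally would die with a fatal
// "undefined function" (a 500, and with display_errors on, the file path)
// instead of the intended 404. Fall back to PHP's own http_response_code().
if ( ! defined( 'ABSPATH' ) ) {
	if ( function_exists( 'status_header' ) ) {
		status_header( 404 );
	} else {
		http_response_code( 404 );
	}
	exit;
}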
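/**
 * Request exploit-signature check.
 *
 * Scans every top-level value of $_REQUEST for a small, fixed set of attack
 * signatures -- PHP "eval(base64_decode(" shells, JavaScript
 * "document.write(String.fromCharCode" droppers and "UNION ALL SELECT" SQL
 * injection -- and returns a short, HTML-escaped reason string on the first
 * hit, or false when nothing matches.
 *
 * Limits a practitioner should keep in mind before relying on this check:
 *  - Matching is a plain case-insensitive substring test (stripos). It is a
 *    cheap heuristic, not a parser: added whitespace or comments inside the
 *    signature, or a second layer of URL encoding, slips past it, because
 *    only one extra urldecode() pass is made on top of PHP's own decoding.
 *  - Which sources make up $_REQUEST (GET, POST and possibly COOKIE) depends
 *    on the request_order / variables_order ini settings, so cookie values
 *    are scanned on some hosts and not on others.
 *  - The returned reason embeds attacker-controlled bytes. They are HTML
 *    entity-escaped, which suits an HTML log view; any other sink
 *    (plain-text log, e-mail, JSON) needs its own escaping.
 */
class chkexploits {

	/**
	 * Number of bytes of the offending value, starting at the matched
	 * signature, that are copied into the returned reason. Keeps the reason
	 * (and whatever logs it) bounded on oversized requests while still
	 * showing the signature itself plus some context after it.
	 */
	const EXCERPT_LENGTH = 64;

	/**
	 * Signature => reason label, tested in this order.
	 *
	 * Signatures are lower-case; stripos() folds case at match time. The
	 * first one is assembled from fragments, presumably so this file's own
	 * source does not trip malware scanners that grep for the literal
	 * string -- keep it split.
	 *
	 * @var array<string, string>
	 */
	private static $attack_patterns = array(
		'eval' . '(base64' . '_decode('      => 'Eval Attack',
		'document.write(string.fromcharcode' => 'Offset String Attack',
		'union all select'                   => 'SQL Inject Attack',
	);

	/**
	 * Entry point called by the check pipeline.
	 *
	 * @param string $ip      Remote address (unused here; part of the shared
	 *                        check-module signature).
	 * @param array  $stats   Shared stats, by reference (unused here).
	 * @param array  $options Plugin options, by reference (unused here).
	 * @param array  $post    Parsed post data, by reference (unused here; the
	 *                        raw $_REQUEST is scanned instead so GET
	 *                        parameters are covered as well).
	 * @return string|false   Reason such as "Eval Attack: <excerpt>" for the
	 *                        first value matching a signature; false when no
	 *                        value matches or the request is empty.
	 */
	public function process( $ip, &$stats = array(), &$options = array(), &$post = array() ) {
		// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Exploit detection runs before nonce verification as part of security layer
		$request = array_map( 'wp_unslash', $_REQUEST );
		if ( empty( $request ) ) {
			return false;
		}

		foreach ( $request as $value ) {
			$reason = $this->scan_value( $value );
			if ( false !== $reason ) {
				return $reason;
			}
		}

		return false;
	}

	/**
	 * Test one request value against every signature.
	 *
	 * @param mixed $value One entry of $_REQUEST (string, scalar or nested array).
	 * @return string|false Reason for the first matching signature, false if none.
	 */
	private function scan_value( $value ) {
		if ( is_array( $value ) ) {
			// Flatten nested fields (e.g. form[a][b]) into one string so a
			// signature buried in a sub-array is still seen.
			// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r -- Converting array to string for exploit pattern matching
			$value = print_r( $value, true );
		}

		// PHP already URL-decoded the request once; decoding a second time
		// exposes payloads that were encoded inside the field value. Deeper
		// (double/triple) encoding is not unwrapped.
		$value = urldecode( (string) $value );
		// Same normalisation WordPress applies to text fields (tags, invalid
		// UTF-8 and stray whitespace removed) before matching.
		$value = sanitize_text_field( $value );

		foreach ( self::$attack_patterns as $pattern => $label ) {
			$offset = stripos( $value, $pattern );
			if ( false === $offset ) {
				continue;
			}

			// Quote the signature itself plus a bounded tail (the previous
			// code dropped the first 24 bytes, which could be the signature,
			// and echoed the unbounded remainder). substr() is byte-wise and
			// may split a multi-byte character at the end of the window;
			// ENT_SUBSTITUTE turns that into U+FFFD rather than making
			// htmlentities() return an empty string and lose the evidence.
			$excerpt = substr( $value, $offset, self::EXCERPT_LENGTH );
			return $label . ': ' . htmlentities( $excerpt, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
		}

		return false;
	}
}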
?>