Common ways of getting the user's IP address in PHP, and a common security pitfall (HTTP_X_FORWARDED_FOR)

Source: Internet
Author: User
Tags: get ip, php, server
Analysis process

This comes from a number of projects that capture the user's IP address in order to record user actions; it is a common need and used often. You will usually see the following "universal" get-IP method:

function GetIP() {
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
        $realip = $_SERVER['HTTP_CLIENT_IP'];
    } else {
        $realip = $_SERVER['REMOTE_ADDR'];
    }
    return $realip;
}


This is the get-IP function commonly found online. Before using these values to obtain an IP, we must first find out where each of them actually comes from.

Where the IP values come from

1. REMOTE_ADDR is the remote IP taken from the TCP connection, i.e. the address of the peer that connected to the server. It is the most reliable of the three, but it only ever gives the IP of the client that connected directly to the server. If the user goes through a proxy server, what you get is the proxy server's IP.

For example: A -> B (proxy) -> C. If C reads REMOTE_ADDR, it can only get B's IP; it cannot get A's.

On the other hand, this value is hard to tamper with: it is generated by the server itself from the TCP connection, not taken from anything the client sends.

2. HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are meant to carry the original user IP, or a proxy IP, across a larger network. They are extensions to the HTTP protocol, defined as entity headers.

HTTP_X_FORWARDED_FOR = clientip, proxy1, proxy2, with the IPs separated by ",". HTTP_CLIENT_IP, with a high-anonymity proxy, represents the proxy server's IP. Because these are HTTP extension headers, the value is whatever the sending side provides: the server simply trusts the sender to fill it in in the agreed format. The following takes X-Forwarded-For as an example to show how the value changes under normal conditions.




Analyzing the risk points:

From the analysis above we have found that these variables actually come from HTTP request headers: the X-Forwarded-For field and the Client-IP field. A well-behaved proxy server will of course pass these values on in the format the convention expects. But what happens when a user constructs the X-Forwarded-For value directly and sends it to the server?

Figure (1)

Step 2: modify the X-Forwarded-For value and look at the result.

Step 3: modify it again and see what happens.

Ha, look at the results above: not only can the client set X-Forwarded-For itself, it can set a value in any format at all. This is just like having a field into which anything can be written directly, which the server then reads, writes to the database, or displays. That is a risk: this input generally receives no filtering or validation, so the effect is the same as controlling the data source directly, and it is easy to overlook.
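As an added example (not from the original article), the following PHP script simulates the A -> B (proxy) -> C chain described earlier: it shows how X-Forwarded-For accumulates one hop at a time, and what the article's GetIP() returns for an honest client versus a client that seeds the header itself, which is what the screenshots above demonstrate with a browser plugin. The proxy model and all addresses are constructed sample values; the same forged request can be sent from a shell with curl's -H option.

```php
<?php
// Added example, not part of the original article. Simulates how
// X-Forwarded-For changes across A -> B (proxy) -> C and what the
// article's GetIP() returns. All IPs are constructed sample values.

// The article's vulnerable function, reproduced for comparison. It takes
// the server array as a parameter so it can be run offline.
function GetIP(array $server): string
{
    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
        $realip = $server['HTTP_X_FORWARDED_FOR'];
    } elseif (isset($server['HTTP_CLIENT_IP'])) {
        $realip = $server['HTTP_CLIENT_IP'];
    } else {
        $realip = $server['REMOTE_ADDR'];
    }
    return $realip;
}

// Model one proxy hop following the de-facto X-Forwarded-For convention:
// the proxy appends the address it saw the request come from, and the next
// hop's REMOTE_ADDR becomes the proxy's own address. A proxy does not
// inspect or clean what the client already put in the header.
function proxyHop(array $server, string $proxyIp): array
{
    $seen = $server['REMOTE_ADDR'];
    $server['HTTP_X_FORWARDED_FOR'] = isset($server['HTTP_X_FORWARDED_FOR'])
        ? $server['HTTP_X_FORWARDED_FOR'] . ', ' . $seen
        : $seen;
    $server['REMOTE_ADDR'] = $proxyIp;
    return $server;
}

// Case 1: honest client A (203.0.113.10) through proxy B (198.51.100.1).
$honest = ['REMOTE_ADDR' => '203.0.113.10'];
$honest = proxyHop($honest, '198.51.100.1');
// At C: REMOTE_ADDR = 198.51.100.1, X-Forwarded-For = "203.0.113.10"
echo "honest : ", GetIP($honest), PHP_EOL;   // 203.0.113.10

// Case 2: the same client sends a forged header before reaching the proxy.
// The proxy appends the real address, but GetIP() returns the whole string,
// junk first, straight into whatever SQL or HTML uses it.
$forged = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => "127.0.0.1' OR 1=1 --",
];
$forged = proxyHop($forged, '198.51.100.1');
// At C: X-Forwarded-For = "127.0.0.1' OR 1=1 --, 203.0.113.10"
echo "forged : ", GetIP($forged), PHP_EOL;

// Case 3: no proxy at all; the client connects to C directly with a fake
// header. REMOTE_ADDR is correct, yet GetIP() reports the attacker's choice,
// which is how per-IP vote or rate limits get bypassed.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1',
];
echo "direct : ", GetIP($direct), PHP_EOL;   // 10.0.0.1
```

Note that in case 2 the proxy did append the correct client address, but only at the end of the list; everything to its left is attacker-supplied, which is why "first entry in X-Forwarded-For" is not a safe definition of the client IP either.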

Conclusion:

With the GetIP function above, not only can the client forge an arbitrary IP, it can also pass in an "IP" in any format. This leads to two major problems. First, if a page enforces a per-IP restriction, the other side can simply change the IP and keep requesting the page. Second, if this data is used directly, it brings SQL injection, cross-site scripting and similar vulnerabilities. For the first problem, enforce the restriction at the business level; preferably do not rely on IP restrictions at all. The second class of problem can do enormous harm and must be fixed.

GetIP needs to be modified into a secure getip function.
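The article does not show the fixed function, so here is one way to write it, as an added example and not the author's code. The idea is the one the analysis leads to: REMOTE_ADDR is the only value the server generates itself, so X-Forwarded-For is consulted only when REMOTE_ADDR is one of our own proxies, the list is read from the right (the hop our proxy appended) rather than from the left (whatever the client typed), and every candidate must validate as an IP before it is returned. The $trustedProxies list and all addresses are assumed, site-specific sample values.

```php
<?php
// Added example (not the article's own code): a getClientIp() that only
// believes X-Forwarded-For when the request arrived through a proxy we run.
// $trustedProxies is an assumed, site-specific list; the IPs are constructed.

/**
 * Return the client IP the application may rely on.
 *
 * Rules:
 *  1. REMOTE_ADDR comes from the TCP connection and is always the fallback.
 *  2. X-Forwarded-For is consulted only if REMOTE_ADDR is one of our proxies.
 *  3. The list is walked from the right (closest hop first); the first entry
 *     that is not a trusted proxy is the client. Everything left of it was
 *     supplied by untrusted parties and is ignored.
 *  4. Every candidate must pass filter_var() as an IP, so "1=1 --" style
 *     values never reach SQL or HTML.
 */
function getClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        // Should not happen on a real SAPI, but never return attacker data.
        return '0.0.0.0';
    }
    if (!in_array($remote, $trustedProxies, true)) {
        // Direct connection: any forwarding header is whatever the client typed.
        return $remote;
    }
    $raw  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_map('trim', explode(',', $raw));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // Malformed entry: stop trusting anything further left.
            break;
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    // Header empty or unusable: the proxy's own address is the best answer.
    return $remote;
}

$trusted = ['198.51.100.1'];   // assumed: our own reverse proxy

// Direct client forging the header: header ignored, TCP address wins.
var_dump(getClientIp(
    ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'],
    $trusted));                                   // string "203.0.113.10"

// Honest client behind our proxy: the proxy-appended entry is used.
var_dump(getClientIp(
    ['REMOTE_ADDR' => '198.51.100.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'],
    $trusted));                                   // string "203.0.113.10"

// Client seeded junk, proxy appended the real address: junk is discarded.
var_dump(getClientIp(
    ['REMOTE_ADDR'          => '198.51.100.1',
     'HTTP_X_FORWARDED_FOR' => "127.0.0.1' OR 1=1 --, 203.0.113.10"],
    $trusted));                                   // string "203.0.113.10"
```

HTTP_CLIENT_IP is deliberately not consulted at all: unless you know your proxy sets it, it is just another client-controlled header. The returned value is still only as trustworthy as the proxy that appended the last entry, so the per-IP restriction the article discusses should key on this function's result and, as the article advises, not be the only control.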

This kind of problem is in fact very easy to run into; I have used it myself to forge a lot of votes. It is well hidden, but as long as we trace where each value comes from and understand the principle behind it, fixing bugs like this becomes very easy.

As a digression: doing technical work has three steps. First get it done and the problem solved; then think about why it is done that way and what the underlying principle is; finally, ask how else it could be done and whether there are other approaches. Keep asking yourself these questions and you will find yourself getting closer to the technical truth, and more and more at ease with it.

Author: Chengmo qq:8292669
