Let's take a look at a piece of ASP code first:
Function getIP()
    Dim strIPAddr
    ' Fall back to the TCP peer only when X-Forwarded-For is absent or contains "unknown";
    ' otherwise the header value is trusted as-is
    If Request.ServerVariables("HTTP_X_FORWARDED_FOR") = "" Or InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), "unknown") > 0 Then
        strIPAddr = Request.ServerVariables("REMOTE_ADDR")
    ElseIf InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ",") > 0 Then
        ' Several hops listed: take the first (left-most) entry
        strIPAddr = Mid(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), 1, InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ",") - 1)
    ElseIf InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ";") > 0 Then
        strIPAddr = Mid(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), 1, InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ";") - 1)
    Else
        strIPAddr = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    End If
    ' Cap the result at 30 characters and strip surrounding whitespace
    getIP = Trim(Mid(strIPAddr, 1, 30))
End Function
This code is meant to obtain the client's real IP address: when the client goes through a transparent HTTP proxy, the client's real IP is returned; through an anonymous proxy, the proxy's IP is returned; and with no proxy, the client's own IP is returned.
Think about why the code can recover the real IP address behind a transparent proxy. Does the non-transparent proxy really not send our real IP address? Let's set up a local transparent proxy and capture the packets:
GET /test/ipSpoof/test.asp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; TencentTraveler; .NET CLR 1.1.4322)
Host: localhost
Connection: Keep-Alive
Cookie: tc_total_cookie_datetime_14734=2006-5-29%2010%3A45%3A26; PJBlog25Setting=ViewType=list; ASPSESSIONIDQQQGQMDQ=HLGHFEADMMDPHAFJDHBLBOPD
X-Forwarded-For: 10.0.0.54
Haha, our real IP address is sent along by the proxy server in the X-Forwarded-For header. So if we modify the value of X-Forwarded-For before submitting the request... hey, any "real" IP address can be forged.
The figure shows the IP address of the bachelor I forged on a blog. ^_^
Once the "real" IP address can be forged, many things become possible. The simplest is posting comments from any IP address you like; an administrator who sees an IP address of 123.456.789.000 in the logs will be left scratching their head.
Going further, it should be possible to bypass IP-based restrictions, and the header is also a path for cross-site scripting and SQL injection, though whether that works depends on the specific program code.
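To make the weakness in getIP() concrete, here is the same parsing logic re-implemented in Python beside a hardened variant that only honours X-Forwarded-For when the TCP peer is a known proxy of our own and then takes the right-most untrusted hop. This is an added example, not code from the original post; TRUSTED_PROXIES and the sample requests are constructed for illustration.

```python
import ipaddress

# Constructed: address of our own reverse proxy; anything else talks to us directly.
TRUSTED_PROXIES = {"10.0.0.1"}


def get_ip_naive(env):
    """Mirror of the post's ASP getIP(): trusts X-Forwarded-For from anyone."""
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    if xff == "" or "unknown" in xff:
        ip = env["REMOTE_ADDR"]
    elif "," in xff:
        ip = xff.split(",", 1)[0]   # first hop = whatever the client wrote
    elif ";" in xff:
        ip = xff.split(";", 1)[0]
    else:
        ip = xff
    return ip[:30].strip()          # Trim(Mid(strIPAddr, 1, 30))


def get_ip_hardened(env):
    """Honour X-Forwarded-For only when the peer is our proxy, then use the
    right-most hop that is not itself one of our proxies, and validate it."""
    peer = env["REMOTE_ADDR"]
    if peer not in TRUSTED_PROXIES:
        return peer                 # direct connection: header is untrusted
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):      # the proxy appends the true client last
        if hop in TRUSTED_PROXIES:
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break                   # forged or malformed value: ignore header
    return peer


if __name__ == "__main__":
    # Constructed requests: a direct client forging the header, and a real
    # client behind our proxy that also tried to inject a fake first hop.
    forged = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED_FOR": "123.456.789.000"}
    proxied = {"REMOTE_ADDR": "10.0.0.1", "HTTP_X_FORWARDED_FOR": "1.2.3.4, 198.51.100.7"}
    for req in (forged, proxied):
        print(get_ip_naive(req), "->", get_ip_hardened(req))
```

For the forged request the naive version reports 123.456.789.000 while the hardened one reports the real peer 203.0.113.9; for the proxied request the naive version returns the injected 1.2.3.4 and the hardened one returns 198.51.100.7.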