Discuz, like many forum systems, binds each session to an IP address so that a stolen session ID alone is not enough for session hijacking. The main session authentication mechanism of Discuz is as follows:
/include/common.inc.php
Line 136: the central part of session verification is the query that looks up the SID in the sessions table, and a key condition of that query is $onlineip. If $onlineip does not match the IP stored for that row (ip1..ip4) in the sessions table, the saved session is not found and the request is not treated as that logged-in user.
---------------------------
See the following code:
if($sid) {
    if($discuz_uid) {
        // Load the session by SID and require that the IP octets stored with it
        // (ip1..ip4) match the address computed for this request in $onlineip.
        $query = $db->query("SELECT s.sid, s.styleid, s.groupid=6 AS ipbanned, s.pageviews AS spageviews, s.lastolupdate, s.seccode, $membertablefields
            FROM {$tablepre}sessions s, {$tablepre}members m
            WHERE m.uid=s.uid AND s.sid='$sid' AND CONCAT_WS('.', s.ip1, s.ip2, s.ip3, s.ip4)='$onlineip' AND m.uid='$discuz_uid'
            AND m.password='$discuz_pw' AND m.secques='$discuz_secques'");
        // ... remainder of the session check
    }
}
Line 79: $onlineip is taken first from the HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR request headers, and only falls back to REMOTE_ADDR (the actual transport peer address) when neither header is present:
------------------------------------------------------------------------------
// Client-supplied headers are consulted before the real peer address.
if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
    $onlineip = getenv('REMOTE_ADDR');
} elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
    $onlineip = $_SERVER['REMOTE_ADDR'];
}
PS: Because HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are ordinary request headers set by the client, forging them is enough to bypass the IP binding: the forged value becomes $onlineip and matches the IP stored with the session.
So after this simple bit of deception the session can be hijacked after all...
Of course, this is a bad thing!!!
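As an added example (not code from Discuz or from the original post), here is a hardened way to derive the address used for session binding: take the transport peer address, ignore HTTP_CLIENT_IP entirely, and honour X-Forwarded-For only when the request came in from a configured reverse proxy. The trusted proxy list and the sample requests are constructed placeholders.

```php
<?php
// Added example: derive the client IP for session binding safely.
// Assumption: $trusted_proxies is operator-configured; these are placeholder addresses.
$trusted_proxies = ['10.0.0.5', '10.0.0.6'];

function client_ip_for_session(array $server, array $trusted_proxies)
{
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return ''; // no usable peer address: the caller should refuse the session
    }
    // Request came straight from the client: forwarding headers are attacker-controlled,
    // so they are ignored and the real peer address is bound to the session.
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;
    }
    // Request came via a trusted proxy: walk X-Forwarded-For from the right,
    // skipping our own proxies, and bind the first address that is not one of them.
    $xff = isset($server['HTTP_X_FORWARDED_FOR']) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed or empty header: fall back to the proxy address
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed sample requests.
// A direct client sending forged headers: the forged values are discarded.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_CLIENT_IP'       => '198.51.100.9',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9',
];
// The same client reaching the forum through the trusted proxy 10.0.0.5.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.6',
];

echo "direct:  " . client_ip_for_session($direct, $trusted_proxies) . "\n";
echo "proxied: " . client_ip_for_session($proxied, $trusted_proxies) . "\n";
```

The value returned here is what should be stored in ip1..ip4 at login and compared in the line 136 query, so a client cannot choose the address it is bound to.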