Requirements:
A site that uses X-Forwarded-For
Basic knowledge of SQLi (string based)
Live HTTP Headers
Introduction:
X-Forwarded-For is often used to get the IP of a user even when they are behind a proxy.
Example and explanation:
PHP Code:
// First half of getip(): pick the client-supplied header if present,
// otherwise fall back to the TCP peer address. The function continues below.
function getip()
{
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
This code creates an $ip variable holding what the site takes to be the real IP.
PHP Code:
    // Second half of getip(): the "validation" step. The regex is anchored
    // only at the start (^), so anything may follow the four dotted numbers.
    if (preg_match("#^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#", $ip))
    {
        return $ip;
    }
    else
    {
        return $_SERVER['REMOTE_ADDR'];
    }
}
This code checks whether the value is a real IP, but the check is flawed. Why?
Because a regex has a beginning and an end: the beginning anchor is ^ and the end anchor is $, and here the $ is missing, so the regex only checks the beginning of the string. If your IP is 127.0.0.1 the regex returns true, but if the header is 127.0.0.1 followed by whatever you want, the regex returns true too.
PHP code that is vulnerable:
PHP Code:
// SQL() is the site's own escaping helper (not shown on this page) and is
// applied to the username; the value returned by getip() is concatenated
// into the query with no escaping at all.
$req = mysql_query("SELECT username, password FROM admin WHERE username='" . SQL($_POST['username']) . "' AND password='" . md5($_POST['Password']) . "' AND ip='" . getip() . "'");
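The following is an added example, not code from the tutorial or from the site it describes. It shows the two fixes a defender would make to the code above: validate the whole header value (the tutorial's regex with both anchors, or filter_var(), which checks the entire string), and pass the result to the query as a bound parameter instead of concatenating it. It assumes a mysqli connection in $db, the same admin(username, password, ip) table the tutorial queries, and a reverse proxy at the placeholder address 10.0.0.1.

```php
<?php
// Added example (not the tutorial's own code). Assumes a mysqli connection in
// $db and that 10.0.0.1 is a placeholder for your own reverse proxy.

// The tutorial's regex, shown only for contrast: without a trailing $ it
// matches any string that merely *starts* with four dotted numbers.
function unanchored_check($candidate)
{
    return preg_match('#^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#', $candidate) === 1;
}

// Same regex with both anchors: the whole value must be the dotted quad.
function anchored_check($candidate)
{
    return preg_match('#^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$#', $candidate) === 1;
}

// filter_var() validates the complete string as an IPv4 or IPv6 address, so a
// value with anything appended after the address is rejected outright.
function is_valid_ip($candidate)
{
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false;
}

function getip_hardened()
{
    // X-Forwarded-For is client-controlled. Only believe it when the request
    // arrived from a proxy you operate, and then take only the entry that
    // proxy appended (the last one), which is the address it actually saw.
    $trusted_proxies = ['10.0.0.1']; // assumption: your reverse proxy
    $remote = $_SERVER['REMOTE_ADDR'];
    if (in_array($remote, $trusted_proxies, true) && isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $parts = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
        $candidate = end($parts);
        if (is_valid_ip($candidate)) {
            return $candidate;
        }
    }
    return $remote;
}

// Even a validated IP goes in as a bound parameter, never by concatenation.
// $password_hash is whatever the site stores (the tutorial uses md5()).
function find_admin(mysqli $db, $username, $password_hash, $ip)
{
    $stmt = $db->prepare('SELECT username, password FROM admin WHERE username = ? AND password = ? AND ip = ?');
    $stmt->bind_param('sss', $username, $password_hash, $ip);
    $stmt->execute();
    $stmt->bind_result($u, $p);
    $row = $stmt->fetch() ? ['username' => $u, 'password' => $p] : null;
    $stmt->close();
    return $row;
}

// Constructed header value: a valid address with the single quote the
// tutorial appends. Only the unanchored check lets it through.
$probe = "127.0.0.1'";
var_dump(unanchored_check($probe)); // bool(true)
var_dump(anchored_check($probe));   // bool(false)
var_dump(is_valid_ip($probe));      // bool(false)
```

The trusted-proxy check matters independently of the regex: if the application is reachable without going through your proxy, any client can set X-Forwarded-For to an arbitrary value, so a syntactically valid address is still not evidence of the client's identity.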
Exploitation:
First open Live HTTP Headers, then refresh the page.
Note that the injection will be string based.
Now click on the URL, then click on Replay and add:
Code: X-Forwarded-For: 127.0.0.1
Then add a quote after your IP address, and an error like the one below will be displayed:
Now do your injection as a normal string-based one; the most important thing to understand is that the injection point is your IP in X-Forwarded-For.
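From the server side, the procedure above leaves a visible trace: an X-Forwarded-For value that is not a well-formed address, typically arriving from a source that is not one of your proxies. The following is an added example, not part of the tutorial, that scans access log lines for exactly that. It assumes a log format whose last double-quoted field is $http_x_forwarded_for (as in a custom nginx log_format), that 10.0.0.1 is a placeholder for your own reverse proxy, and the log lines themselves are constructed.

```php
<?php
// Added example (not part of the tutorial). Flags log lines whose
// X-Forwarded-For value is malformed or was supplied by a non-proxy source.

$trusted_proxies = ['10.0.0.1']; // assumption: addresses of your own reverse proxies

// Split one combined-format line into the peer address and its quoted fields.
// In the assumed format the quoted fields are: request line, referer,
// user agent, X-Forwarded-For, so the last quoted field is the header.
function parse_line($line)
{
    if (!preg_match_all('/"((?:[^"\\\\]|\\\\.)*)"/', $line, $m)) {
        return null;
    }
    $fields = $m[1];
    return ['source' => strtok($line, ' '), 'request' => $fields[0], 'xff' => end($fields)];
}

// Return a list of human-readable findings for one line (empty if clean).
function xff_findings($line, array $trusted_proxies)
{
    $rec = parse_line($line);
    if ($rec === null || $rec['xff'] === '-' || $rec['xff'] === '') {
        return [];
    }
    $findings = [];
    // A header that did not come through your proxy was set by the client.
    if (!in_array($rec['source'], $trusted_proxies, true)) {
        $findings[] = 'X-Forwarded-For supplied by non-proxy source ' . $rec['source'];
    }
    // Every comma-separated hop must be a complete, valid IP address.
    foreach (array_map('trim', explode(',', $rec['xff'])) as $entry) {
        if (filter_var($entry, FILTER_VALIDATE_IP) === false) {
            $findings[] = 'malformed X-Forwarded-For entry: ' . $entry;
        }
    }
    return $findings;
}

// Constructed sample log: a normal request, the quote-appended probe from the
// tutorial, and a header sent directly by a client that bypassed the proxy.
$sample_log = [
    '10.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.5"',
    '10.0.0.1 - - [10/Oct/2023:13:55:40 +0000] "POST /admin/login.php HTTP/1.1" 500 0 "-" "Mozilla/5.0" "203.0.113.5\'"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /admin/login.php HTTP/1.1" 200 512 "-" "curl/8.0" "127.0.0.1"',
];

foreach ($sample_log as $line) {
    foreach (xff_findings($line, $trusted_proxies) as $finding) {
        echo $finding, " | ", $line, "\n";
    }
}
```

Only the second and third lines produce findings: the second for the trailing quote, the third because the header arrived from a source that is not a trusted proxy. A 500 response paired with a malformed header, as in the second line, is the server-side counterpart of the error message the tutorial relies on.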
Hope you learned something new.
Author: http://hi.baidu.com/evilrapper/blog/item/518068a2b7b3148ccbefd0c5.html