In the past two weeks, I helped a friend's relative's child brush votes. Who told us to be programmers? Along the way I also ran into requests like reinstalling the system, cleaning out dust, shopping on Taobao, stealing QQ accounts, downloading movies, why some piece of software won't run, and so on. If you say no, they say: your computer skills are so good, and you can't solve this?
Vote brushing runs into various restrictions: registered-user checks, verification codes (CAPTCHAs), and IP restrictions. The voting site in question had an IP restriction. To get around the limit, we first need to understand how the site obtains the user's IP. In PHP the usual candidates are:
```php
getenv('HTTP_X_FORWARDED_FOR');
getenv('HTTP_CLIENT_IP');
getenv('REMOTE_ADDR');
```
HTTP_X_FORWARDED_FOR
This value comes from the X-Forwarded-For request header, and its format is `A ip, B ip, C ip`. There are two reasons a request carries it:
The site uses load balancing because of heavy traffic, so a load balancer (reverse proxy) sits in front of the application and users never connect to the application directly; the balancer appends the IP that connected to it to this header.
The user accesses the site through one or more proxies.
Suppose the user starts out from IP A. Each proxy layer appends one more IP at the end, separated by commas, until the request reaches the real web container. Because the value comes from the request header, everything that was already in it before the request hit the site's own load balancer is client-controlled and can be forged. So IP A is not necessarily the user's real IP. In our case, the only entry that can be trusted is the one the load balancer itself appended: the IP that actually opened the connection to it. That entry is at least correct. It may still be the user's proxy IP rather than the real one, but a proxy IP is at least better than an IP the user simply made up.
HTTP_CLIENT_IP
This also comes from a request header (Client-IP). It was originally meant to record the user's real IP, but it is rarely used, and like any client-supplied header it can be forged just as easily.
REMOTE_ADDR
This is the IP of the TCP connection itself, i.e. the peer the web server accepted the connection from, and the client cannot set it. Only small sites get the user's IP this way: a single server exposed directly, with no load balancing in front of it. If a proxy or load balancer sits upstream, this value is the IP of that proxy, not the user's.
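To make the difference between the three sources concrete, here is an added example (not code from the original post) that replays a per-IP vote limit against a batch of constructed requests. It is written in Python rather than PHP so it runs stand-alone; the request dictionaries mimic PHP's `$_SERVER` keys, the load balancer address `10.0.0.5`, the attacker address `203.0.113.7` and the forged `198.51.100.x` entries are all hypothetical, and the function names are my own. `naive_client_ip` follows the header-first order from the post; `trusted_client_ip` only honours X-Forwarded-For when the connection actually came from a known proxy, and then walks the list from the right so it stops at the first entry that was not appended by one of our own proxies.

```python
import ipaddress
from collections import Counter

# Assumed address of the site's own load balancer (hypothetical, for this example).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Constructed sample requests in CGI/PHP $_SERVER style (all addresses hypothetical).
ATTACKER = "203.0.113.7"
FORGED_REQUESTS = [
    {
        "REMOTE_ADDR": "10.0.0.5",  # the balancer is what connects to the app
        # attacker-chosen first entry, then the real peer IP appended by the balancer
        "HTTP_X_FORWARDED_FOR": f"198.51.100.{n}, {ATTACKER}",
    }
    for n in range(1, 6)
]
# No balancer in front: the attacker connects directly and still sends a header.
DIRECT_FORGED = {"REMOTE_ADDR": ATTACKER, "HTTP_X_FORWARDED_FOR": "198.51.100.9"}
CLIENT_IP_FORGED = {"REMOTE_ADDR": ATTACKER, "HTTP_CLIENT_IP": "198.51.100.9"}


def naive_client_ip(env):
    """Mirror the getenv() order from the post: forwarded headers first, socket peer last."""
    for key in ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP", "REMOTE_ADDR"):
        value = env.get(key)
        if value:
            # Leftmost entry, i.e. the one the client is free to invent.
            return value.split(",")[0].strip()
    return None


def trusted_client_ip(env, trusted_proxies=TRUSTED_PROXIES):
    """Trust only what our own proxies appended; ignore headers on direct connections."""
    peer = ipaddress.ip_address(env["REMOTE_ADDR"])
    if peer not in trusted_proxies:
        # Direct connection: the socket peer is the client, headers are noise.
        return str(peer)
    hops = [h.strip() for h in env.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    # Walk from the right: the rightmost entry was appended by our balancer and is
    # the address that connected to it; skip further trusted proxies, stop at the
    # first address we did not put there ourselves.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: refuse to guess, fall back to the socket peer.
            return str(peer)
        if addr not in trusted_proxies:
            return str(addr)
    return str(peer)


def tally_votes(requests, resolver, per_ip_limit=1):
    """Count how many requests a per-IP limit accepts under the given IP resolver."""
    seen = Counter()
    accepted = 0
    for env in requests:
        ip = resolver(env)
        if seen[ip] < per_ip_limit:
            seen[ip] += 1
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("naive resolver accepts:", tally_votes(FORGED_REQUESTS, naive_client_ip))
    print("trusted resolver accepts:", tally_votes(FORGED_REQUESTS, trusted_client_ip))
```

With the naive resolver every one of the five forged requests counts as a different voter; with the trusted resolver they all collapse to `203.0.113.7` and only the first is accepted. The trusted resolver still cannot see through a real proxy the attacker rents, which is exactly why the post's fallback was to switch to proxies.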
The evil thing I did was to directly forge the X-Forwarded-For header and deceive them that way. Within a few days, however, this vulnerability was discovered, and I switched to using proxies to brush votes directly.