General method of obtaining user IP address and common security risks (HTTP_X_FORWARDED_FOR)_PHP tutorial

Analysis process
This comes from some projects. It is common and frequently used to obtain user IP and record user operation behavior. Most friends will see the following general method of obtaining an IP address.

Copy code The code is as follows:

function getIP() {
if (isset($_SERVER[ 'HTTP_X_FORWARDED_FOR'])) {
$realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
$realip = $_SERVER['HTTP_CLIENT_IP '];
} else {
$realip = $_SERVER['REMOTE_ADDR'];
}
return $realip;
}

这个是网上常见获取，ip函数，用这些值获取IP,我们首先要弄清楚，这些数据是从那个地方传过来的。

IP获取来源

1.'REMOTE_ADDR' 是远端IP，默认来自tcp 连接是，客户端的Ip。可以说，它最准确，确定是，只会得到直接连服务器客户端IP。如果对方通过代理服务器上网，就发现。获取到的是代理服务器IP了。

如：a->b(proxy)->c ,如果c 通过'REMOTE_ADDR' ，只能获取到b的IP,获取不到a的IP了。

另外:该IP想篡改将很难实现，在传递知道生成php server值，都是直接生成的。

2.'HTTP_X_FORWARDED_FOR'，'HTTP_CLIENT_IP' 为了能在大型网络中，获取到最原始用户IP，或者代理IP地址。对HTTp协议进行扩展。定义了实体头。

HTTP_X_FORWARDED_FOR = clientip,proxy1,proxy2 所有IP用”,”分割。 HTTP_CLIENT_IP 在高级匿名代理中，这个代表了代理服务器IP。既然是http协议扩展一个实体头，并且这个值对于传入端是信任的，信任传入方按照规则格式输入的。以下以x_forword_for例子加以说明，正常情况下，这个值变化过程。




分析Bug风险点：

通过刚刚分析我们发现，其实这些变量，来自http请求的：x-forword-for字段，以及client-ip字段。 正常代理服务器，当然会按rfc规范来传入这些值。但是，当一个用户直接构造该x-forword-for值，发送给用户用户，那将会怎么样呢？

图（1）

第2步，修改x-forword-fox值，我们看看结果

 

第三步，我们再修改下看看会怎么样？

Haha, did you see the above result? x-forwarded-for can not only set the value by itself, but also can set the value in any format. In this way, it is like having a field that can write any value. And the server directly reads, or writes to the database, or displays. It will bring danger, just like operating the data source without any filtering and testing on the input. And it is easy to bring concealment.

Conclusion:

The above getip function, except that the client can forge IP at will, and can pass in IP in any format. This will cause two major problems. First, if you set up a certain page and impose IP restrictions. The other party can easily change the IP and continuously request the page. Secondly, if you use this kind of data directly, it will bring vulnerabilities such as SQL registration and cross-site attacks. As for the first one, you can set restrictions on the business, and it is best not to use IP restrictions. For the second one, this type can bring huge cyber risks. We must correct it.

Getip needs to be modified to obtain a safe getip function.

Such problems are actually very easy to occur. I have used this to defraud a large number of fake votes in the past. It has its hiddenness. In fact, as long as we understand the ins and outs of certain values. Once you understand how it works, it will be very easy to fix this type of bug.

Off topic, there are three steps to do technology. First, you must be able to do it and solve it; secondly, you must think about why you want to do it, what are the reasons and principles; finally, how to do it, and are there any other methods? Ask yourself more and you will find that you are getting closer to the technical truth. You will become more and more comfortable in doing things!

Author: chengmo QQ:8292669

http://www.bkjia.com/PHPjc/327104.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/327104.htmlTechArticleThe analysis process comes from some projects. It is common and frequently used to obtain user IP and record user operation behavior. of. Most friends will see the following general method of obtaining an IP address...