PHP使用CURL伪造来源IP与网址

test1.php ?phpob_start();$ch = curl_init();curl_setopt($ch, CURLOPT_URL, "http://www.xxx.cn/test/test2.php");curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-FORWARDED-FOR:1.1.1.1', 'CLIENT-IP:2.2.2.2')); //伪造IPcurl_setopt($ch, CURLOPT_REFE

test1.php

<?php ob_start();
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, "http://www.xxx.cn/test/test2.php");
	curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-FORWARDED-FOR:1.1.1.1', 'CLIENT-IP:2.2.2.2'));  //伪造IP
	curl_setopt($ch, CURLOPT_REFERER, "http://www.oicto.com/ ");   //伪造来源网址
	curl_setopt($ch, CURLOPT_HEADER, 1);
	curl_exec($ch);
	curl_close($ch); 
	$out = ob_get_contents();
	ob_clean();
	echo $out;
?>

test2.php

<?php function getClientIp() {
		if (!empty($_SERVER["HTTP_CLIENT_IP"]))
			$ip = $_SERVER["HTTP_CLIENT_IP"];
		else if (!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
			$ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
		else if (!empty($_SERVER["REMOTE_ADDR"]))
			$ip = $_SERVER["REMOTE_ADDR"];
		else
			$ip = "err";
		return $ip;
	}
	echo "IP: " . getClientIp() . "  HTTP_CLIENT_IP-: " . $_SERVER["HTTP_CLIENT_IP"] . "    HTTP_X_FORWARDED_FOR-: " . $_SERVER["HTTP_X_FORWARDED_FOR"] . "    REMOTE_ADDR-: " . $_SERVER["REMOTE_ADDR"] . "   ";
	echo "referer: " . $_SERVER["HTTP_REFERER"];
?>

执行结果：

HTTP/1.1 200 OK
Server: DWS/01.03Z33
Date: Mon, 09 Jun 2014 09:27:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
IP: 2.2.2.2  HTTP_CLIENT_IP-: 2.2.2.2    HTTP_X_FORWARDED_FOR-: 1.1.1.1    REMOTE_ADDR-: 127.0.0.1   referer: http://www.oicto.com/

但是暂时还无法伪造骗过：

$_SERVER["REMOTE_ADDR"]。

所以建议大家记录IP时使用$_SERVER["REMOTE_ADDR"]。

原文地址：PHP使用CURL伪造来源IP与网址, 感谢原作者分享。