    • Can HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR be forged?

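      REMOTE_ADDR is the IP address seen when your client "handshakes" with your server. If an "anonymous proxy" is used, REMOTE_ADDR shows the proxy server's IP.
      HTTP_CLIENT_IP is an HTTP header sent by the proxy server. With a "super anonymous proxy" it returns no value (none). Likewise, REMOTE_ADDR is replaced by that proxy server's IP.
      $_SERVER['REMOTE_ADDR']; // IP of the connecting peer (may be the user, may be a proxy)
      $_SERVER['HTTP_CLIENT_IP']; // the proxy side's value (may be present, can be forged)
      $_SERVER['HTTP_X_FORWARDED_FOR']; // the IP from which the user is using the proxy (may be present, can also be forged)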

      Test code follows.

      The server side, http://ip.itlearner.com/, obtains the IP addresses with the following code:

      // Print each candidate source of the client IP as the server sees it.
      $s_onlineip = getenv('HTTP_CLIENT_IP');
      echo "HTTP_CLIENT_IP:".$s_onlineip."<br/>\n";
      $s_onlineip = getenv('HTTP_X_FORWARDED_FOR');
      echo "HTTP_X_FORWARDED_FOR:".$s_onlineip."<br/>\n";
      $s_onlineip = getenv('REMOTE_ADDR');
      echo "REMOTE_ADDR:".$s_onlineip."<br/>\n";
      $s_onlineip = $_SERVER['REMOTE_ADDR'];
      echo "\$_SERVER['REMOTE_ADDR']:".$s_onlineip."<br/>\n";

      Client code:
      Forged IP test:

      $url = 'http://ip.itlearner.com/';
      $data_string = 'test=test';
      $URL_Info = parse_url($url);
      $request = '';
      if (!isset($URL_Info["port"])) {
          $URL_Info["port"] = 80;
      }
      // Build the raw HTTP request by hand so arbitrary headers can be set.
      $request .= "POST ".$URL_Info["path"]." HTTP/1.1\n";
      $request .= "Host: ".$URL_Info["host"]."\n";
      $request .= "Referer: ".$URL_Info["host"]."\n";
      $request .= "Content-type: application/x-www-form-urlencoded\n";
      $request .= "X-Forwarded-For:192.168.1.4\n"; // value of HTTP_X_FORWARDED_FOR
      $request .= "client_ip:192.168.1.5\n"; // value of HTTP_CLIENT_IP
      $request .= "Content-length: ".strlen($data_string)."\n";
      $request .= "Connection: close\n";
      $request .= "\n";
      $request .= $data_string."\n";

      // Send the request over a plain socket and print the server's response.
      $fp = fsockopen($URL_Info["host"], $URL_Info["port"]);
      fputs($fp, $request);
      $result = '';
      while (!feof($fp)) {
          $result .= fgets($fp, 1024);
      }
      fclose($fp);
      echo $result;

      Output:

      HTTP_CLIENT_IP:192.168.1.5
      HTTP_X_FORWARDED_FOR:192.168.1.4
      REMOTE_ADDR:127.0.0.1
      $_SERVER['REMOTE_ADDR']:127.0.0.1

      Proxy IP test:

      // Same target URL as above, this time requested through a proxy.
      $cUrl = curl_init();
      curl_setopt($cUrl, CURLOPT_URL, $url);
      curl_setopt($cUrl, CURLOPT_RETURNTRANSFER, 1);
      curl_setopt($cUrl, CURLOPT_HEADER, 1);
      curl_setopt($cUrl, CURLOPT_USERAGENT, "Mozilla/99.99");
      //curl_setopt($cUrl, CURLOPT_TIMEOUT, 10);
      curl_setopt($cUrl, CURLOPT_PROXY, '125.77.194.103:80');
      $c = curl_exec($cUrl);
      curl_close($cUrl);
      echo $c;

      Output:

      HTTP_CLIENT_IP:
      HTTP_X_FORWARDED_FOR:
      REMOTE_ADDR:125.77.194.103
      $_SERVER['REMOTE_ADDR']:125.77.194.103
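
Since both tests show that only REMOTE_ADDR reflects the real TCP peer, server code should use the forwarded headers only when that peer is one of its own reverse proxies. The following is an added example, not code from the original post; the function name `client_ip`, the `TRUSTED_PROXIES` list and all sample addresses are constructed assumptions, and it assumes each trusted proxy appends the address of its peer to X-Forwarded-For.

```php
<?php
// Added example: resolve the client IP without trusting forgeable headers.
// TRUSTED_PROXIES is an assumed list of your own reverse proxies (constructed values).
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5'];

function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Untrusted peer: every request header is client-controlled, so ignore them all.
    if (!in_array($peer, $trusted, true)) {
        return $peer;
    }
    // The peer is our own proxy: walk X-Forwarded-For from right to left and
    // skip our own hops. The first other address is what our outermost proxy saw.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // missing or malformed entry: fall back to the peer address
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed inputs mirroring the two tests on this page.
// HTTP_CLIENT_IP is never consulted: nothing in the chain vouches for it.
$cases = [
    'direct peer, forged headers' => [
        'REMOTE_ADDR' => '203.0.113.9',
        'HTTP_X_FORWARDED_FOR' => '192.168.1.4',
        'HTTP_CLIENT_IP' => '192.168.1.5',
    ],
    'trusted proxy, forged leading entry' => [
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '192.168.1.4, 198.51.100.7',
    ],
    'trusted proxy, no header' => ['REMOTE_ADDR' => '10.0.0.5'],
];
foreach ($cases as $name => $server) {
    printf("%-38s => %s\n", $name, client_ip($server));
}
```

Entries to the left of the address returned were supplied by the client or by proxies you do not control, so they are suitable for logging at most, never for access control or rate limiting.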
