- REMOTE_ADDR:是和服務器直接"握手"的IP。
- HTTP_CLIENT_IP:代理服務器添加的 HTTP 頭,存放客戶端真實IP。
- HTTP_X_FORWARDED_FOR:代理服務器添加的HTTP頭,存放真實ip和各級代理ip。格式為X-Forwarded-For: client1, proxy1, proxy2。
http請求頭可以偽造,不僅代理可以,客戶端也可以。
REMOTE_ADDR也可以偽造,通過偽造tcp握手包,Response將會發送給被偽造的IP,所以這個層面的偽造ip沒有意義。
phpcms中的獲取ip函數:
1 function ip() { 2 if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) { 3 $ip = getenv('HTTP_CLIENT_IP'); 4 } elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) { 5 $ip = getenv('HTTP_X_FORWARDED_FOR'); 6 } elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) { 7 $ip = getenv('REMOTE_ADDR'); 8 } elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) { 9 $ip = $_SERVER['REMOTE_ADDR']; 10 } 11 return preg_match ( '/[\d\.]{7,15}/', $ip, $matches ) ? $matches [0] : ''; 12 }
它首先取 HTTP_CLIENT_IP ,然后取 HTTP_X_FORWARDED_FOR,上述都取不到的情況下才去取 REMOTE_ADDR。可前兩個都能在客戶端偽造。所以這個次序不行。
來看一看如何偽造。
ip_request.php:
1 <?php 2 $headers['CLIENT-IP'] = '2.2.2.2'; 3 $headers['X-FORWARDED-FOR'] = '3.3.3.3,8.8.8.8'; 4 $headerArr = array(); 5 foreach( $headers as $n => $v ) { 6 $headerArr[] = $n .':' . $v; 7 } 8 ob_start(); 9 $ch = curl_init(); 10 curl_setopt ($ch, CURLOPT_URL, "http://www.my.com/ip_response.php"); 11 curl_setopt ($ch, CURLOPT_HTTPHEADER , $headerArr ); //構造IP 12 curl_setopt ($ch, CURLOPT_REFERER, "http://www.163.com/ "); //構造來路 13 curl_setopt( $ch, CURLOPT_HEADER, 1); 14 curl_setopt($ch, CURLOPT_POST, 1);//post方式發送數據 15 curl_exec($ch); 16 curl_close ($ch); 17 $out = ob_get_contents(); 18 ob_clean(); 19 echo $out; 20 ?>
ip_response.php
1 <?php 2 print_r($_SERVER); 3 ?>
輸出結果:
1 HTTP/1.1 200 OK 2 Date: Wed, 08 Mar 2017 02:57:08 GMT 3 Server: Apache/2.4.9 (Win32) PHP/5.5.12 4 X-Powered-By: PHP/5.5.12 5 Content-Length: 2028 6 Connection: close 7 Content-Type: text/html 8 9 Array 10 ( 11 [HTTP_HOST] => www.my.com 12 [HTTP_ACCEPT] => */* 13 [HTTP_REFERER] => http://www.163.com/ 14 [HTTP_CLIENT_IP] => 2.2.2.2 15 [HTTP_X_FORWARDED_FOR] => 3.3.3.3,8.8.8.8 16 [CONTENT_TYPE] => application/x-www-form-urlencoded 17 [HTTP_EXPECT] => 100-continue 18 [PATH] => C:\Program Files\Java\jdk1.8.0_31\bin;C:\Program Files\Java\jdk1.8.0_31\jre\bin;C:\Program Files\Java\jdk1.8.0_31\bin;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files\Java\bin;C:\Program Files (x86)\MacType;F:\Program Files\TortoiseSVN\bin;C:\Python27\;C:\Program Files\nodejs\;C:\WINDOWS\system32\config\systemprofile\.dnx\bin;C:\Program Files\Microsoft DNX\Dnvm\;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\;C:\Program Files\Microsoft SQL Server\130\Tools\Binn\;E:\WAMP\bin\php\php5.5.12;C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps 19 [SystemRoot] => C:\WINDOWS 20 [COMSPEC] => C:\WINDOWS\system32\cmd.exe 21 [PATHEXT] => .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC 22 [WINDIR] => C:\WINDOWS 23 [SERVER_SIGNATURE] => <address>Apache/2.4.9 (Win32) PHP/5.5.12 Server at www.my.com Port 80</address> 24 25 [SERVER_SOFTWARE] => Apache/2.4.9 (Win32) PHP/5.5.12 26 [SERVER_NAME] => www.my.com 27 [SERVER_ADDR] => 127.0.0.1 28 [SERVER_PORT] => 80 29 [REMOTE_ADDR] => 127.0.0.1 30 [DOCUMENT_ROOT] => E:/WAMP/www/my 31 [REQUEST_SCHEME] => http 32 [CONTEXT_PREFIX] => 33 [CONTEXT_DOCUMENT_ROOT] => E:/WAMP/www/my 34 [SERVER_ADMIN] => admin@example.com 35 [SCRIPT_FILENAME] => E:/WAMP/www/my/ip_response.php 36 [REMOTE_PORT] => 59461 37 [GATEWAY_INTERFACE] => CGI/1.1 38 [SERVER_PROTOCOL] => HTTP/1.1 39 [REQUEST_METHOD] => POST 40 [QUERY_STRING] => 41 [REQUEST_URI] => /ip_response.php 42 [SCRIPT_NAME] => /ip_response.php 43 [PHP_SELF] => /ip_response.php 44 [REQUEST_TIME_FLOAT] => 1488941828.317 45 [REQUEST_TIME] => 1488941828 46 )
phpcms已跪。