Access control based on the source IP

HTTP_CLIENT_IP: taken from the Client-IP request header, so the client can set it to anything
HTTP_X_FORWARDED_FOR: taken from the X-Forwarded-For request header, so the client can set it to anything
REMOTE_ADDR: the address of the TCP peer, set by the web server; it cannot be forged with a header, but it is the proxy's address rather than the user's when the request arrives through a proxy
Server-side code that reports the IP address (http://www.taoyiz.com/util/ip):
$s_onlineip = getenv('HTTP_CLIENT_IP');        // from the Client-IP request header
echo "HTTP_CLIENT_IP:" . $s_onlineip . "<br/>\n";
$s_onlineip = getenv('HTTP_X_FORWARDED_FOR');  // from the X-Forwarded-For request header
echo "HTTP_X_FORWARDED_FOR:" . $s_onlineip . "<br/>\n";
$s_onlineip = getenv('REMOTE_ADDR');           // TCP peer address, filled in by the web server
echo "REMOTE_ADDR:" . $s_onlineip . "<br/>\n";
$s_onlineip = $_SERVER['REMOTE_ADDR'];         // the same value through the superglobal
echo "\$_SERVER['REMOTE_ADDR']:" . $s_onlineip . "<br/>\n";
Client-side code:
Forged-IP test:
$url = 'http://www.taoyiz.com/util/ip';
$data_string = 'test=test';
$URL_Info = parse_url($url);
$request = '';
if (!isset($URL_Info["port"]))
    $URL_Info["port"] = 80;
// Build the raw HTTP request by hand so arbitrary headers can be injected
$request .= "POST " . $URL_Info["path"] . " HTTP/1.1\r\n";
$request .= "Host: " . $URL_Info["host"] . "\r\n";
$request .= "Referer: " . $URL_Info["host"] . "\r\n";
$request .= "Content-type: application/x-www-form-urlencoded\r\n";
$request .= "X-Forwarded-For: 192.168.1.4\r\n"; // becomes HTTP_X_FORWARDED_FOR on the server
$request .= "Client-IP: 192.168.1.5\r\n";       // becomes HTTP_CLIENT_IP on the server (the original used the non-standard spelling client_ip)
$request .= "Content-length: " . strlen($data_string) . "\r\n";
$request .= "Connection: close\r\n";
$request .= "\r\n";
$request .= $data_string;
$fp = fsockopen($URL_Info["host"], $URL_Info["port"]);
fputs($fp, $request);
$result = '';
while (!feof($fp)) {
    $result .= fgets($fp, 1024);
}
fclose($fp);
echo $result;
Output:
HTTP_CLIENT_IP:192.168.1.5
HTTP_X_FORWARDED_FOR:192.168.1.4
REMOTE_ADDR:127.0.0.1
$_SERVER['REMOTE_ADDR']:127.0.0.1
Proxy test:
$cUrl = curl_init();
curl_setopt($cUrl, CURLOPT_URL, $url);           // same $url as in the test above
curl_setopt($cUrl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($cUrl, CURLOPT_HEADER, 1);
curl_setopt($cUrl, CURLOPT_USERAGENT, "Mozilla/99.99");
// curl_setopt($cUrl, CURLOPT_TIMEOUT, 10);
curl_setopt($cUrl, CURLOPT_PROXY, '125.77.194.103:80'); // send the request through an HTTP proxy
$c = curl_exec($cUrl);
curl_close($cUrl);
echo $c;
Output:
HTTP_CLIENT_IP:
HTTP_X_FORWARDED_FOR:
REMOTE_ADDR:125.77.194.103
$_SERVER['REMOTE_ADDR']:125.77.194.103

 

Both tests show the same thing: the only value the client cannot set directly is REMOTE_ADDR, and even that is the proxy's address when a proxy sits in the path (this proxy added no X-Forwarded-For, so the server learned nothing about the real client). If access control is nevertheless done on the client IP, as in the login() below, which consults the forgeable headers first, the allowlist can be bypassed by anyone who sends a Client-IP or X-Forwarded-For header:

public function login() {
    // Restrict admin login to an IP range
    // VULNERABLE: the forgeable headers are consulted first, so REMOTE_ADDR is
    // only used when the client sends neither Client-IP nor X-Forwarded-For.
    if (getenv('HTTP_CLIENT_IP')) {
        $onlineip = getenv('HTTP_CLIENT_IP');
    } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
        $onlineip = getenv('HTTP_X_FORWARDED_FOR');
    } elseif (getenv('REMOTE_ADDR')) {
        $onlineip = getenv('REMOTE_ADDR');
    } else {
        $onlineip = $_SERVER['REMOTE_ADDR']; // the original read the long-removed $HTTP_SERVER_VARS here
    }
    // echo $onlineip;
    $adminip = $onlineip;
    $arrayip = array('117.121.48.*', '127.0.0.*'); // allowed IP ranges
    // Turn each pattern into a regex alternative: '*' -> '\d+', '.' -> '\.'
    $ipregexp = implode('|', str_replace(array('*', '.'), array('\d+', '\.'), $arrayip));
    $allow = preg_match("/^(" . $ipregexp . ")$/", $adminip);

    if ($allow != 1) {
        // L() and showmessage() are the surrounding framework's i18n and redirect helpers
        showmessage(L('Your IP address is not in the allowed range!'), '?m=admin&c=index&a=login', 6000);
    }
}
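The following is an added example, not code from the original post or from the application the login() above belongs to. It shows the hardened counterpart of the IP checks discussed on this page: the client address is derived only from REMOTE_ADDR, X-Forwarded-For is honoured only when the connection really comes from one of our own reverse proxies (the TRUSTED_PROXIES range is an assumed value), and the allowlist is matched as CIDR blocks instead of a regex built from '*' patterns. Client-IP is never read. The $_SERVER-shaped arrays at the bottom are constructed test inputs that replay the two scenarios from the tests above.

```php
<?php
// Added example: derive the client IP only from sources the attacker cannot forge,
// then match it against a CIDR allowlist. Not part of the original post.

// Assumption: address range of our own reverse proxies / load balancers. If the
// application is only ever reached directly, leave this list empty.
const TRUSTED_PROXIES = ['10.0.0.0/8'];

// Admin allowlist, the original '117.121.48.*' and '127.0.0.*' written as CIDR blocks.
const ADMIN_ALLOWLIST = ['117.121.48.0/24', '127.0.0.0/24'];

/** True if $ip (IPv4 or IPv6) lies inside the CIDR block $cidr. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        $cidr .= (strpos($cidr, ':') !== false) ? '/128' : '/32';
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($subnet);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed address, or IPv4 compared against IPv6
    }
    $bits = (int)$bits;
    if ($bits < 0 || $bits > strlen($ipBin) * 8) {
        return false;
    }
    // Build a binary mask of $bits leading one-bits and compare the prefixes.
    $mask = str_repeat("\xff", intdiv($bits, 8));
    if ($bits % 8) {
        $mask .= chr((0xff << (8 - $bits % 8)) & 0xff);
    }
    $mask = str_pad($mask, strlen($ipBin), "\x00");
    return ($ipBin & $mask) === ($netBin & $mask);
}

function ip_in_list(string $ip, array $cidrs): bool
{
    foreach ($cidrs as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve the client IP from a $_SERVER-shaped array.
 * Returns REMOTE_ADDR unless the request arrived via a trusted proxy; in that case
 * X-Forwarded-For is walked from the right, skipping our own hops, because only the
 * addresses appended by trusted proxies are reliable. Client-IP is never consulted.
 */
function get_client_ip(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!ip_in_list($remote, $trustedProxies)) {
        return $remote; // direct connection: every header is attacker-controlled, ignore them
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // garbage in the header: stop and fall back to the proxy address
        }
        if (!ip_in_list($hop, $trustedProxies)) {
            return $hop; // first untrusted address from the right is the real client
        }
    }
    return $remote;
}

function admin_login_allowed(array $server): bool
{
    return ip_in_list(get_client_ip($server), ADMIN_ALLOWLIST);
}

// Constructed inputs for a self-test (addresses are made up for the demo).
// 1. Direct connection that forges both headers, like the fsockopen test above.
$spoofed = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_CLIENT_IP'       => '127.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '117.121.48.9',
];
// 2. Same forged header, but the request really came through our proxy 10.0.0.2,
//    which appended the true peer on the right of X-Forwarded-For.
$via_proxy = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '117.121.48.9, 203.0.113.7',
];
// 3. Legitimate admin reaching us through the same proxy.
$admin = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '117.121.48.23'];

foreach (['spoofed' => $spoofed, 'via_proxy' => $via_proxy, 'admin' => $admin] as $name => $req) {
    printf("%-10s client=%-15s allowed=%s\n", $name, get_client_ip($req),
           admin_login_allowed($req) ? 'yes' : 'no');
}
```

In the first two constructed requests the forged 117.121.48.9 is discarded: in $spoofed because REMOTE_ADDR is not a trusted proxy, so the headers are never read, and in $via_proxy because the walk from the right stops at the first untrusted hop, which is the address our proxy appended, not the one the client supplied. Only the third request is allowed. The trusted-proxy list is the security boundary of this design: if an attacker can connect from an address in TRUSTED_PROXIES (for example 127.0.0.1 when the list includes it but no local proxy actually runs there), they regain control of X-Forwarded-For, so keep the list to the proxies that really front the application.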

Reposted from: https://www.cnblogs.com/hackforfun/p/4418411.html
