如何伪造$ _SERVER ['REMOTE_ADDR']变量? [英] How to fake $_SERVER['REMOTE_ADDR'] variable?
问题描述
是否可以伪造或劫持$_SERVER['REMOTE_ADDR']变量的内容?
Is it possible to fake or hijack a content of $_SERVER['REMOTE_ADDR'] variable?
我想用以下方法伪造请求:
I would like to fake a request with:
$_SERVER['REMOTE_ADDR']='127.0.0.1';
如何用PHP做到这一点? CURL可以这样做吗?
How could I do that with PHP? Can CURL do that somehow?
推荐答案
我假设您的意思是远程伪造它.简短的答案是可以.关于它多么容易的长答案取决于您要伪造它的方式.
I assume that you mean faking it remotely. The short answer is yes you can. The long answer about how easy it is depends on how you want to fake it.
如果您不希望收到响应,那么它就像打开原始套接字到目标IP地址并伪造源IP地址一样简单.我不确定在PHP中是否真的很容易,因为所有PHP的套接字实现都在TCP级别或更高级别.但我确信这是可能的.现在,由于您不受网络控制,因此响应将不会返回给您.因此,这意味着您(无论如何)都无法(通过可靠的方式)通过伪造的TCP标头创建TCP连接(因为syn-ack确实通过要求双向通信来防止这种情况发生).
If you don't care about receiving a response, it's as trivial as opening a raw socket to the destination and forging the source IP address. I'm not sure if it's really easy to do in PHP since all of PHP's socket implementations are at or above the TCP level. But I'm sure it's possible. Now, since you're not in control of the network, the response will not go back to you. So that means that you cannot (reliably anyway) create a TCP connection via a trivial forged TCP header (since the syn-ack does prevent this by requiring two-way communication).
但是,如果您可以破坏IP断开的网关,则可以执行任何操作.因此,如果您破坏了与计算机连接的wifi路由器,则可以装作是那台计算机,而服务器不会告诉您区别所在.如果您破坏了ISP的出站路由器,则可以(至少在理论上)假装是计算机,而服务器则无法分辨出差异.
However, if you can compromise the gateway the IP is off of, you can do whatever you'd like. So if you compromise the wifi router a computer is connected to, you can pretend to be that computer, and the server won't tell the difference. If you compromise the ISP's outbound router, you can (in theory at least) pretend to be the computer and the server won't tell the difference.
有关更多信息,请参见以下链接:
For some more info, see these following links:
- ServerFault Question
- Symantec Article
- Linux Security Article
但是,如果您实际上损害了本地计算机/服务器,则只能在TCP下伪造127.0.0.1环回地址.那时真的重要吗?
However, you will only be able to forge the 127.0.0.1 loopback address under TCP if you actually compromise the local machine/server. And at that point does it really matter?
如果您正在使用框架来访问此信息,请绝对确定,它不会检查X-HTTP-FORWARDED-FOR标头!否则,伪造IP地址很简单.例如,如果您使用的是 Zend Framework的Zend_Controller_Request_Http::getClientIp 方法,请绝对确保将false作为参数传递!否则,某人只需要发送一个HTTP标头:X-Http-Forwarded-For: 127.0.0.1,它们现在看起来是本地的!这是一种情况,在不了解后端如何工作的情况下使用框架确实很糟糕……
If you're using a framework to access this information, be absolutely sure that it does not check the X-HTTP-FORWARDED-FOR header! Otherwise it's trivial to fake the IP address. For example, if you're using Zend Framework's Zend_Controller_Request_Http::getClientIp method, be absolutely sure that you pass false as the parameter! Otherwise someone just needs to send an HTTP header: X-Http-Forwarded-For: 127.0.0.1 and they now appear to be local! This is one case where using a framework without understanding how it works in the backend can really be bad...
我最近写了一篇博客文章,讲述了我是如何偶然发现StackOverflow应用程序中的一个漏洞的.这在这里非常相关,因为它采用了与该问题正在寻找的机制非常相似的机制(尽管周围的情况有些狭窄):
I wrote a blog post recently about how I stumbled across a vulnerability in StackOverflow's application. It's very relevant here, since it exploits a very similar mechanism to what this question is looking for (although the circumstances around it are somewhat narrow):
这篇关于如何伪造$ _SERVER ['REMOTE_ADDR']变量?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
