Simple X-Forwarded-For forgery vulnerability warning - Black Bar Security Net

ID MYHACK58:62201026721
Type myhack58
Reporter 佚名 (anonymous)
Modified 2010-04-14T00:00:00


I will not repeat the purpose of forging X-Forwarded-For here. When attacking a PHP site that has magic_quotes_gpc (GPC) turned on, string-type injection through GET, POST and cookie parameters is escaped, and in PHP 5 GPC is on by default. But GPC has no effect at all on $_SERVER, so values that the application reads from $_SERVER (the client IP taken from the X-Forwarded-For header, for instance) can be forged to achieve injection.

IP.php contains the following code, whose main job is to obtain the client IP:

<?php
// IP.php as the article shows it. The echo calls only report which source was
// used. The lookup order is the flaw: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR
// are request headers the client controls, and they are consulted before the
// real peer address REMOTE_ADDR.
function GetIP() {
    if (getenv("HTTP_CLIENT_IP")) {
        echo "getenvHTTP_CLIENT_IP";
        $ip = getenv("HTTP_CLIENT_IP");
    } else if (getenv("HTTP_X_FORWARDED_FOR")) {
        $ip = getenv("HTTP_X_FORWARDED_FOR");
        echo "getenvHTTP_X_FORWARDED_FOR";
        echo "<br>you are right";
    } else if (getenv("REMOTE_ADDR")) {
        echo "getenvREMOTE_ADDR";
        $ip = getenv("REMOTE_ADDR");
    } else {
        echo "unknown";
        $ip = "Unknown";
    }
    return $ip;
}
echo GetIP();
?>

  1. Request IP.php directly: it returns getenvREMOTE_ADDR127.0.0.1, the real peer address.

  2. Submit the request with nc, adding an X-Forwarded-For header (the header's value has been lost from the page; the reply below shows what the script echoed):

     GET /1.PHP HTTP/1.1
     Accept: */*
     Referer: http://localhost/
     Accept-Language: zh-cn
     Accept-Encoding: gzip, deflate
     User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; MAXTHON 2.0)
     Host: localhost
     Connection: Keep-Alive
     Cache-Control: no-cache
     X-Forwarded-For:
     Cookie: rtime=0; ltime=1269249140109; cnzz_eid=64110124-1269242429-; language=EN-us; PHPSESSID=ae9b14609808b4ff4c5811ad1943c529

The script now returns getenvHTTP_X_FORWARDED_FOR127.0.0.2: the address came from the forged header, not from REMOTE_ADDR.

The X-Forwarded-For forgery succeeded. Whatever the application does with this "client IP" afterwards (logging it, writing it into a SQL statement) now operates on attacker-chosen input that GPC never escaped.
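The PHP below is an added example, not code from the original article. It puts the two points above side by side: GPC escapes $_GET/$_POST/$_COOKIE but leaves $_SERVER alone, so the article's lookup order lets a forged X-Forwarded-For value reach a concatenated SQL string intact; the hardened version trusts the header only when the TCP peer is one of our own proxies, walks the chain from the right, validates the result with FILTER_VALIDATE_IP and binds it as a parameter. The `visits` table, the proxy address 10.0.0.5 and the forged header value are constructed for the demo; magic_quotes_gpc itself was removed in PHP 5.4, so its addslashes() behaviour is emulated.

```php
<?php
// Added example (not from the original article). Assumptions: the visits(ip)
// table, the trusted proxy 10.0.0.5 and the forged header are constructed.

// magic_quotes_gpc applied addslashes() to GPC input only. Emulated here.
function apply_magic_quotes_gpc(array $gpc): array {
    return array_map('addslashes', $gpc);
}

// Same lookup order as the article's GetIP(): headers win over REMOTE_ADDR.
function get_ip_unsafe(array $server): string {
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            return $server[$key];
        }
    }
    return 'Unknown';
}

// Vulnerable: the header value is concatenated into SQL as if it were trusted.
function build_visit_sql_unsafe(array $server): string {
    return "INSERT INTO visits (ip) VALUES ('" . get_ip_unsafe($server) . "')";
}

// Hardened: honour X-Forwarded-For only when the peer is one of our proxies,
// skip trusted hops from the right, and accept nothing that is not an IP.
// Returns null when the chosen entry does not parse as an address.
function get_ip_safe(array $server, array $trusted_proxies): ?string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (!in_array($peer, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // not behind our proxy: the header is meaningless
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    // Each proxy appends the address it saw, so the rightmost untrusted entry
    // is the client as seen by our first proxy; everything left of it is
    // attacker-controlled.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trusted_proxies, true)) {
            continue;
        }
        return filter_var($hops[$i], FILTER_VALIDATE_IP) === false ? null : $hops[$i];
    }
    return $peer;
}

// Hardened insert: validated value, bound as a parameter, never concatenated.
function record_visit_safe(PDO $db, array $server, array $trusted_proxies): bool {
    $ip = get_ip_safe($server, $trusted_proxies);
    if ($ip === null) {
        return false; // refuse to log something that is not an address
    }
    $stmt = $db->prepare('INSERT INTO visits (ip) VALUES (:ip)');
    return $stmt->execute([':ip' => $ip]);
}

// --- demo (constructed input) ------------------------------------------
$forged  = "127.0.0.2', 'x'); DELETE FROM visits; -- ";   // attacker-supplied header
$gpc     = apply_magic_quotes_gpc(['id' => "1' OR '1'='1"]); // GPC input is escaped
$trusted = ['10.0.0.5'];

// Behind our proxy: the proxy appended the real client after the forged part.
$behind_proxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => $forged . ', 203.0.113.7', // $_SERVER is NOT escaped
];
// Direct connection with the same forged header: peer is not a trusted proxy.
$direct = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => $forged];

echo "GPC-escaped id:   {$gpc['id']}\n";
echo "unsafe SQL:       " . build_visit_sql_unsafe($direct) . "\n";        // quote breaks out
echo "safe ip (proxy):  " . var_export(get_ip_safe($behind_proxy, $trusted), true) . "\n"; // '203.0.113.7'
echo "safe ip (direct): " . var_export(get_ip_safe($direct, $trusted), true) . "\n";       // '198.51.100.9'
echo "safe ip (garbage):" . var_export(get_ip_safe(['REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => $forged], $trusted), true) . "\n";                     // NULL

if (in_array('sqlite', PDO::getAvailableDrivers(), true)) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE visits (ip TEXT)');
    echo "logged behind proxy: " . var_export(record_visit_safe($db, $behind_proxy, $trusted), true) . "\n";
    echo "logged garbage:      " . var_export(record_visit_safe($db, ['REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => $forged], $trusted), true) . "\n";
}
```

Run it with php-cli; the unsafe SQL line shows the single quote in the header terminating the string literal exactly as it would against a real database, while the safe path either returns the address our proxy appended or refuses to log at all. Note that the direct-connection case also fixes a second problem with the article's code: an attacker talking straight to the server can no longer choose what gets logged as their IP.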

Turning on GPC alone is not enough to make a program safe; the program's own filtering mechanism must be improved, because every submitted parameter is