My personal blog, source address: http://www.woniubi.cn/get_client_ip/
In the past two weeks, I helped a friend's relative's child brush votes. Who told us to be programmers? Along the way I have also run into requests to reinstall systems, clean out dust, shop on Taobao, steal QQ accounts, download movies, explain why some software cannot be used, and so on. If you say you can't, they will say that your computer skills are very good, so there is no problem you can't solve.
Sites defend against vote brushing with various restrictions: registered users only, verification codes, and IP restrictions. The voting website in this case has IP restrictions. If we want to break the limit, we need to understand how the site obtains the user's IP.
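```php
<?php
$forwardedFor = getenv('HTTP_X_FORWARDED_FOR'); // X-Forwarded-For request header
$clientIp     = getenv('HTTP_CLIENT_IP');       // Client-IP request header
$remoteAddr   = getenv('REMOTE_ADDR');          // address of the connecting peer
```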
HTTP_X_FORWARDED_FOR
This value is taken from the HTTP request header, and its format is `A ip, B ip, C ip`. There are two reasons a request carries it:
- The website uses load balancing because of heavy traffic, so a load balancer is placed in front of the application and users cannot reach the application directly.
- The user accesses the site through proxies.
The user starts from A IP. Each time the request passes through another layer of proxy, one more IP is appended to the end of this header, separated by commas, until the request finally reaches the real web container. Anything obtained from a header can be forged, so the A IP in this list may not be the user's real IP. In this setup, the only address we can treat as the user's IP is the one that connected to the load balancer, because at least that value is correct. It may still be the IP of the user's proxy rather than the user's real IP, but that is at least better than an IP the user made up.
HTTP_CLIENT_IP
This is also obtained from the header. It was originally intended to record the user’s real IP, but it is rarely used.
REMOTE_ADDR
This is the IP of the connection itself. Only small websites rely on it: sites that are directly exposed as a single point, without any load balancing. If there is a proxy in front of the server, this value is the IP of the proxy.
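The conclusion above (use the connection address, and read X-Forwarded-For only for the hops written by your own load balancer) can be implemented as follows. This is an added example, not code from the original post; the function name `resolve_client_ip`, the load balancer address 10.0.0.5 and the sample requests are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Addresses of our own load balancers (assumed value for this example).
const TRUSTED_PROXIES = ['10.0.0.5'];

/** Pick the address to apply per-IP limits to. */
function resolve_client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    // REMOTE_ADDR comes from the TCP connection, not from a request header.
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Peer is not our load balancer: every header is client-supplied, ignore them.
    if (!in_array($peer, $trusted, true)) {
        return $peer;
    }

    // Each proxy appends the address it saw, so read the list right to left:
    // the rightmost entries were written by our own infrastructure.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop, fall back to the peer address
        }
        if (!in_array($hops[$i], $trusted, true)) {
            return $hops[$i]; // the address that connected to our load balancer
        }
    }
    return $peer;
}

// Constructed sample requests (documentation address ranges).
$samples = [
    'direct, header set by client' =>
        ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.77'],
    'via LB, header untouched by client' =>
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'],
    'via LB, client prepended a value' =>
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.77, 203.0.113.9'],
];
foreach ($samples as $label => $server) {
    printf("%-36s => %s\n", $label, resolve_client_ip($server));
}
```

In all three constructed requests the function returns 203.0.113.9, the address that actually opened the connection. The string comparison assumes the load balancer writes addresses in the same textual form as the trusted list.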
What I did was to directly forge the X-Forwarded-For data and deceive them. However, within a few days, this vulnerability was discovered, and then I switched to using a proxy to brush votes directly.