Spoofing the Source IP and Referer with cURL in PHP
test1.php
```php
<?php
// test1.php: the client. It sends a request carrying forged headers.
ob_start();
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.xxx.cn/test/test2.php");
// Forge the client IP headers
curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-FORWARDED-FOR:1.1.1.1', 'CLIENT-IP:2.2.2.2'));
// Forge the referring URL
curl_setopt($ch, CURLOPT_REFERER, "http://www.oicto.com/");
// Include the response headers in the output
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_exec($ch);
curl_close($ch);
$out = ob_get_contents();
ob_clean();
echo $out;
?>
```
test2.php
```php
<?php
// test2.php: the server. It prints the client IP as reported by each source.
function getClientIp() {
    // Client-IP and X-Forwarded-For are request headers, so the client sets them
    if (!empty($_SERVER["HTTP_CLIENT_IP"]))
        $ip = $_SERVER["HTTP_CLIENT_IP"];
    else if (!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
        $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
    else if (!empty($_SERVER["REMOTE_ADDR"]))
        $ip = $_SERVER["REMOTE_ADDR"];
    else
        $ip = "err";
    return $ip;
}

echo "<br />IP: " . getClientIp() . " "
    . "HTTP_CLIENT_IP-: " . $_SERVER["HTTP_CLIENT_IP"] . " "
    . "HTTP_X_FORWARDED_FOR-: " . $_SERVER["HTTP_X_FORWARDED_FOR"] . " "
    . "REMOTE_ADDR-: " . $_SERVER["REMOTE_ADDR"] . " ";
echo "<br />referer: " . $_SERVER["HTTP_REFERER"];
?>
```
Result:

```
HTTP/1.1 200 OK
Server: DWS/01.03Z33
Date: Mon, 09 Jun 2014 09:27:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding

<br />IP: 2.2.2.2 HTTP_CLIENT_IP-: 2.2.2.2 HTTP_X_FORWARDED_FOR-: 1.1.1.1 REMOTE_ADDR-: 127.0.0.1 <br />referer: http://www.oicto.com/
```
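However, for now this approach cannot forge $_SERVER["REMOTE_ADDR"]: that value comes from the TCP connection itself, not from a request header the client supplies.
So when recording IP addresses, use $_SERVER["REMOTE_ADDR"].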
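A server-side counterpart to getClientIp() that follows this recommendation, as an added example that is not part of the original post: it logs REMOTE_ADDR and reads X-Forwarded-For only when the TCP peer is a reverse proxy you operate. The TRUSTED_PROXIES list, the function name and the sample requests are assumptions made for illustration, and the code assumes each proxy appends the address it saw to X-Forwarded-For.

```php
<?php
// Added example, not from the original post. TRUSTED_PROXIES is an assumed
// deployment setting: addresses of reverse proxies you operate yourself.
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5'];

/**
 * Return the client address to log. Client-IP is never consulted, and
 * X-Forwarded-For is read only when the TCP peer is one of our proxies.
 */
function clientIpForLogging(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return 'unknown';
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer; // direct connection: request headers carry no authority
    }
    // Each proxy appends the address it saw, so walk the list right to left
    // and stop at the first hop that is not one of our own proxies.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the header
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed sample requests (documentation addresses, not real traffic).
$samples = [
    'direct, forged headers' => ['REMOTE_ADDR' => '203.0.113.9',
        'HTTP_CLIENT_IP' => '2.2.2.2', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1'],
    'via proxy, client prepended a fake hop' => ['REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 198.51.100.7'],
    'via proxy, malformed header' => ['REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '<script>, 10.0.0.5'],
];
foreach ($samples as $label => $server) {
    echo $label, ' => ', clientIpForLogging($server), PHP_EOL;
}
```

Behind a reverse proxy, REMOTE_ADDR is the proxy's own address, which is why the forwarded header is consulted only in that case and only up to the first hop the proxy did not write itself.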