
I heard from a friend that we can spoof our IP address in cURL with HTTP_X_FORWARDED_FOR, so I decided to test it and created three files. One to send the cURL request:

```php
<?php

$ip = '1.1.1.1';
$url = "http://127.0.0.1/mydir/getdata.php";
$options = array (
    CURLOPT_CONNECTTIMEOUT => 1, // timeout on connect
    CURLOPT_TIMEOUT => 1, // timeout on response
    CURLOPT_MAXREDIRS => 1,
    CURLOPT_HTTPHEADER => array("REMOTE_ADDR: $ip", "HTTP_X_FORWARDED_FOR: $ip"),
    CURLOPT_URL => $url,
);
$ch = curl_init();
curl_setopt_array($ch, $options);
print_r("+");
$result = curl_exec($ch);
curl_close($ch);

?>
```

One to get and save the data:

```php
<?php
    $file = 'ip.txt';
    // Double quotes so that \n is written as a real newline
    $ipaddress = $_SERVER["REMOTE_ADDR"] . "\n";
    file_put_contents($file, $ipaddress, FILE_APPEND);
?>
```

And one to view the IP addresses, as you can see: 'ip.txt'.

But the problem is that all I get in ip.txt is '127.0.0.1' and no spoofed IP!

If this does not work at all, what is the solution?

Update:

I found this:

> No. libcurl operates on a higher level than so. Besides, faking IP address would imply sending IP packages with a made-up source address, and then you normally get a problem with intercepting the packages sent back as they would then not be routed to you!

Then how can I test a web page with different IP addresses?

I have some experience with the Python programming language. It can send a packet with a spoofed IP address, but the problem is that it can't fully complete the TCP three-way handshake, and the main website understands it.

  • Setting `REMOTE_ADDR` as a header would not have any effect... The header you want should be `X-Forwarded-For: $ip`, and in PHP `$_SERVER["HTTP_X_FORWARDED_FOR"]`. Not tested though. – Passerby Jun 04 '13 at 05:34
  • Reliable TCP spoofing ... for testing your application!? What is the problem you actually want to solve? You are not on the right track. – tripleee Jun 04 '13 at 05:38
  • @tripleee don't be so scared that some hack happened here. There is an application which bans IPs with some requests and I want to test that it works with different IP addresses. –  Jun 04 '13 at 06:11
  • Appalled is more like it. If your guard could be spoofed, you would just have proved that it's useless for its intended purpose. – tripleee Jun 04 '13 at 06:34
  • I am trying to find out whether it is possible for a programmer to spoof their IP. –  Jun 04 '13 at 06:38
  • To address "What is the problem you actually want to solve?" PCI compliance requires that anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the network. This would be one way to test if it could be done. I don't know of other ways and unfortunately PCI docs do not state how this is achieved. – user1978317 Feb 04 '14 at 19:29
  • The `X-Forwarded-For` is an HTTP header. It does not spoof the IP. It is used by proxies and other applications to indicate that a request is being performed on behalf of another machine. Your application must check that header to detect the **real** requester. Check some answers at: https://stackoverflow.com/questions/15699101/get-the-client-ip-address-using-php – Jaime Aug 15 '17 at 15:47
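
The comments distinguish `REMOTE_ADDR`, which comes from the TCP connection, from `X-Forwarded-For`, which is text supplied in the request. For an IP ban like the one being tested, the sketch below shows one way to pick the address to key on. It is an added example, not part of the original post or its comments; `client_ip()`, `TRUSTED_PROXIES` and every address in it are hypothetical, constructed values.

```php
<?php
// Added example, not from the original post. TRUSTED_PROXIES and
// client_ip() are hypothetical names; the addresses are constructed samples.
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5'];

/**
 * Return the address a ban list should key on.
 * REMOTE_ADDR comes from the TCP connection and cannot be set by a header.
 * X-Forwarded-For is client-controlled text, so it is honoured only when the
 * direct peer is one of our own proxies, and it is walked right to left so
 * that entries prepended by the client are never reached.
 */
function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, $trusted, true)) {
        return $peer; // direct client, or header from an untrusted peer
    }
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the socket address
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;  // first hop that is not one of our proxies
        }
    }
    return $peer; // every hop was a trusted proxy
}

// Constructed requests: [REMOTE_ADDR, X-Forwarded-For, expected result]
$cases = [
    ['203.0.113.9', '1.1.1.1',               '203.0.113.9'],  // header from a direct client
    ['127.0.0.1',   '198.51.100.7',          '198.51.100.7'], // relayed by a trusted proxy
    ['127.0.0.1',   '1.1.1.1, 198.51.100.7', '198.51.100.7'], // client prepended a hop
    ['127.0.0.1',   'not-an-ip',             '127.0.0.1'],    // malformed header
];
foreach ($cases as [$peer, $xff, $expected]) {
    $got = client_ip(['REMOTE_ADDR' => $peer, 'HTTP_X_FORWARDED_FOR' => $xff]);
    printf("%-12s XFF=%-22s -> %-13s %s\n", $peer, $xff, $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```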
