SITERAW

REMOTE_ADDR and SQL injections

Kalvin # Posted one month ago
Is REMOTE_ADDR secure? Could one make a SQL injection via a $_SERVER['REMOTE_ADDR'] (not XFF)?

I imagine that sending a packet with a source IP ', admin = '1 would not be very feasible, so I'm open to ideas or suggestions.
DDSR # Posted two weeks ago
It seems to me that PHP checks that the entry has the form of an IP (it's still a global). But you can have fun checking this by changing your user agent (with a Firefox plugin, for example) and seeing if the global variables pass the info through as is, or if there is a minimum of checks behind them.

The answer interests me =)
Kalvin # Posted two weeks ago
Exactly, but I'm not talking about the user agent, nor the X-Forwarded-For, which are modifiable during the HTTP request, but about the variable grabbed by REMOTE_ADDR...

If the user's IP is retrieved by Apache I don't see how to do it, but hey, I ask just in case :).
DDSR # Posted one week ago
Yeah, I assumed that all variables had the same level of control, since the IP is also changeable anyway (forged queries).

But you can check locally if the variables are tested by injecting whatever you want via the user agent.
Kalvin # Posted yesterday
So I tried some basic forging with scapy, but this bitch tries to resolve a domain name :p.

Frankly, since the IP is coded on 32 bits, I don't see how it can be done. Not to mention the routing issues and so on.

In short, IMO, it was a stupid question.

(As for injections via user-agent and X-Forwarded-For, unless I'm mistaken or it has somehow been patched, it's entirely possible.)
Celeri # Posted yesterday
I think PHP gets the remote IP address provided by Apache, itself grabbed from the source IP of the TCP connection.
So I don't think there is any other solution than classic spoofing.
Kegon # Posted two hours ago
Spoofing will allow you to change the value of $_SERVER['REMOTE_ADDR'], but you can only send IP addresses. So no SQL injection possible.

Otherwise, you can always try to modify the variable. I don't see why PHP would have any control over it if the script wanted to change its value.

Once upon a time, when register_globals was enabled by default, some superglobal variables could be modified via the URL. You can always try that. If not, you can look for another way to modify this variable.
H2Fr Master # Posted one hour ago
$_SERVER is an associative array which is filled, not always exhaustively, by either the information provided by the client or fetched from the server itself (which is the case here).

For the IP of the client, it would give either something like:
$_SERVER = array([...], 'REMOTE_ADDR' => '127.0.0.1', [...]);
Or a progressive filling:
$_SERVER = array();

// [...]

$_SERVER['REMOTE_ADDR'] = '127.0.0.1';
I don't remember the function that extracts the IP from the network layer, so I hardcoded it, but let's postulate that it works pretty much like that.

And so, we access it using $_SERVER['REMOTE_ADDR'] as you know it.

All that to say three things.

1) Since it's up to the server to grab the IP directly, replacing it with something else on the network layer could lead to routing problems.

2) The problem is that it is the server that will look for this IP from the network layer, and whatever happens it will always have the form that we know (bits, dots... in other words an IP). I am virtually certain that there is an IP check with a regular expression or something similar. The best you could do is "spoofing" (and even that would be hard since HTTP requests occur after the TCP handshake).

3) Since $_SERVER is an associative array, its values can be overwritten manually within the PHP script.
Valter # Posted 37 minutes ago
The idea is interesting since many webmasters store IP addresses as binaries or other numerical datatypes, and many probably do get it through $_SERVER['REMOTE_ADDR'], but it can't be modified as easily as the user-agent or other variables passed through the HTTP request query.
Kalvin # Posted 5 minutes ago
That's what I thought.

As for my idea of sending SQL commands through a packet's source IP... lol.
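
An added example, not code posted by anyone in the thread: a logging routine that treats REMOTE_ADDR as connection-derived but still validates it, treats X-Forwarded-For and User-Agent as client-supplied text, stores addresses in binary form and binds every value in a prepared statement. The helper names, the `visits` table and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): returns the packed 4- or 16-byte
// form of an address string, or null if the string is not a valid IP literal.
function packIp(?string $candidate): ?string
{
    if ($candidate === null || filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $packed = inet_pton($candidate);
    return $packed === false ? null : $packed;
}

// Hypothetical helper: logs one request. Values are bound, never concatenated.
function logVisit(PDO $db, array $server): void
{
    // REMOTE_ADDR comes from the TCP connection; fail closed if it is malformed.
    $peer = packIp($server['REMOTE_ADDR'] ?? null);
    if ($peer === null) {
        throw new RuntimeException('REMOTE_ADDR is not an IP address');
    }
    // X-Forwarded-For is a client-supplied header: kept only if it is a single
    // valid IP literal (a comma-separated proxy list is dropped here as well).
    $claimed = packIp($server['HTTP_X_FORWARDED_FOR'] ?? null);

    $stmt = $db->prepare('INSERT INTO visits (peer, claimed, agent) VALUES (?, ?, ?)');
    $stmt->bindValue(1, $peer, PDO::PARAM_LOB);
    $stmt->bindValue(2, $claimed, $claimed === null ? PDO::PARAM_NULL : PDO::PARAM_LOB);
    $stmt->bindValue(3, $server['HTTP_USER_AGENT'] ?? '', PDO::PARAM_STR);
    $stmt->execute();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (peer BLOB NOT NULL, claimed BLOB, agent TEXT)');

// Constructed request: both headers carry the string from the first post.
logVisit($db, [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => "', admin = '1",
    'HTTP_USER_AGENT'      => "', admin = '1",
]);

$sql = 'SELECT length(peer) AS peer_len, claimed IS NULL AS claimed_null, agent FROM visits';
$row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
printf("peer bytes=%d, claimed dropped=%d, agent stored as text: %s\n",
    $row['peer_len'], $row['claimed_null'], $row['agent']);
```

The forwarded value is rejected because it is not an IP literal, while the user-agent is stored verbatim as data because the bound parameter never becomes part of the SQL text.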
