I need to let my users find their local (LAN) IP very quickly and easily.
Our network has a Squid proxy so all the users sit behind it (and this is a problem for internal IP detection: all PHP scripts I've tried are able - at best - to detect the proxy's IP and not the client's).
Any kind of language working on a LAMP server is welcome...
Also a simple EXE file on Windows could work as "plan b" but I couldn't find anything working.
Following #German Arlington's answer, I think your best bet is configuring Squid to send the X-Forwarded-For header along with HTTP requests:
If set to "on", Squid will append your client's IP address in the HTTP
requests it forwards. By default it looks like:
X-Forwarded-For: 192.1.2.3
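Then you will be able to read the IP address in PHP via apache_request_headers():
<?php
// X-Forwarded-For is only present when the request came through the proxy.
$headers = apache_request_headers();
// The header value is client-influenced, so escape it before output.
echo htmlspecialchars($headers["X-Forwarded-For"] ?? "", ENT_QUOTES);
?>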
Consider a Java applet loaded in the browser.
Since Java uses its own virtual environment, it will be able to show the local IP address to the clients.
Good way to start, I guess -> http://reglos.de/myaddress/MyAddress.html
And for Java to obtain IP: How can i check System IP Address/Host Name in Java?
This way you won't have to change the current environment. Otherwise it will probably involve Squid reconfiguration.
From the comments you have posted I can see that the purpose of presenting the IP to the client is to make them read it to you and allow you to connect remotely. You have also mentioned that running an app on the client side is an option. This immediately pushed me towards BGInfo http://technet.microsoft.com/en-us/sysinternals/bb897557.aspx - especially if the client's operating system is Windows.
The easy Java applet to put on a page:
function myIP(){
var vi="uses java to get the users local ip number";
var yip2=java.net.InetAddress.getLocalHost();
var yip=yip2.getHostAddress();
return yip;
}//end myIP
alert("your machine's local network IP is "+ myIP())
You may be interested in
http://roshanbh.com.np/2007/12/getting-real-ip-address-in-php.html
and generally in HTTP headers that should contain the information you are looking for
Related
I'm creating a website which needs to do some data gathering anonymously. I run an Ubuntu server with Apache, and normally when I want to run my script, target websites and servers can determine my server's real IP. Is there any solution to hide the Apache server IP and use random IPs for each request?
The target website will generally always be able to see your real IP address; you'd have to make each request from a different server, or via a different network connection.
Depending on why and how you're doing this, from where and to whom, it's likely to be an effective way to get banned, sued and/or prosecuted for a DDoS attack (or some other kind of attack).
Please don't do this.
I would try to explain in diagrams
[REST SERVER] <--------> [JAVASCRIPT BASED WEBSITE] <--------> [USER]
 192.168.0.2                    192.168.0.3                192.168.0.123
How can I get the IP of the website that consumes the REST server instead of the USER's IP.
I tried using $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_REFERRER'] but they both return the IP of the user.
Is it possible in the web? I'm using PHP for my REST server.
I'll assume here that you mean the website is hosted on 192.168.0.3. This means the user will be downloading the Javascript and HTML data from said server, and then execute it locally on 192.168.0.123. That Javascript is then going to make remote calls to the REST service from that local IP.
You want to know how to get the IP of the server that hosted the Javascript/HTML files before the client downloaded them, presumably in a reliable fashion. And the answer is that this is not possible. Because your actual schema looks like this:
[JAVASCRIPT BASED WEBSITE] <--------> [USER]
       192.168.0.3                 192.168.0.123
                                         ^
                                         |
[REST SERVER] <--------------------------+
 192.168.0.2
You cannot do this securely. You will have to make the javascript pass this to the server. And since javascript is run client side, this can be spoofed.
And even then, javascript does not have native functions to get you the IP address of the website. It can give you the domain name though. And then in, for example, PHP you can resolve this domain name to an IP address. Or have the javascript based web server give its IP address directly along. For example with the help of PHP, you can do in javascript: var myIP = '<?php echo $_SERVER['SERVER_ADDR']; ?>';
As a sidenote, the Origin header (can be spoofed) is meant for this purpose but a secure workaround would be some kind of handshake between JS server and REST server.
Javascript based webpage requests a token code via serverside, you put this token code into the javascript and send it to the rest server.
The rest server verifies the token code and then you know for sure where the javascript resides.
This is the only method of verifying the origin, it is not possible via plain IP addresses.
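One way to implement the token handshake described above, as an added example that is not code from the original answer. It assumes the website's server and the REST server share a secret; SHARED_KEY, the site id "site-a" and the 60-second lifetime are hypothetical values.

```php
<?php
// Added example of the token handshake. SHARED_KEY, the site id "site-a"
// and the 60-second lifetime are assumptions, not values from the page.
const SHARED_KEY = 'replace-with-a-random-32-byte-secret'; // known to both servers only

// Runs on the website's server when it renders the page: the token is
// embedded in the JavaScript, which sends it along with each REST call.
function issueToken(string $siteId, int $now, int $ttl = 60): string
{
    $payload = $siteId . '|' . ($now + $ttl) . '|' . bin2hex(random_bytes(8));
    $mac = hash_hmac('sha256', $payload, SHARED_KEY);
    return base64_encode($payload) . '.' . $mac;
}

// Runs on the REST server: returns the site id that issued the token,
// or null if the token is malformed, forged or expired.
function verifyToken(string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) {
        return null;
    }
    // Constant-time comparison so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, SHARED_KEY), $parts[1])) {
        return null;
    }
    $fields = explode('|', $payload);
    if (count($fields) !== 3 || (int) $fields[1] < $now) {
        return null;
    }
    return $fields[0];
}

$token = issueToken('site-a', time());
var_dump(verifyToken($token, time()));          // fresh, untouched token
var_dump(verifyToken($token . 'x', time()));    // MAC altered in transit
var_dump(verifyToken($token, time() + 3600));   // presented after expiry
```

A token read out of the page can be replayed by that user until it expires, so keep the lifetime short. The token shows which site issued it, not which client is sending it.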
How do I get the MAC address of the user of my site (server)? Any tools, methods and techniques are welcome, in any language. Thank you.
Short answer is: you can't. Even assuming you could pull a MAC address from the request, the user goes through many network devices before hitting your site so how would you know which of these the MAC address came from?
Assuming your site is on the Internet (as opposed to a LAN), you can't.
That information is not exposed to client side JavaScript and isn't routed over the Internet.
Assuming your visitors come over the internet and not simply the local network: You don't.
It is not part of the underlying protocol to transport that information more than a hop on the network.
By having the client send the machine's MAC addresses to you. You'd have to execute some code on the client capable of collecting that information, and have it include that data in the communications with the server.
For example, you could have Linux clients run /sbin/ifconfig and collect the MAC addresses from the output. You didn't specify what protocol you are using to communicate, so I can't offer advice on how to send the data once you've collected it.
Why do you want that? The machine might not even have any MAC addresses, or it might have several.
I am trying to find the IP address using AS3 in Adobe Flash Professional CS5.5 and I think it is not possible from AS3 without using any server-side technology (maybe I am wrong).
But I don't know any server-side technology like PHP, etc.
Can anyone provide an example?
You can get the local machine IP using JavaScript, and you can also develop a server-side script which will retrieve your local machine IP address from the request header.
But as per your comments on your question, I think you require your local machine IP. It can be obtained using JavaScript. But this IP address is not the one displayed on the gateway or server side, because at home or behind some firewall / proxy the user has a different IP to access the Internet, and the local machine IP will be the LAN IP.
And you can call the JavaScript code using ExternalInterface.
Please search for JavaScript and ExternalInterface code examples; you will find many code examples through Google.
There's a simple and clean way to dynamically get the domain name, but not the IP, of the server hosting the SWF file.
You can use the domain property of the LocalConnection class.
try:
import flash.net.LocalConnection;
var lc:LocalConnection = new LocalConnection();
trace(lc.domain); // Outputs domain name of the hosting server, or `localhost` if run locally.
Is it possible to fake or hijack a content of $_SERVER['REMOTE_ADDR'] variable?
I would like to fake a request with:
$_SERVER['REMOTE_ADDR']='127.0.0.1';
How could I do that with PHP? Can CURL do that somehow?
I assume that you mean faking it remotely. The short answer is yes you can. The long answer about how easy it is depends on how you want to fake it.
If you don't care about receiving a response, it's as trivial as opening a raw socket to the destination and forging the source IP address. I'm not sure if it's really easy to do in PHP since all of PHP's socket implementations are at or above the TCP level. But I'm sure it's possible. Now, since you're not in control of the network, the response will not go back to you. So that means that you cannot (reliably anyway) create a TCP connection via a trivial forged TCP header (since the syn-ack does prevent this by requiring two-way communication).
However, if you can compromise the gateway the IP is off of, you can do whatever you'd like. So if you compromise the wifi router a computer is connected to, you can pretend to be that computer, and the server won't tell the difference. If you compromise the ISP's outbound router, you can (in theory at least) pretend to be the computer and the server won't tell the difference.
For some more info, see these following links:
ServerFault Question
Symantec Article
Linux Security Article
However, you will only be able to forge the 127.0.0.1 loopback address under TCP if you actually compromise the local machine/server. And at that point does it really matter?
Important
If you're using a framework to access this information, be absolutely sure that it does not check the X-HTTP-FORWARDED-FOR header! Otherwise it's trivial to fake the IP address. For example, if you're using Zend Framework's Zend_Controller_Request_Http::getClientIp method, be absolutely sure that you pass false as the parameter! Otherwise someone just needs to send an HTTP header: X-Http-Forwarded-For: 127.0.0.1 and they now appear to be local! This is one case where using a framework without understanding how it works in the backend can really be bad...
Edit: Relevant
I wrote a blog post recently about how I stumbled across a vulnerability in StackOverflow's application. It's very relevant here, since it exploits a very similar mechanism to what this question is looking for (although the circumstances around it are somewhat narrow):
How I Hacked StackOverflow
The remote address is not something added out of courtesy, it's used in the IP protocol to route packets, so if you send a packet with a fake address, you will not receive a response, and since you're talking about an HTTP request, which is delivered over a TCP connection, which takes several IP packets (and the matching responses) to set up:
No, that's impossible (except of course by actually sending the request from the same host via the loopback interface).
Apache populates $_SERVER['REMOTE_ADDR'] from a TCP socket that it uses to communicate with your browser. It is IMPOSSIBLE to influence this variable over the open internet because of the three-way-handshake. If the client and the server are on a broadcast network, like wifi, then you can sniff the wire and complete the handshake.
If you browse via a proxy, $_SERVER['REMOTE_ADDR'] may be set to the proxy's IP address rather than the end user's.
There are other headers which you can use instead in this case: This page gives a function which checks all the possibilities and provides the address most likely to be the end user's:
http://roshanbh.com.np/2007/12/getting-real-ip-address-in-php.html
However if the user is proxying using a badly configured proxy, or a malicious one, or one designed to anonymise the end user, then you won't be able to guarantee any of the headers other than REMOTE_ADDR (which would only lead you as far as the proxy).
If your end user is browsing via HTTPS, then REMOTE_ADDR will always be his IP address; you can't use proxy forwarding via HTTPS. Therefore, the one way to be absolutely sure of his address is to get him to open your site in HTTPS.
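The proxy-header caveats raised in the answers above (Squid's X-Forwarded-For, the framework warning, and forwarded headers that cannot be guaranteed), as an added example that is not code from any of the posts: the header is honoured only when the TCP peer in REMOTE_ADDR is a proxy you operate. The function name clientIp, the $trustedProxies list and all addresses are assumptions constructed for illustration.

```php
<?php
// Added example, not from the posts above. clientIp() and $trustedProxies are
// hypothetical names; every address below is a constructed sample value.

function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // The socket peer is the one value a remote client cannot choose. Forwarded
    // headers are considered only when that peer is a proxy we operate.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // Each proxy appends the address it received the request from, so walk the
    // list right to left and stop at the first hop that is not ours.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the rest of the chain
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote; // nothing usable in the header: fall back to the peer
}

$proxies = ['10.0.0.5']; // e.g. the Squid host

// Direct connection carrying a forged header: the header is never read.
$direct = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
echo clientIp($direct, $proxies), PHP_EOL;

// Through the proxy: the client supplied a forged first entry and the proxy
// appended the address it actually saw, which is the one selected.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',
             'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 192.168.1.23'];
echo clientIp($viaProxy, $proxies), PHP_EOL;
```

In a request handler the call is clientIp($_SERVER, $proxies), with $proxies listing only proxies under your own control.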
You can overwrite any item in the $_SERVER array, including the one you mention, in your server; of course, not in someone else's.
However, it won't change your computer's IP address.
REMOTE_ADDR
The IP address from which the user is viewing the current page.
You can request the script through a proxy, etc. to change the IP address, but you cannot set any text you want there.
That is a variable set by apache or whatever server you're using. You cannot spoof it.
You may run $_SERVER['REMOTE_ADDR']='127.0.0.1'; at the beginning of the scripts, but I doubt that's what you're trying to do.