nikos101
Inspiring
March 9, 2009
Question

#CGI.REMOTE_ADDR# sql injection?

  • March 9, 2009
  • 21 replies
  • 6950 views
Could #CGI.REMOTE_ADDR# be spoofed to do sql injection?

nikos101 (Author)
Inspiring
March 11, 2009
Wow, just sat down to read this thread; it's gonna take me a while to get my head round all this.

Thanks very much so far :)
Inspiring
March 11, 2009
>> the beer is flowing...

> sorry... way too many mohitos... :) )

Man. I would not want to be your head tomorrow.

--
Adam
Participating Frequently
March 11, 2009
Funny. One of the posts in that thread states:
"There are some CGI-exploits that can spoof $_SERVER['REMOTE_ADDR'] but only for coldfusion, and coldfusion isn't that popular [used, preferred] on the majority of the internet websites."

which is exactly what we're discussing here. Outside of doing packet-level spoofing (very non-trivial, and whoever was doing the spoofing would _have_ to be able to get the response in order to complete the handshake, which means he'd have something on at least the same subnet as the IP he was spoofing), or having a different web server front-end your coldfusion server (in which case you have bigger problems), or the hacker having access to your server (again, in which case you have bigger problems), I don't see a way to spoof CGI.REMOTE_ADDR. As has already been said, any HTTP_xxxx values are suspect and very trivial to spoof.
Inspiring
March 11, 2009
I shall investigate this when I am more sober than right now... :)
If I can dig out the link I found before, I shall post it the same instant...

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/
Inspiring
March 11, 2009
Azadi wrote:
> eeeeeeeeeeeeeeeeehhhhhhhhhhhhhhhhhhhhhhhhhhhhh!
> must be them b*&%&^%ds!
> here it is:
> http://www.blackhatworld.com/blackhat-seo/black-hat-seo/34772-simple-method-fake-your-ip-address-without-proxy.html

Well, that method sends a bogus "X-Forwarded-For" header
("HTTP-X-Forwarded-For" in CF), but REMOTE_ADDR would still contain the
IP address of the computer that sent the request (it's just that some
applications choose to trust input that should not be trusted and assume
the data in X-Forwarded-For is safe).

--
Mack
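Mack's distinction above (REMOTE_ADDR comes from the TCP peer, X-Forwarded-For is text the client typed) and Adam's point earlier about only a front-end you control being allowed to override it, as an added example written in Python rather than CFML; this is not code from the thread or from ColdFusion. The trusted proxy address 10.0.0.5, the `hits` table and the request values are constructed assumptions.

```python
import ipaddress
import sqlite3

# Assumption for this example: one reverse proxy we operate sits in front
# of the application. Only its X-Forwarded-For entries are believed.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip(peer_ip, headers, trusted_proxies=TRUSTED_PROXIES):
    """Return the client address to log or query on.

    peer_ip is the TCP peer address, i.e. what CGI.REMOTE_ADDR carries.
    X-Forwarded-For is only consulted when the peer is a proxy we trust,
    and even then each hop must parse as an IP literal.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip  # direct connection: the header is just noise
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right-to-left past our own proxies to the first foreign hop.
    for hop in reversed(hops):
        if hop in trusted_proxies:
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # not an IP: refuse it, fall back to the socket address
    return peer_ip


def new_store():
    """In-memory table standing in for the app's visitor log (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hits (ip TEXT)")
    return conn


def record_hit(conn, ip):
    """Insert with a bound parameter (the cfqueryparam equivalent), so the
    value is data, never SQL text, whatever it contains. Returns row count."""
    conn.execute("INSERT INTO hits (ip) VALUES (?)", (ip,))
    return conn.execute("SELECT COUNT(*) FROM hits").fetchone()[0]


def demo():
    # Constructed request: a direct client puts an injection string in
    # X-Forwarded-For, but the socket says 203.0.113.7, so that is stored.
    conn = new_store()
    headers = {"X-Forwarded-For": "1.1.1.1'); DROP TABLE hits;--"}
    ip = client_ip("203.0.113.7", headers)
    return ip, record_hit(conn, ip)
```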
Inspiring
March 11, 2009
eeeeeeeeeeeeeeeeehhhhhhhhhhhhhhhhhhhhhhhhhhhhh!
must be them b*&%&^%ds!
here it is:
http://www.blackhatworld.com/blackhat-seo/black-hat-seo/34772-simple-method-fake-your-ip-address-without-proxy.html

(just checked my tap and there are 8 of them already on it...
thanks [cf] it's _MY_ bar!)


Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/
Inspiring
March 11, 2009
Azadi wrote:
> here's one that was still buried in my ff history... is that any good?
> (I can't possibly tell now, sorry... way too many mohitos... :) )
>
Must be the mohitos, you did not post a link! ;-)
Inspiring
March 11, 2009
here's one that was still buried in my ff history... is that any good?
(I can't possibly tell now, sorry... way too many mohitos... :) )

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/
Inspiring
March 11, 2009
let me try and dig it up... one sec...


Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/
Inspiring
March 11, 2009
Azadi wrote:
> apparently, on a server running linux/bsd it is pretty trivial to tinker
> with tcp and fake remote_addr... NOT on a shared linux server, but
> dedicated linux servers (or barebones) are a dime a dozen now, compared
> to before...

Do you have a link? I'm genuinely interested in this.

We might be talking about slightly different things here. You might be
able to fake remote_addr when connecting to a web server on the same
machine as the attacker. But if you're trying to connect to a remote web
server from a server running linux/bsd you're bumping into TCP and its
3-way handshake, which means spoofing is over (unless you're a gateway
machine and you're spoofing an IP from your own network).

--
Mack
Inspiring
March 11, 2009
apparently, on a server running linux/bsd it is pretty trivial to tinker
with tcp and fake remote_addr... NOT on a shared linux server, but
dedicated linux servers (or barebones) are a dime a dozen now, compared
to before...

(disclaimer: this is all from just browsing mailing lists'
archives/forums/blackhat wikis... not that I have any experience
myself... but I've seen a lot of posts with full perl/python scripts to
fake/spoof remote_addr on a server running linux/bsd....)

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/