SQL INJECTION BY X-FORWARDING

Post: #1 SQL injection : X-forwarded-for Requirements : Site that use X-forwarded-for Basic knowledge with SQLi (string based) Live HTTP headers Introduction : X-forwarded-for is often use to get the ip of user even though he uses a proxy. Example and explanation :  PHP Code: function getip() {     if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))     {        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];   }     else     {       $ip = $_SERVER["REMOTE_ADDR"];   }  This code create an ip variable with the real ip. PHP Code:     if (preg_match("#^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#",$ip))     {         return $ip;     }     else     {         return $_SERVER["REMOTE_ADDR"];     } }  This code check if it's real ip but this code is vulnerable, why ? Because a regex has a beginning and a end. The beginning delimiter is ^ and the ending delimiter is $, note that the $ is missing. So the regex check only the beginning of the ip. If your ip is127.0.0.1 the regex will send back true but if your ip is 127.0.01+whateveryouwant the regex will send back true too. PHP code that is vulnerable : PHP Code: $req = mysql_query("SELECT username,password FROM admin WHERE username='".sql($_POST['username'])."' AND password='".md5($_POST['password'])."' AND ip='".getip()."'");  Exploitation: First open Live HTTP headers then actualize the page : Note that the injection will be a string based. Now click on the url then click on replay and add : Code: X-forwarded-for: 127.0.0.1 Then add a quote after your ip address and a nice error like that will be displayed :  And now do your injection like string based, the most important thing is that you have to understand that the injection point is your ip in X-forwarded.