Using PHP/JavaScript link to get information about site visitor

Submitted by ↘锁芯ラ on 2019-12-04 17:58:59
Tomáš Zato

PHP:

Data retrieval

The basic redirection can be done very easily (in PHP, before any output):

header("Location: http://....");

However, if you send this, his browser will not load any JavaScript or HTML on your fake page. You'll still be able to collect the following from the $_SERVER superglobal variable:

  • HTTP_USER_AGENT - whatever his browser sends as its identification
  • REMOTE_ADDR - his IP (or the server proxy IP)

Here's the whole $_SERVER variable dump.

Data saving

It's quite easy to save data in PHP. If you're lazy, you can just use file_put_contents:

file_put_contents("info.txt", print_r($_SERVER, true));

The true in print_r causes the function to return a string, instead of printing it.

Javascript

Data retrieval

Javascript can allow you to access information about browser too. But any personal information can only be retrieved after user explicitly allows it.

The redirection then can be done using:

window.location.href = "http://...";

So this is what you can get:

Without permission

With permission

With user permission, really interesting stuff can be retrieved:

Data saving

This is where it gets complicated: you need time to send data from the user's browser to your server. Possible solutions:

Synchronous request

Normally, when loading/sending data, javascript sends the request, assigns function to be performed when it finishes and ends:

//Example of loading next page with AJAX
var req = new XMLHttpRequest();
req.open("POST", "http://...");
//This function will be started after the request finishes
req.onload = function() {
    showPage(this.responseText);
}
//The request starts and the javascript thread ends
req.send("page=2");

Now if you redirect the user somewhere else, the request may be stopped. However, you can set the request to be blocking/synchronous (or you can redirect after the request finishes, which may be suspicious).

//Example of sending user info synchronously
var req = new XMLHttpRequest();
req.open("POST", "http://...", false);
//Let getUserInfo be a function that creates the data
req.send(getUserInfo());
//Redirect when done
window.location = "http://...";

In the second case, the browser may become unresponsive, which is actually less suspicious than getting stuck on a blank page.

navigator.sendBeacon

Read on MDN. Doesn't work in all browsers.

Psychology

The solution I'd go for would not go through computer hacking but social engineering. I would play his game and eventually discover who he is (provided I know the person in real life). Every person has a behavioral and expressional characteristic. The fact they are pretending they are somebody else does not matter as much as it may seem.
In fact, any computer security is best broken using the computer user. The same goes for any other kind of security or secrecy.

You can get some information like IP and User Agent and write it to a file.

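<?php
// Append one line per visit to Output.txt
$fp = fopen("Output.txt", "a");
// X-Forwarded-For is a request header (set by a proxy or by the client itself); REMOTE_ADDR is the TCP peer
$visitorIP      = addslashes(getenv('HTTP_X_FORWARDED_FOR') ? getenv('HTTP_X_FORWARDED_FOR') : getenv('REMOTE_ADDR'));
// The User-Agent header is optional, so check that it is present before reading it
$visitorBrowser = addslashes(!empty($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'Browser undetectable.');
$User_Info = "IP: " . $visitorIP . "\t\tUser Agent: " . $visitorBrowser . "\n";
fwrite($fp, $User_Info);
fclose($fp);
// The redirect header must be sent before any output
header('Location: http://REDIRECTURLHERE');
?>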

The results will be in a file called Output.txt. From here you can have it re
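
The logging snippet above prefers X-Forwarded-For over REMOTE_ADDR, but that header is whatever the client sends unless a proxy you control writes it, and the User-Agent is equally arbitrary. The following is an added example, not part of either answer: it accepts the header only when the TCP peer is a known proxy and strips control characters before producing the same log format. The proxy address 10.0.0.5, the helper names and the sample requests are assumptions.

```php
<?php
// Added example, not code from the answers. Assumption: TRUSTED_PROXIES lists
// the reverse proxies this server really sits behind (10.0.0.5 is constructed).
const TRUSTED_PROXIES = ['10.0.0.5'];

// REMOTE_ADDR is the TCP peer; X-Forwarded-For counts only if that peer is ours.
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer; // header arrived straight from the client: ignore it
    }
    // Walk the chain right to left: entries appended by our proxies come last,
    // anything further left was supplied by the client.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the TCP peer
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Replace control characters so a header value cannot forge extra log lines.
function logSafe(string $value): string
{
    return substr(preg_replace('/[\x00-\x1F\x7F]/', ' ', $value), 0, 512);
}

// Same line format as the answer's Output.txt.
function logLine(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? 'Browser undetectable.';
    return 'IP: ' . logSafe(clientIp($server)) . "\t\tUser Agent: " . logSafe($ua) . "\n";
}

// Constructed sample requests: one direct with a made-up header and a
// multi-line User-Agent, one arriving through the trusted proxy.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1',
    'HTTP_USER_AGENT' => "Mozilla/5.0\nIP: 192.0.2.99\t\tUser Agent: forged"];
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_USER_AGENT' => 'Mozilla/5.0',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.9'];

echo logLine($direct);
echo logLine($proxied);
```

Even with these checks, the logged address is only the last hop before your server, so a visitor behind a VPN, Tor or a carrier NAT shows up as that intermediary.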
