Star Cereal 2

Spoofable client IP address, SQL injection vulnerability


Ha, that was sneaky! But I've patched the login so that people like you can't gain access anymore. Stop hacking us!

The flag is in the flag format: STC{...}

Author: zeyu2001


In index.php, notice the following comment

Star Cereal page by zeyu2001

    1) URGENT - fix login vulnerability by disallowing external logins (done)
    2) Integrate admin console currently hosted at

Point 1) is referring to the previous challenge. Point 2) is interesting.

If we go to login.php, we get a 403 Forbidden Page:

<p>Only admins allowed to login.</p>

Spoofable Client IP

We could deduce that perhaps the server filters requests by the client IP.

A common security misconfiguration in implementing such a filter is the use of the X-Forwarded-For header. This header is used for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer.

Note that HTTP request headers can be easily spoofed. Knowing that one of the internal IP addresses is, we may want to check the subnet for valid client IPs.

If we do a scan (e.g. using Burp Suite Intruder) for the subnet with the X-Forwarded-For header, we would find that if we set:


then we would see the login page.

Burp Suite Intruder Scan

First, set the payload position as follows:

Then, configure the payload as a list of numbers from 1 to 255.

Run the attack. Sort the output by either the Status or Length columns. We will find that X-Forwarded-For: gives us a 200 OK response code, and shows us the login page.

SQL Injection

Once we have access to the login page, notice the login form fields.

<form action="/login.php" method="post">
	<div class="form-group">
		<label for="email">Email address</label>
		<input type="email" class="form-control" id="email" name="email" placeholder="Enter email">
	<div class="form-group">
		<label for="pass">Password</label>
		<input type="pass" class="form-control" id="pass" name="pass" placeholder="Enter password">
	<button type="submit" class="btn btn-primary">Submit</button>

We need to submit an email and a pass parameter. We can exploit SQL injection to get the flag.

POST /login.php HTTP/1.1
Host: localhost:55043


Content-Type: application/x-www-form-urlencoded
Content-Length: 51

email=test&pass=test' UNION SELECT 'test', 'test';#

The flag is STC{w0w_you'r3_r3lly_a_l33t_h4x0r_bc1d4611be52117c9a8bb99bf572d6a7}.

Last updated