SSRF External Service Interaction to Find the Real IP Behind CloudFlare, Leading to SQL Injection

My reaction when I find a case like this

Hello, here I just want to share my experience finding the real IP of a site behind CloudFlare through “SSRF External Service Interaction”, reaching the admin login form, and finding a SQL Injection bug there.

Little Story

Previously I had also found SQLi vulnerabilities on this website, but this time it felt a little more interesting to write up, because getting from SSRF to SQLi took me only a few hours rather than days.

Ahhh, I almost forgot: the address of this website and some sensitive data will be deleted / censored.


Steps to Reproduce

1. After doing a little recon I got the endpoint (/api/resize.php?image=)

And when I used the SQLmap tool, it reported that the parameter (image) may have a “File Inclusion” vulnerability. OKkkkkk, here I didn’t know whether this was an RFI vuln or LFI.

I tried the LFI payload several times but it didn’t work, and when I tried RFI it didn’t work either :’(

2. When I tried RFI pointed at my local IP, I got the response “Error 524”

3. Hmmm, next I used “Burp Collaborator Client” to try SSRF External Service Interaction

Found Real IP

Annnndddd niiicceee, I got an HTTP request from an IP address that I didn’t recognize…

4. When I opened the IP address, it showed the same site as the website I was testing. To make sure whether this is the real address or not (CloudFlare), you can use the “dig” command or via

Using “dig” I found only 2 IP addresses, starting with 104 and 172, while the one I got was 103

By using


5. If that is still not enough, you can use the Wappalyzer extension and check the “CDN” section

With CloudFlare protection & without CloudFlare protection
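To make the check from step 4 repeatable, here is an added Python example (my code, not from the original post) that classifies each IP seen by an out-of-band listener against the A records dig returned and against Cloudflare's published IPv4 edge ranges. The sample IPs are constructed, and the range list is a snapshot that should be refreshed from Cloudflare's published list before relying on it.

```python
import ipaddress
from typing import Dict, Iterable

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4),
# copied here for this example; refresh it from that list before relying on it.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip: str) -> bool:
    """True if ip sits inside one of Cloudflare's published IPv4 edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def classify_callback(ip: str, dns_answers: Iterable[str]) -> str:
    """Classify one IP that connected to the out-of-band listener.

    dns_answers are the A records `dig` returned for the hostname (the edge IPs
    the public sees). An IP that is neither a Cloudflare edge nor already in
    DNS is the interesting one: it is probably the origin talking directly.
    Note that a 103.x address is not automatically non-Cloudflare; several
    103.x /22 blocks are Cloudflare edges, so check the ranges, not the prefix.
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_loopback:
        return "internal"          # something on our own side, not the target
    if is_cloudflare(ip):
        return "cloudflare-edge"   # came through Cloudflare; no origin leak
    if ip in set(dns_answers):
        return "already-in-dns"    # public anyway, nothing new learned
    return "possible-origin-leak"


def assess_origin_exposure(dns_answers: Iterable[str],
                           callback_ips: Iterable[str]) -> Dict[str, str]:
    """Map every callback IP to its verdict. Any 'possible-origin-leak' means the
    origin is reachable around the CDN, so its firewall should allow only
    Cloudflare's ranges (plus the operator's own management hosts)."""
    answers = list(dns_answers)
    return {ip: classify_callback(ip, answers) for ip in callback_ips}


if __name__ == "__main__":
    # Constructed sample values mirroring the writeup (not the real addresses):
    # dig returned 104.x and 172.x, the collaborator saw a 103.x address.
    dig_answers = ["104.16.1.1", "172.64.5.5"]
    seen = ["103.200.1.1", "103.21.244.9", "104.16.1.1"]
    for ip, verdict in assess_origin_exposure(dig_answers, seen).items():
        print(f"{ip:15} {verdict}")
```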

6. After I was sure I had the original IP of the website, I did a little recon using dirsearch and found the (/dashboard/) folder, which shows the XAMPP page and has phpinfo exposed


7. I also got the login page and tried a few SQLi login-bypass payloads, but that didn’t work

8. There is a “Forgot Password” menu. I entered the original email and then turned on Burp Intercept to capture the request data

9. I added a single quote at the end of my email and got an error

10. I saved the request, ran SQLMap, and got what I was looking for!!!

I Love ittttt❤❤




Caesar Evan Santoso