Solution: SQL Injection - Unusual Attack Vectors

Tools Used:
If you create an account and login, you will see this message:
  Welcome, test1 [Last Login IP Address:]
  The Flag Is: [LOCKED! Only users with user_level=1 can see the flag. Your user_level=2 ]
So as per the challenge text, we see our user_level is 2 and we need it to be 1 to see the flag. We also see that our IP is displayed, and we can assume it's stored in the user table based on the challenge we're doing - the challenge text even tells us the SQL Injection entry point is the X-Forwarded-For header.

So let's get to it. We need to make it so we can treat the X-Forwarded-For header like a text input box we can manipulate. If you use Google Chrome, you can download the ModHeader Chrome Extension to do so. Install it, click its icon, and setup your first input form for the X-Forwarded-For header with a string like a single apostrophe to test for a SQL Injection issue, as per the image below:

If you logout and then attempt to log back in, your browser will automatically also send the headers you adjusted in the ModHeader Chrome Extension - so we should see an error message like this, because we broke the SQL query:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' WHERE userid=31' at line 1

Debug Query: UPDATE chal16_users SET lastip='',' WHERE userid=31
The app even prints the query for us to review - so at this point, this has just turned into a normal sql injection that we inject using ModHeader instead of a form on the page or a URL parameter.

Find the correct injection to use to cause it to update your user_level to 1, and correctly resolve the trailing apostrophe in the query so it doesn't error out, and you'll be able to retrieve the flag.