This lab uses a serialization-based session mechanism and is vulnerable to arbitrary object injection as a result. To solve the lab, create and inject a malicious serialized object to delete the morale.txt file from Carlos's home directory. You will need to obtain source code access to solve this lab.
You can access your own account using the following credentials:
You can sometimes read source code by appending a tilde (~) to a filename to retrieve an editor-generated backup file.
/libs/CustomTemplate.php. Right-click on the file and select "Send to Repeater".
~) to the filename in the request line.
CustomTemplate class contains the __destruct() magic method. This will invoke the unlink() method on the lock_file_path attribute, which will delete the file on this path.
CustomTemplate object with the lock_file_path attribute set to /home/carlos/morale.txt. Make sure to use the correct data type labels and length indicators. The final object should look like this:
__destruct() magic method is automatically invoked and will delete Carlos's file.
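The defensive counterpart to the behaviour described above, as an added example that is not the lab's source code: a session cookie that is authenticated with an HMAC before parsing and deserialized with class instantiation disabled, so a destructor like the one in CustomTemplate never runs on attacker-supplied data. CustomTemplateDemo, encode_session(), decode_session() and the cookie layout are hypothetical names and choices made for this illustration; the temp file is constructed sample input.

```php
<?php
// Added example, not the lab's source. CustomTemplateDemo is a hypothetical
// stand-in mirroring the behaviour described above.
class CustomTemplateDemo
{
    public $lock_file_path;

    public function __destruct()
    {
        // Destructor side effect that makes the class dangerous to deserialize.
        if (is_string($this->lock_file_path) && is_file($this->lock_file_path)) {
            unlink($this->lock_file_path);
        }
    }
}

function encode_session(array $data, string $key): string
{
    $b64 = base64_encode(serialize($data));
    return $b64 . '.' . hash_hmac('sha256', $b64, $key);
}

function decode_session(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    // Authenticate before parsing: reject unsigned or modified cookies.
    if (count($parts) !== 2 || !hash_equals(hash_hmac('sha256', $parts[0], $key), $parts[1])) {
        return null;
    }
    $raw = base64_decode($parts[0], true);
    // allowed_classes => false: objects become __PHP_Incomplete_Class,
    // so no application class is instantiated and its __destruct() cannot run.
    $data = $raw === false ? false : unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed demo input: a temp file stands in for the file to protect.
$key = random_bytes(32);
$tmp = tempnam(sys_get_temp_dir(), 'lock');
$obj = new CustomTemplateDemo();
$obj->lock_file_path = $tmp;
$b64 = base64_encode(serialize($obj));
$obj->lock_file_path = null; // disarm the original instance

var_dump(decode_session($b64 . '.bogus', $key));                              // forged MAC
var_dump(decode_session($b64 . '.' . hash_hmac('sha256', $b64, $key), $key)); // valid MAC, object payload
var_dump(is_file($tmp));                                                      // is the temp file still there?
var_dump(decode_session(encode_session(['username' => 'demo'], $key), $key)); // legitimate array session
unlink($tmp);
```

The second call models a leaked signing key: even with a valid MAC, the serialized object is not instantiated, so the file check that follows reports on whether the destructor was kept from running.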