Lab: Arbitrary object injection in PHP


This lab uses a serialization-based session mechanism and is vulnerable to arbitrary object injection as a result. To solve the lab, create and inject a malicious serialized object to delete the morale.txt file from Carlos's home directory. You will need to obtain source code access to solve this lab.

You can access your own account using the following credentials: wiener:peter