Join us on May 15 for a live demo of how Burp Suite DAST solves real-world security challenges.            Register Now
Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: Arbitrary object injection in PHP

PRACTITIONER

This lab uses a serialization-based session mechanism and is vulnerable to arbitrary object injection as a result. To solve the lab, create and inject a malicious serialized object to delete the morale.txt file from Carlos's home directory. You will need to obtain source code access to solve this lab.

You can log in to your own account using the following credentials: wiener:peter

Hint

You can sometimes read source code by appending a tilde (~) to a filename to retrieve an editor-generated backup file.

ACCESS THE LAB

Solution

  1. Log in to your own account and notice the session cookie contains a serialized PHP object.
  2. From the site map, notice that the website references the file /libs/CustomTemplate.php. Right-click on the file and select "Send to Repeater".
  3. In Burp Repeater, notice that you can read the source code by appending a tilde (~) to the filename in the request line.
  4. In the source code, notice the CustomTemplate class contains the __destruct() magic method. This will invoke the unlink() method on the lock_file_path attribute, which will delete the file on this path.

  5. In Burp Decoder, use the correct syntax for serialized PHP data to create a CustomTemplate object with the lock_file_path attribute set to /home/carlos/morale.txt. Make sure to use the correct data type labels and length indicators. The final object should look like this:

    O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";}
  6. Base64 and URL-encode this object and save it to your clipboard.
  7. Send a request containing the session cookie to Burp Repeater.
  8. In Burp Repeater, replace the session cookie with the modified one in your clipboard.
  9. Send the request. The __destruct() magic method is automatically invoked and will delete Carlos's file.

Community solutions

Emanuele Picariello

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find insecure deserialization vulnerabilities using Burp Suite

Try for free