This lab uses a serialization-based session mechanism. If you can construct a suitable gadget chain, you can exploit this lab's insecure deserialization to obtain the administrator's password.
To solve the lab, gain access to the source code and use it to construct a gadget chain to obtain the administrator's password. Then, log in as the administrator and delete Carlos's account.
You can access your own account using the following credentials:
Note that solving this lab requires basic familiarity with another topic that we've covered on the Web Security Academy.
To save you some of the effort, we've provided a generic Java program for serializing objects. You can adapt this to generate a suitable object for your exploit. If you don't already have a Java environment set up, you can compile and execute the program using a browser-based IDE, such as
/backup/AccessTokenUser.java. You can successfully request this file in Burp Repeater.
/backup directory and notice that it also contains a
ProductTemplate.readObject() method passes the template's id attribute into a SQL statement.
ProductTemplate with an arbitrary id, serializes it, and then Base64-encodes it.
"your-payload-here" string in the
id set to a single apostrophe. Copy the Base64 string and submit it in a request as your session cookie. The error message confirms that the website is vulnerable to Postgres-based SQL injection via this deserialized object.
id attribute in your Java file, recompile it, and paste the new value into your session cookie manually.
add-your-payload-here to be whatever payload you want. You don't need to change anything else - any adjustments to the offsets and encoding will be handled automatically by Hackvertor.
id attribute to construct a basic UNION attack on the users table. Enumerate the number of columns (8) and observe that columns 4, 5, and 6 do not expect a string.
users table using standard SQL injection techniques.
' UNION SELECT NULL, NULL, NULL, cast(password as numeric), NULL, NULL, NULL, NULL FROM users--
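The gadget this lab turns on is a readObject() method that does database work with a field it has just read from an untrusted stream. The following is an added illustrative example, not the lab's own ProductTemplate or AccessTokenUser source: it sketches that vulnerable shape, a hardened version of the same class, and a session decoder that uses an ObjectInputFilter allow-list so that a serialized ProductTemplate in the cookie is refused before any readObject() runs. The class names other than ProductTemplate and AccessTokenUser, the package com.example.session, the products table and its columns, and the JDBC URL are all assumptions.

```java
// Added illustrative example, not the lab's own source. Shows the readObject()
// shape the walkthrough describes (a deserialized field concatenated into SQL)
// next to a hardened version and a filtered session decoder. Class, table and
// column names, the package of AccessTokenUser, and the JDBC URL are assumptions.
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Base64;

public class DeserializationGadgetDemo {

    /** Placeholder for however the application obtains a connection (assumed). */
    static Connection openConnection() throws SQLException {
        return DriverManager.getConnection("jdbc:postgresql://localhost/shop");
    }

    /** Vulnerable shape: deserialization itself runs a query built from the untrusted id. */
    static class VulnerableProductTemplate implements Serializable {
        private static final long serialVersionUID = 1L;
        private String id;   // whatever was serialized ends up here, unchecked

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // The gadget: id flows unquoted into SQL as a side effect of readObject().
            String sql = "SELECT name FROM products WHERE id = '" + id + "' LIMIT 1";
            try (Connection c = openConnection();
                 Statement st = c.createStatement();
                 ResultSet rs = st.executeQuery(sql)) {
                if (rs.next()) { /* populate transient fields */ }
            } catch (SQLException e) {
                // Echoing the driver's message to the client is what makes the
                // injection trivial to confirm from a single apostrophe.
                throw new IOException("could not load template: " + e.getMessage(), e);
            }
        }
    }

    /** Hardened shape: readObject() only restores and validates state; no I/O at all. */
    static class HardenedProductTemplate implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String id;

        private static boolean isValidId(String id) {
            return id != null && id.matches("[A-Za-z0-9-]{1,64}");
        }

        HardenedProductTemplate(String id) {
            if (!isValidId(id)) throw new IllegalArgumentException("invalid product id");
            this.id = id;
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // The constructor never runs during deserialization, so re-validate here.
            if (!isValidId(id)) throw new InvalidObjectException("invalid product id");
        }

        /** Database access happens only at an explicit call site, with a bound parameter. */
        String loadName(Connection c) throws SQLException {
            try (PreparedStatement ps = c.prepareStatement("SELECT name FROM products WHERE id = ?")) {
                ps.setString(1, id);
                try (ResultSet rs = ps.executeQuery()) {
                    return rs.next() ? rs.getString(1) : null;
                }
            }
        }
    }

    /** Fully-qualified name of the session token class; the package is an assumption. */
    static final String SESSION_CLASS = "com.example.session.AccessTokenUser";

    /** Decode a session cookie while refusing any class other than the session token. */
    static Object decodeSession(String cookie) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(cookie);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            // Allow-list the token class and String; "!*" rejects every other class,
            // so a serialized ProductTemplate fails the filter before readObject() runs.
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "maxdepth=4;" + SESSION_CLASS + ";java.lang.String;!*"));
            return in.readObject();
        }
    }
}
```

With the filter in place, a cookie carrying any class outside the allow-list makes readObject() throw java.io.InvalidClassException (filter status REJECTED) instead of instantiating the object, which is the check to log and alert on. The filter is the defence that holds even when a gadget exists elsewhere in the class path; moving SQL out of readObject() and binding the id as a parameter removes this particular gadget altogether. On a Postgres-backed application, the unexpected cast errors the walkthrough relies on are also worth surfacing in error monitoring: a type-conversion failure on an endpoint that only ever reads a session cookie is a strong signal that someone is probing exactly this path.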