This lab uses a serialization-based session mechanism. By deploying a custom gadget chain, you can exploit its insecure deserialization to achieve remote code execution. To solve the lab, delete the morale.txt file from Carlos's home directory.
You can access your own account using the following credentials:
You can sometimes read source code by appending a tilde (~) to a filename to retrieve an editor-generated backup file.
/cgi-bin/libs/CustomTemplate.php. Obtain the source code by submitting a request using the .php~ backup file extension.
__wakeup() magic method for a CustomTemplate will create a new Product by referencing the
DefaultMap class has the __get() magic method, which will be invoked if you try to read an attribute that doesn't exist for this object. This magic method invokes call_user_func(), which will execute any function that is passed into it via the DefaultMap->callback attribute. The function will be executed on the $name, which is the non-existent attribute that was requested.
exec(rm /home/carlos/morale.txt) by passing in a
CustomTemplate->default_desc_type = "rm /home/carlos/morale.txt";
CustomTemplate->desc = DefaultMap;
DefaultMap->callback = "exec"
Product constructor to try and fetch the
DefaultMap object. As it doesn't have this attribute, the __get() method will invoke the callback exec() method on the default_desc_type, which is set to our shell command.
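
One way to handle the session cookie so that the chain described above never starts, as an added example that is not the lab's code or the site's source: the cookie is authenticated before it is parsed, and unserialize() is told to instantiate no classes, so neither __wakeup() nor __get() can run. SESSION_KEY, the function names, the cookie layout and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not the lab's code. Key, function names and cookie layout are assumptions.
const SESSION_KEY = 'constructed-placeholder-load-from-server-config';

// True if $v is, or contains, any object (including __PHP_Incomplete_Class).
function contains_object($v): bool
{
    if (is_object($v) || $v instanceof __PHP_Incomplete_Class) {
        return true;
    }
    foreach ((is_array($v) ? $v : []) as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}

// Assumed cookie layout: base64(serialized array) . "." . hex HMAC-SHA256 of the base64 text.
function sign_body(string $body): string
{
    return $body . '.' . hash_hmac('sha256', $body, SESSION_KEY);
}

function read_session(string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    // 1. Authenticate before parsing, using a constant-time comparison.
    if (count($parts) !== 2 || !hash_equals(sign_body($parts[0]), $cookie)) {
        return null;
    }
    $raw = base64_decode($parts[0], true);
    if ($raw === false) {
        return null;
    }
    // 2. Instantiate no classes, so no __wakeup() or __get() gadget can run.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    // 3. Session data must be a plain array with no objects anywhere inside it.
    return (is_array($value) && !contains_object($value)) ? $value : null;
}

// Constructed, benign inputs: a plain array and a serialized object naming a class from the page.
$good   = base64_encode(serialize(['username' => 'alice']));
$object = base64_encode('O:14:"CustomTemplate":1:{s:4:"desc";s:1:"x";}');
var_dump(read_session(sign_body($good)));                     // valid tag, plain array
var_dump(read_session($object . '.' . str_repeat('0', 64)));  // forged tag
var_dump(read_session(sign_body($object)));                   // valid tag, object body
```

The third call shows why steps 2 and 3 are kept even though the tag is checked: a serialized object is refused even when it carries a valid signature. The allowed_classes option requires PHP 7.0 or later.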