Lab: Modifying serialized data types

To access another user's account, you will need to exploit a quirk in how PHP compares data of different types.

Note that PHP's comparison behavior differs between versions. This lab assumes behavior consistent with PHP 7.x and earlier.

1. Log in using your own credentials. In Burp, open the post-login GET /my-account request and examine the session cookie using the Inspector to reveal a serialized PHP object. Send this request to Burp Repeater.
2. In Burp Repeater, use the Inspector panel to modify the session cookie as follows:
   • Update the length of the username attribute to 13.
   • Change the username to administrator.
   • Change the access token to the integer 0. As this is no longer a string, you also need to remove the double-quotes surrounding the value.
   • Update the data type label for the access token by replacing s with i.

   The result should look like this:

   O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}
3. Click "Apply changes". The modified object will automatically be re-encoded and updated in the request.
4. Send the request. Notice that the response now contains a link to the admin panel at /admin, indicating that you have successfully accessed the page as the administrator user.
5. Change the path of your request to /admin and resend it. Notice that the /admin page contains links to delete specific user accounts.
6. Change the path of your request to /admin/delete?username=carlos and send the request to solve the lab.

Emanuele Picariello